
Issue 819871 link

Issue metadata

Status: Verified
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug

CHECK failure: API call returned invalid object in objects-inl.h

Project Member Reported by ClusterFuzz, Mar 8 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6068219622981632

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  API call returned invalid object in objects-inl.h
  v8::platform::PrintStackTrace
  v8::internal::Object::VerifyApiCallResultType
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=51672:51675

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6068219622981632

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Mar 8 2018

Labels: Pri-1
Cc: gdeepti@chromium.org jkummerow@chromium.org
Labels: Security_Impact-Head
Adding ccs from non-trivial CLs in the regression range.
Cc: -gdeepti@chromium.org
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Head -Security_Severity-High Type-Bug
Owner: jkummerow@chromium.org
Status: Started (was: Untriaged)
Clusterfuzz is awesome.

The sanity check in VerifyApiCallResultType doesn't know about BigInts yet. No security implications.

Fix: https://chromium-review.googlesource.com/#/c/v8/v8/+/957422
Project Member

Comment 4 by bugdroid1@chromium.org, Mar 10 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/0c0847bea49c61214eb734c2caa8068d13504ec0

commit 0c0847bea49c61214eb734c2caa8068d13504ec0
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Sat Mar 10 02:47:20 2018

[bigint] Fix Object::VerifyApiCallResultType

Add BigInt to the list of allowed result types.

Bug: v8:6791, chromium:819871
Change-Id: Ib636859da07b38c462ce7017d720e5370ba618d6
Reviewed-on: https://chromium-review.googlesource.com/957422
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51859}
[modify] https://crrev.com/0c0847bea49c61214eb734c2caa8068d13504ec0/src/objects-inl.h
[modify] https://crrev.com/0c0847bea49c61214eb734c2caa8068d13504ec0/test/mjsunit/harmony/bigint/regressions.js

Status: Fixed (was: Started)
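The check discussed in comment 1 and in the commit message above, modelled as an added JavaScript example (this is not V8 code and not part of this bug report). V8's real Object::VerifyApiCallResultType in objects-inl.h compares the internal type of the object an API callback returned against a short allowlist, and the fix adds BigInt to that list; this model approximates those categories with JavaScript `typeof` tags, so the names ALLOWED_BEFORE_FIX, ALLOWED_AFTER_FIX, verifyApiCallResultType, callApiFunction, SAMPLE_VALUES and findRejectedTypes are the example's own, and the sample values are constructed. It shows why a BigInt result tripped the pre-fix check, what the fix changes, and a per-type audit that flags such a gap whenever a new primitive type reaches an allowlist like this one.

```javascript
// Added example, not V8 code: a model of the debug-mode result check that
// V8 runs on values returned from API (embedder) callbacks. Categories are
// keyed by JavaScript `typeof` tag, an approximation of V8's internal
// instance-type predicates.

// Result types the check recognised before the fix. BigInt is absent.
const ALLOWED_BEFORE_FIX = new Set([
  "number",    // Smi / HeapNumber
  "string",    // String
  "symbol",    // Symbol
  "object",    // JSReceiver, or null
  "function",  // JSReceiver (a callable one)
  "undefined", // Oddball: undefined
  "boolean",   // Oddball: true / false
]);

// The fix: add BigInt to the list of allowed result types.
const ALLOWED_AFTER_FIX = new Set([...ALLOWED_BEFORE_FIX, "bigint"]);

// Model of the check itself. Returns the value if its type is allowed and
// otherwise fails with the message seen in the ClusterFuzz crash state.
function verifyApiCallResultType(value, allowed) {
  if (!allowed.has(typeof value)) {
    throw new Error("API call returned invalid object");
  }
  return value;
}

// Model of an API function: a host callback whose return value passes
// through the check before control returns to script. The failure is
// caught here so callers can inspect it.
function callApiFunction(callback, allowed) {
  try {
    return { ok: true, value: verifyApiCallResultType(callback(), allowed) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample values, one per `typeof` tag the language can produce
// (null is listed separately even though typeof null is "object").
const SAMPLE_VALUES = {
  number: 42,
  string: "s",
  symbol: Symbol("s"),
  object: {},
  function: () => {},
  undefined: undefined,
  boolean: true,
  bigint: 10n,
  null: null,
};

// Audit: return the names of every sample value the check rejects. Any
// entry means script can produce a value type the allowlist does not know
// about, which is exactly the situation this bug describes.
function findRejectedTypes(allowed) {
  const rejected = [];
  for (const [name, sample] of Object.entries(SAMPLE_VALUES)) {
    if (!callApiFunction(() => sample, allowed).ok) rejected.push(name);
  }
  return rejected;
}

// Stand-alone run: before the fix only BigInt is rejected; after it, nothing is.
console.log("rejected before fix:", findRejectedTypes(ALLOWED_BEFORE_FIX));
console.log("rejected after fix:", findRejectedTypes(ALLOWED_AFTER_FIX));
```

The audit loop is the part worth keeping around: whenever a language or runtime gains a new primitive type, every allowlist that classifies values at a trust boundary (host/guest, embedder/API, serializer) needs a sample of that type run through it, or a check like this one silently becomes a crash on fuzzed input.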
Project Member

Comment 6 by ClusterFuzz, Mar 10 2018

ClusterFuzz has detected this issue as fixed in range 51858:51859.

Detailed report: https://clusterfuzz.com/testcase?key=6068219622981632

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  API call returned invalid object in objects-inl.h
  v8::platform::PrintStackTrace
  v8::internal::Object::VerifyApiCallResultType
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=51672:51675
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=51858:51859

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6068219622981632

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Mar 10 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6068219622981632 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.