New issue
Advanced search Search tips
Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

CHECK failure: InstructionSelector::SupportsSpeculationPoisoning() in pipeline.cc

Project Member Reported by ClusterFuzz, Mar 12 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5351986447515648

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  InstructionSelector::SupportsSpeculationPoisoning() in pipeline.cc
  v8::internal::compiler::PipelineImpl::SelectInstructions
  v8::internal::compiler::PipelineImpl::OptimizeGraph
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_mipsel_dbg&range=51877:51878

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5351986447515648

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Mar 12 2018

Components: Blink>JavaScript>Compiler
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Mar 12 2018

Labels: Test-Predator-Auto-Owner
Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/cdcc39e7f929cdc28020f006a7b2d657eb52eb94 (Stage --branch-load-poisoning behind --future.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by jarin@chromium.org, Mar 13 2018

Cc: jarin@chromium.org
Owner: mvstan...@chromium.org
Michael, what is the status of the mips port? Would it be possible to pretend the poisoning can be enabled there? (Without actually doing it.)
Hi Jaro,
I have a short meeting at 11:30 today with Ivica about the conditional move section of the CL.

The CL could be checked in "as is" and she can then land the conditional move afterwards. It is here: https://chromium-review.googlesource.com/c/v8/v8/+/951382


Project Member

Comment 5 by sheriffbot@chromium.org, Mar 13 2018

Labels: Pri-1

Comment 6 by est...@chromium.org, Mar 13 2018

Labels: Security_Impact-Head M-67
Project Member

Comment 7 by sheriffbot@chromium.org, Mar 14 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 8 by ClusterFuzz, Mar 22 2018

ClusterFuzz has detected this issue as fixed in range 52122:52123.

Detailed report: https://clusterfuzz.com/testcase?key=5351986447515648

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  InstructionSelector::SupportsSpeculationPoisoning() in pipeline.cc
  v8::internal::compiler::PipelineImpl::SelectInstructions
  v8::internal::compiler::PipelineImpl::OptimizeGraph
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_mipsel_dbg&range=51877:51878
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_mipsel_dbg&range=52122:52123

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5351986447515648

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Mar 22 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5351986447515648 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by sheriffbot@chromium.org, Mar 22 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Stable
Project Member

Comment 12 by sheriffbot@chromium.org, Jun 28

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment