DCHECK failure in func_index == code->index() in wasm-code-manager.cc
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4629797553307648
Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State: func_index == code->index() in wasm-code-manager.cc
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=52525:52526
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4629797553307648
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Apr 19 2018
Apr 20 2018
Apr 20 2018
Apr 20 2018
Apr 21 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2018
Apr 27 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/903d87312e1e7cd145a6baa0c77696f1288e2a89

commit 903d87312e1e7cd145a6baa0c77696f1288e2a89
Author: Ben L. Titzer <titzer@chromium.org>
Date: Fri Apr 27 08:27:56 2018

[wasm] Fix target instance for indirect calls to imports

In the case of an indirect call to an imported function, the target instance stored in the IFT was actually wrong.

Bug: chromium:834619
Change-Id: Id2ac4158335ecf2b58e1983ce37df852a9ebd1b2
Reviewed-on: https://chromium-review.googlesource.com/1030174
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52831}

[modify] https://crrev.com/903d87312e1e7cd145a6baa0c77696f1288e2a89/src/wasm/function-compiler.cc
[modify] https://crrev.com/903d87312e1e7cd145a6baa0c77696f1288e2a89/src/wasm/module-compiler.cc
[modify] https://crrev.com/903d87312e1e7cd145a6baa0c77696f1288e2a89/src/wasm/wasm-code-manager.cc
[add] https://crrev.com/903d87312e1e7cd145a6baa0c77696f1288e2a89/test/mjsunit/regress/wasm/regress-834619.js
[modify] https://crrev.com/903d87312e1e7cd145a6baa0c77696f1288e2a89/test/mjsunit/wasm/indirect-tables.js
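The pattern the fix description names, an indirect call through a table whose entry is an imported function, as an added example in runnable JavaScript. This is not code from the V8 change or its regression test; the module bytes are hand-encoded here (the import name "m"."f", the export name "main" and the two sample imports are arbitrary choices for the illustration), and it runs on Node.js with no extra packages. It goes one step beyond the single case by instantiating the same module twice with different imports, so that each instance's table slot must resolve to that instance's own import.

```javascript
// Added example, not from the V8 bug, the fix, or its regression test.
// A tiny WebAssembly module, hand-encoded, whose exported function does
// call_indirect on a table whose only entry is an IMPORTED function.
//
// Layout (sections in canonical order):
//   type 0:   (i32) -> i32
//   import 0: "m"."f" : type 0            (function index 0)
//   func 1:   type 0, exported as "main"
//   table 0:  funcref, min 1
//   elem:     table[0] = func 0           (the import)
//   code of func 1: local.get 0; i32.const 0; call_indirect type 0
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,              // magic + version
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,              // type section
  0x02, 0x07, 0x01, 0x01, 0x6d, 0x01, 0x66, 0x00, 0x00,        // import "m"."f"
  0x03, 0x02, 0x01, 0x00,                                      // function section
  0x04, 0x04, 0x01, 0x70, 0x00, 0x01,                          // table: funcref, min 1
  0x07, 0x08, 0x01, 0x04, 0x6d, 0x61, 0x69, 0x6e, 0x00, 0x01,  // export "main" = func 1
  0x09, 0x07, 0x01, 0x00, 0x41, 0x00, 0x0b, 0x01, 0x00,        // elem: table[0] = func 0
  0x0a, 0x0b, 0x01, 0x09, 0x00, 0x20, 0x00, 0x41, 0x00,        // code: local.get 0,
  0x11, 0x00, 0x00, 0x0b,                                      //   i32.const 0, call_indirect, end
]);

// Sanity check that the hand-encoded bytes are a valid module.
function isValid() {
  return WebAssembly.validate(WASM_BYTES);
}

// Compile once, instantiate with a given JS function as the import.
function instantiate(importedFn) {
  const module = new WebAssembly.Module(WASM_BYTES);
  return new WebAssembly.Instance(module, { m: { f: importedFn } });
}

// Two instances of the same module with different imports. Each instance's
// table entry 0 is its own import, so main(x) in instance a must reach a's
// import and main(x) in instance b must reach b's; the issue above was that
// the instance recorded for such a table entry could be wrong.
function callThroughTable(x) {
  const a = instantiate((v) => v + 1);
  const b = instantiate((v) => v * 100);
  return [a.exports.main(x), b.exports.main(x)];
}

console.log("valid:", isValid());
console.log("indirect calls:", callThroughTable(41));
```

Running it prints the two results of the indirect call; with the imports chosen above, `callThroughTable(41)` returns `[42, 4100]`, one value from each instance's own import. Any confusion of the target instance would surface here as the wrong import being called, or as a crash in a debug build of the engine.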
Apr 27 2018
Apr 27 2018
Apr 27 2018
+awhalley@ for M67 merge review (Pls note CL listed at #8 is not yet baked in canary).
Apr 28 2018
ClusterFuzz has detected this issue as fixed in range 52830:52831.
Detailed report: https://clusterfuzz.com/testcase?key=4629797553307648
Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State: func_index == code->index() in wasm-code-manager.cc
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=52525:52526
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=52830:52831
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4629797553307648
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 28 2018
ClusterFuzz testcase 4629797553307648 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 28 2018
This bug requires manual review: M67 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 29 2018
awhalley@ for M67 merge review.
Apr 30 2018
The NextAction date has arrived: 2018-04-30
May 1 2018
govind - good for 67
May 1 2018
Approving merge to M67 branch 3396 based on comment #17. Please merge ASAP so we can pick it up for tomorrow's beta release. Thank you.
May 2 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/977a8341fc8385c90cd89f89052fe70abc39f51f

commit 977a8341fc8385c90cd89f89052fe70abc39f51f
Author: Ben L. Titzer <titzer@google.com>
Date: Wed May 02 11:01:43 2018

Merged: [wasm] Fix target instance for indirect calls to imports

Revision: 903d87312e1e7cd145a6baa0c77696f1288e2a89

BUG= chromium:834619
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=clemensh@chromium.org

Change-Id: Ic268091c467ad8f131a247b501b38d12d76c93fa
Reviewed-on: https://chromium-review.googlesource.com/1039198
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.7@{#49}
Cr-Branched-From: 8457e810efd34381448d51d93f50079cf1f6a812-refs/heads/6.7.288@{#2}
Cr-Branched-From: e921be5c4f2c6407936bde750992dedbf47c1016-refs/heads/master@{#52547}

[modify] https://crrev.com/977a8341fc8385c90cd89f89052fe70abc39f51f/src/wasm/module-compiler.cc
[modify] https://crrev.com/977a8341fc8385c90cd89f89052fe70abc39f51f/src/wasm/wasm-code-manager.cc
[add] https://crrev.com/977a8341fc8385c90cd89f89052fe70abc39f51f/test/mjsunit/regress/wasm/regress-834619.js
[modify] https://crrev.com/977a8341fc8385c90cd89f89052fe70abc39f51f/test/mjsunit/wasm/indirect-tables.js
May 2 2018
Already merged to M67 at #19.
Jun 5 2018
Aug 3
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Apr 19 2018
Owner: titzer@chromium.org
Status: Assigned (was: Untriaged)