DCHECK failure in (has_shared_memory) != nullptr in module-decoder.cc |
||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6739724258246656 Fuzzer: binaryen_wasm_fuzzer Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: DCHECK failure Crash Address: Crash State: (has_shared_memory) != nullptr in module-decoder.cc V8_Dcheck v8::internal::wasm::ModuleDecoderImpl::consume_resizable_limits Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=48018:48019 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6739724258246656 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jun 16 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/0202a040c99c7f4384b5cdc553544b9669e561e9 ([wasm] Module bytes can set shared attribute on memory). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Jun 16 2018
,
Jun 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/f2b90bd4dcbc87c4bf9ca8b6025cb82c7bf9210a commit f2b90bd4dcbc87c4bf9ca8b6025cb82c7bf9210a Author: Deepti Gandluri <gdeepti@chromium.org> Date: Fri Jun 22 15:06:39 2018 [wasm] Catch invalid flags correctly Cleanup decoding of flags so that invalid flags for sections other than memory are caught correctly. Bug: chromium:853453 Change-Id: Ia347d5f7672eee93ca3f6a743f06fba629f55cb5 Reviewed-on: https://chromium-review.googlesource.com/1104976 Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Reviewed-by: Ben Smith <binji@chromium.org> Cr-Commit-Position: refs/heads/master@{#53972} [modify] https://crrev.com/f2b90bd4dcbc87c4bf9ca8b6025cb82c7bf9210a/src/wasm/module-decoder.cc [add] https://crrev.com/f2b90bd4dcbc87c4bf9ca8b6025cb82c7bf9210a/test/mjsunit/regress/wasm/regress-853453.js
,
Jun 22 2018
After triage, please leave a comment on if the bug can have security implications.
,
Jun 22 2018
The binaryen fuzzer enables WebAssembly threads by default, which is currently gated by a flag (WebAssemblyThreads) in Chrome, this bug can not be triggered without using the flag - reducing security severity accordingly.
,
Jun 23 2018
,
Jun 24 2018
ClusterFuzz has detected this issue as fixed in range 53971:53972. Detailed report: https://clusterfuzz.com/testcase?key=6739724258246656 Fuzzer: binaryen_wasm_fuzzer Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: DCHECK failure Crash Address: Crash State: (has_shared_memory) != nullptr in module-decoder.cc V8_Dcheck v8::internal::wasm::ModuleDecoderImpl::consume_resizable_limits Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=48018:48019 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=53971:53972 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6739724258246656 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 24 2018
ClusterFuzz testcase 6739724258246656 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 26 2018
,
Jun 29 2018
The VRP panel took a look at this and concluded it's a non-exploitable null dereference, I'm afraid. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by infe...@chromium.org
, Jun 16 2018Components: Blink>JavaScript>WebAssembly