Timeout in v8_wasm_code_fuzzer
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6008276043694080

Fuzzer: libFuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address:
Crash State:
  v8_wasm_code_fuzzer

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=575159:575160

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6008276043694080

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jul 18
Might be related to issue 849170.
Jul 18
ClusterFuzz has detected this issue as fixed in range 575757:575759.

Detailed report: https://clusterfuzz.com/testcase?key=6008276043694080

Fuzzer: libFuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address:
Crash State:
  v8_wasm_code_fuzzer

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=575159:575160
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=575757:575759

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6008276043694080

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 18
ClusterFuzz testcase 6008276043694080 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 19
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/8f07a87df0090f74f08573e3af700defa6590f56

commit 8f07a87df0090f74f08573e3af700defa6590f56
Author: Andreas Haas <ahaas@chromium.org>
Date: Thu Jul 19 08:55:55 2018

[wasm][fuzzer] Do not execute code with potential non-determinism

The WebAssembly spec is not fully deterministic: the sign bit of NaN can be arbitrary. This sign bit can be observed by several WebAssembly opcodes. In the testcase the sign bit of NaN makes the difference between terminating code and an infinite loop.

In the libfuzzer fuzzer we have to prevent infinite loops ourselves. At the moment we do this by only executing generated code of WebAssembly modules for which the interpretation of the code ends in a limited number of steps. With the non-determinism described above we cannot guarantee the absence of infinite loops with this method. Therefore we now stop executing generated code of WebAssembly modules for which we observe possible non-determinism in the interpreter.

R=clemensh@chromium.org

Bug: chromium:863829
Change-Id: I461d67df87d672bed25d6c915ba7ea5134cb5890
Reviewed-on: https://chromium-review.googlesource.com/1141945
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54541}

[modify] https://crrev.com/8f07a87df0090f74f08573e3af700defa6590f56/test/fuzzer/wasm-fuzzer-common.cc
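To make the failure mode described in the commit concrete, here is an added toy model (not V8's code) of the fuzzer's step-limited interpreter: a constructed program whose termination hinges on the sign bit of 0/0, and the post-fix policy that refuses to execute code once a NaN reaches a sign-observing opcode. Opcode names follow WebAssembly; the stack machine, the step budget and the `nan_sign` parameter are assumptions of this model.

```python
import math
import struct
STEP_LIMIT = 10_000  # stand-in for the fuzzer's interpreter step budget

def f32_bits(x):
    """Raw IEEE-754 single-precision bit pattern of a Python float."""
    return struct.unpack("<I", struct.pack("<f", x))[0]

def interpret(code, nan_sign=0):
    """Step-limited stack machine over a few wasm-like (opcode, immediate) pairs.
    nan_sign models the engine-chosen sign bit of a generated NaN. Returns
    (status, observed): status is "ok" or "timeout"; observed becomes True
    once a NaN has reached an opcode that exposes its sign bit."""
    stack, pc, steps, observed = [], 0, 0, False
    while pc < len(code):
        steps += 1
        if steps > STEP_LIMIT:
            return "timeout", observed
        op, imm = code[pc]
        pc += 1
        if op in ("f32.const", "i32.const"):
            stack.append(imm)
        elif op == "f32.div":
            b, a = stack.pop(), stack.pop()
            if a == 0.0 and b == 0.0:  # 0/0: NaN, sign bit left to the engine
                stack.append(-math.nan if nan_sign else math.nan)
            else:
                stack.append(a / b)  # x/0 (infinity) is not modelled here
        elif op == "i32.reinterpret_f32":
            x = stack.pop()
            observed |= math.isnan(x)  # the NaN's sign bit is now visible as bit 31
            stack.append(f32_bits(x))
        elif op == "i32.shr_u":
            n, v = stack.pop(), stack.pop()
            stack.append((v & 0xFFFFFFFF) >> (n & 31))
        elif op == "br_if":  # immediate is the target pc; branch if top != 0
            if stack.pop() != 0:
                pc = imm
    return "ok", observed

def should_execute(code):
    """Policy from the fix: compile and run generated code only when the
    interpreter finished within budget AND never exposed a NaN's sign bit."""
    status, observed = interpret(code)
    return status == "ok" and not observed

# Constructed testcase: whether the loop terminates depends on the sign of 0/0.
NAN_LOOP = [("f32.const", 0.0), ("f32.const", 0.0), ("f32.div", None),  # pc 0-2: NaN
            ("i32.reinterpret_f32", None), ("i32.const", 31), ("i32.shr_u", None),  # pc 3-5: bit 31
            ("br_if", 0)]  # pc 6: loop while the sign bit is set
```

With `nan_sign=0` the program ends after seven steps, with `nan_sign=1` it spins until the step budget is exhausted; `should_execute` rejects it in both cases because a NaN reached `i32.reinterpret_f32`.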
Comment 1 by kkaluri@chromium.org, Jul 17