Issue 875199 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 871747
Owner:	ahaas@chromium.org
Closed:	Aug 23
Cc:	mstarzinger@chromium.org
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Stability-Memory-AddressSanitizer Clusterfuzz Unreproducible Stability-AFL Test-Predator-Auto-Components

Ill in v8::internal::wasm::fuzzer::WasmExecutionFuzzer::FuzzWasmModule

Project Member Reported by ClusterFuzz, Aug 17

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4953826868854784

Fuzzer: afl_v8_wasm_code_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Ill
Crash Address: 0x00000209f518
Crash State:
  v8::internal::wasm::fuzzer::WasmExecutionFuzzer::FuzzWasmModule
  wasm-code.cc
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4953826868854784

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.

Project Member

Comment 1 by ClusterFuzz, Aug 17

Components: Blink>JavaScript
Labels: Test-Predator-Auto-Components

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ishell@chromium.org, Aug 21

Cc: mstarzinger@chromium.org
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)

Neither CF nor I was able to reproduce the issue, maybe you will more lucky. PTAL.

Comment 3 by ahaas@chromium.org, Aug 23

Mergedinto: 871747
Status: Duplicate (was: Assigned)

This looks very much like a duplicate. The ClusterFuzz team said that this may be an issue with the AFL fuzzer.

Project Member

Comment 4 by bugdroid1@chromium.org, Aug 24

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/88f4eab8ee5a1f0f33cbe3c25f81f9cfdf47d184

commit 88f4eab8ee5a1f0f33cbe3c25f81f9cfdf47d184
Author: Jonathan Metzman <metzman@chromium.org>
Date: Fri Aug 24 16:45:36 2018

[AFL] Opt v8 fuzzers out of AFL's forkserver

Allow fuzzers to opt out of using AFL's forkserver. Also opt v8 fuzzers
out of using it.
v8 fuzzers start threads when LLVMFuzzerInitialize is called. This breaks
AFL's forkserver because one cannot fork after a thread has started.
This is a speculative fix for  crbug.com/875199 

Bug: 797798,  875199 , 796680
Change-Id: I12e8408afaba9c9ca435d031e4263fcc2f80c67f
Reviewed-on: https://chromium-review.googlesource.com/1187835
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Commit-Queue: Jonathan Metzman <metzman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#585874}
[modify] https://crrev.com/88f4eab8ee5a1f0f33cbe3c25f81f9cfdf47d184/testing/libfuzzer/fuzzer_test.gni
[modify] https://crrev.com/88f4eab8ee5a1f0f33cbe3c25f81f9cfdf47d184/testing/libfuzzer/fuzzers/BUILD.gn
[modify] https://crrev.com/88f4eab8ee5a1f0f33cbe3c25f81f9cfdf47d184/testing/libfuzzer/gen_fuzzer_config.py

►

Issue 875199 link

Issue metadata

Ill in v8::internal::wasm::fuzzer::WasmExecutionFuzzer::FuzzWasmModule

Issue description

Comment 1 by ClusterFuzz, Aug 17

Comment 1 Deleted

Comment 2 by ishell@chromium.org, Aug 21

Comment 2 Deleted

Comment 3 by ahaas@chromium.org, Aug 23

Comment 3 Deleted

Comment 4 by bugdroid1@chromium.org, Aug 24

Comment 4 Deleted

Sign in to add a comment