DCHECK failure in save_days == DaysFromYearMonth(*year, 0) + days in date.cc
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5183725324992512
Fuzzer: ochang_js_fuzzer_win
Job Type: windows_asan_d8_dbg
Platform Id: windows
Crash Type: DCHECK failure
Crash Address:
Crash State:
  save_days == DaysFromYearMonth(*year, 0) + days in date.cc
  v8::platform::PrintStackTrace
  v8::internal::DateCache::YearMonthDayFromDays
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5183725324992512
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Nov 26
Ulan, that check seems to be in the code since your initial CL in 2012. Can you take a look please? +Benedikt, who also worked on the code in between.
Nov 26
It looks like a correctness issue, not security. In the worst case it gives an incorrect date. I suggest removing the Security_Severity-High label.
new Date("-422480-(-8)");
Debug check failed: save_days == DaysFromYearMonth(*year, 0) + days (-155027179 vs. -155027178).
Nov 26
Removing security labels based on comment 3.
Nov 26
Thanks! The fix is in flight: https://chromium-review.googlesource.com/c/v8/v8/+/1350996
Nov 27
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/276c56269fc9053149b516885701c9a9d7ea004d

commit 276c56269fc9053149b516885701c9a9d7ea004d
Author: Ulan Degenbaev <ulan@chromium.org>
Date: Tue Nov 27 10:28:30 2018

Add date range validity check to the date parser.

Now the parser rejects dates outside the [-8640e12ms, 8640e12ms] range as specified by ES6 section 20.3.1.1.

Bug: chromium:908248, v8:7781
Change-Id: I3391ce7398c971d54794e5011564a0527794667a
Reviewed-on: https://chromium-review.googlesource.com/c/1350996
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57862}

[modify] https://crrev.com/276c56269fc9053149b516885701c9a9d7ea004d/src/builtins/builtins-date.cc
[modify] https://crrev.com/276c56269fc9053149b516885701c9a9d7ea004d/test/mjsunit/date.js
[modify] https://crrev.com/276c56269fc9053149b516885701c9a9d7ea004d/test/test262/test262.status
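Added example (not code from this thread or from V8): the ES 20.3.1.1 time-value range check that the fix adds to the parser, next to the days to (year, month, day) round-trip that the failing DCHECK asserts. The calendar arithmetic is a plain proleptic Gregorian implementation written for this example, not DateCache's; the exact components the legacy parser derives from "-422480-(-8)" are not recorded in the thread, so the test below uses year -422480 with month 0 and day 1 as a constructed input.

```javascript
// Added example, not V8's code: the ES 20.3.1.1 range check the fix adds to
// the parser, plus the days <-> (year, month, day) round-trip the DCHECK in
// date.cc asserts. Proleptic Gregorian calendar, 0-based months like Date.UTC.
const MAX_TIME_MS = 8.64e15;   // |t| must not exceed 8.64e15 ms (ES 20.3.1.1)
const MS_PER_DAY = 86400000;
const DAYS_IN_MONTH = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];
const isLeapYear = (y) => y % 4 === 0 && (y % 100 !== 0 || y % 400 === 0);

// Days from 1970-01-01 to January 1st of `year` (the ES DayFromYear formula).
function daysFromYear(year) {
  return 365 * (year - 1970) + Math.floor((year - 1969) / 4)
       - Math.floor((year - 1901) / 100) + Math.floor((year - 1601) / 400);
}

// Days from the epoch to the first day of `month` in `year`; a month outside
// 0..11 rolls the year, which is how loose parser input can reach here.
function daysFromYearMonth(year, month) {
  const y = year + Math.floor(month / 12);
  const m = month - 12 * Math.floor(month / 12);
  let days = daysFromYear(y);
  for (let i = 0; i < m; i++) {
    days += DAYS_IN_MONTH[i] + (i === 1 && isLeapYear(y) ? 1 : 0);
  }
  return days;
}

// Inverse of the above (the job of DateCache::YearMonthDayFromDays).
function yearMonthDayFromDays(days) {
  let year = Math.floor(days / 365.2425) + 1970;   // estimate, then correct
  while (daysFromYear(year) > days) year--;
  while (daysFromYear(year + 1) <= days) year++;
  let month = 0;
  while (month < 11 && daysFromYearMonth(year, month + 1) <= days) month++;
  return { year, month, day: days - daysFromYearMonth(year, month) + 1 };
}

// The invariant the DCHECK states: converting back must reproduce `days`.
function roundTripHolds(days) {
  const { year, month, day } = yearMonthDayFromDays(days);
  return daysFromYearMonth(year, month) + day - 1 === days;
}

// What the fix adds: a parsed (year, month, day) yields a time value only if
// it lies inside the ES range; otherwise the date is invalid (NaN) and the
// out-of-range day count never reaches the DateCache at all.
function timeValue(year, month, day) {
  const t = (daysFromYearMonth(year, month) + day - 1) * MS_PER_DAY;
  return Math.abs(t) > MAX_TIME_MS ? NaN : t;
}
```

The in-range results agree with Date.UTC; the year from the repro lands roughly 1.55e8 days before the epoch, far beyond the 1e8-day limit, and is rejected before any calendar decomposition runs.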
Nov 28
ClusterFuzz has detected this issue as fixed in range 57861:57862.
Detailed report: https://clusterfuzz.com/testcase?key=5183725324992512
Fuzzer: ochang_js_fuzzer_win
Job Type: windows_asan_d8_dbg
Platform Id: windows
Crash Type: DCHECK failure
Crash Address:
Crash State:
  save_days == DaysFromYearMonth(*year, 0) + days in date.cc
  v8::platform::PrintStackTrace
  v8::internal::DateCache::YearMonthDayFromDays
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=57861:57862
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5183725324992512
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 28
ClusterFuzz testcase 5183725324992512 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by sheriffbot@chromium.org, Nov 25