Null-dereference READ in v8::internal::CanonicalHandleScope::Lookup
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6608503445389312

Fuzzer: ochang_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::CanonicalHandleScope::Lookup
  GetHandle
  HandleBase

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=57134:57135

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6608503445389312

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Dec 7
ClusterFuzz testcase 6608503445389312 appears to be flaky, updating reproducibility label.
Dec 7
Fixed by https://crrev.com/c/1367684.
Dec 7
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/62d3ea840c84c8cbd718bd74627d642e2f9c1cc2

commit 62d3ea840c84c8cbd718bd74627d642e2f9c1cc2
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Fri Dec 07 17:31:17 2018

[wasm] Avoid accidentally creating two foreground tasks

If we create a second foreground task, only the second one will be registered with the AsyncCompileJob, so the first one will not be cancelled, which can lead to use-after-free of the AsyncCompileJob.
In a debug build, a DCHECK will fail when creating the second foreground task.

R=ahaas@chromium.org

Bug: chromium:907937, chromium:910920
Change-Id: Iefefc4a85e7b35b32051cfe8cd5cbbfc4e95b843
Reviewed-on: https://chromium-review.googlesource.com/c/1367684
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58108}

[modify] https://crrev.com/62d3ea840c84c8cbd718bd74627d642e2f9c1cc2/src/wasm/module-compiler.cc
[modify] https://crrev.com/62d3ea840c84c8cbd718bd74627d642e2f9c1cc2/src/wasm/module-compiler.h
Dec 10
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e95a1424e88ec63e5e13a63818efe50d60fbe74e

commit e95a1424e88ec63e5e13a63818efe50d60fbe74e
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon Dec 10 15:26:17 2018

Merged: [wasm] Avoid accidentally creating two foreground tasks

If we create a second foreground task, only the second one will be registered with the AsyncCompileJob, so the first one will not be cancelled, which can lead to use-after-free of the AsyncCompileJob.
In a debug build, a DCHECK will fail when creating the second foreground task.

R=ahaas@chromium.org

Bug: chromium:907937, chromium:910920
Change-Id: I1a32b544d7ac8ae4a71c17b1051ce03034895ce8
Originally-reviewed-on: https://chromium-review.googlesource.com/c/1367684
No-Try: true
No-Presubmit: true
No-Treechecks: true
Reviewed-on: https://chromium-review.googlesource.com/c/1369953
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/branch-heads/7.2@{#15}
Cr-Branched-From: 6acd03c9b8a8232aee95f25fbf6ae822aaedae75-refs/heads/7.2.502@{#1}
Cr-Branched-From: b03041de094610ef24e0e4fb6bf4c700fa1553ed-refs/heads/master@{#57910}

[modify] https://crrev.com/e95a1424e88ec63e5e13a63818efe50d60fbe74e/src/wasm/module-compiler.cc
[modify] https://crrev.com/e95a1424e88ec63e5e13a63818efe50d60fbe74e/src/wasm/module-compiler.h
Comment 1 by ClusterFuzz, Dec 2

Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)