
Issue metadata

Status: Fixed
Last visit > 30 days ago
Closed: Dec 2012
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Issue 117409: Chrome: Crash Report - Stack Signature: v8::internal::MarkCompactCollector::RecordS...

Reported by, Mar 8 2012 Project Member

Issue description

Product: Chrome
Stack Signature: v8::internal::MarkCompactCollector::RecordSlot(v8::internal::Object * *,v8::internal::Object * *,v8:...
New Signature Label: v8::internal::MarkCompactCollector::RecordSlot(v8::internal::Object * *,v8::internal::Object * *,v8:...
New Signature Hash: 19efc6a2_29ec3bce_7e2513a0_3ddcaeb1_86c1cef8

Report link: http://go/crash/reportdetail?reportid=ee8aaf84d1a81fb2

Meta information:
Product Name: Chrome
Product Version: 19.0.1061.1
Report ID: ee8aaf84d1a81fb2
Report Time: 2012/03/08 15:36:58, Thu
Uptime: 223 sec
Cumulative Uptime: 0 sec
OS Name: Windows NT
OS Version: 6.1.7601 Service Pack 1
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 42 stepping 7

I got these crashes on Windows:
http://crash/reportdetail?reportid=ee8aaf84d1a81e17 <- slightly different stack
I also got one on Linux64 "19.0.1055.1 (Official Build 123982) dev" but didn't have crash reporting on.

while visiting this page:
(one of the reports lists flickr as the current URL, but I had the nokia page open in another tab and I think it shared a process.)

The crash happens randomly while on the page. Sometimes it happens soon after load, sometimes it happens after many minutes (the first time it happened I almost read the whole article).

Comment 1 by, Mar 9 2012

Status: Assigned

Comment 2 by, May 8 2012

I can repro this

Comment 3 by, May 9 2012

Here comes the reduction

function KeyedStoreIC(a) { a[0] = Math.E; }

// literal with a fast double elements backing store
var literal = [1.2];

// specialize the IC for fast double elements

// truncate js array to 0 elements:
//   backing store will be replaced with empty fixed array
literal.length = 0;

// ArrayPush built-in will replace empty fixed array backing
// store with 19 elements fixed array backing store.
// Leading to a mismatch between the map and the backing store.
// Debug mode will crash here in set_elements accessor. 
literal.push(Math.E, Math.E);

// Corrupt the backing store!

// Release mode will crash here when trying to visit parts of E as pointers.
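
As an added illustration (not V8's code and not the reporter's reduction), the following Python model follows the invariant comment 3 describes: the map's elements kind must agree with the type of the backing store, the empty fixed array being the one store legal for every kind (an assumption of the model). `push(..., honor_kind=False)` mirrors the ArrayPush behaviour described above, where a FixedArray replaces the empty store under a double-elements map, so the specialised keyed store IC writes raw double bits into slots a pointer-visiting GC would later follow; `honor_kind=True` shows the store the kind actually requires, which the consistency check accepts.

```python
from dataclasses import dataclass
FAST_DOUBLE_ELEMENTS = "FAST_DOUBLE_ELEMENTS"  # the map's elements kind for [1.2]

@dataclass
class FixedArray:        # backing store the GC walks slot by slot as tagged pointers
    slots: list
@dataclass
class FixedDoubleArray:  # backing store of unboxed doubles; the GC never dereferences it
    slots: list
@dataclass
class RawDouble:         # the unboxed bits a double-elements keyed store IC writes
    value: float
EMPTY_FIXED_ARRAY = FixedArray([])  # shared empty store, legal for every kind (assumption)

@dataclass
class JSArray:
    elements_kind: str   # stands in for the map's elements kind
    elements: object
    length: int

def check_elements(arr):
    """Debug-mode style set_elements assertion: kind and backing store type must agree."""
    if arr.elements is EMPTY_FIXED_ARRAY:
        return True
    want = FixedDoubleArray if arr.elements_kind == FAST_DOUBLE_ELEMENTS else FixedArray
    return isinstance(arr.elements, want)

def push(arr, *values, honor_kind):
    """ArrayPush growing from the empty store; honor_kind=False is what comment 3 describes."""
    if arr.elements is EMPTY_FIXED_ARRAY:
        as_double = honor_kind and arr.elements_kind == FAST_DOUBLE_ELEMENTS
        arr.elements = (FixedDoubleArray if as_double else FixedArray)([])
    arr.elements.slots.extend(values)
    arr.length += len(values)

def keyed_store_double(arr, index, value):  # IC specialised on the kind; never re-checks the store
    arr.elements.slots[index] = RawDouble(value)

def double_bits_in_pointer_slots(arr):      # slots a pointer-visiting GC would try to follow
    if not isinstance(arr.elements, FixedArray):
        return 0
    return sum(isinstance(s, RawDouble) for s in arr.elements.slots)

def run(honor_kind):     # replays the reduction: (store consistent after push, bad GC slots)
    literal = JSArray(FAST_DOUBLE_ELEMENTS, FixedDoubleArray([1.2]), 1)
    literal.elements, literal.length = EMPTY_FIXED_ARRAY, 0   # literal.length = 0
    push(literal, 2.718281828, 2.718281828, honor_kind=honor_kind)
    consistent = check_elements(literal)                      # where debug mode would assert
    keyed_store_double(literal, 0, 2.718281828)
    return consistent, double_bits_in_pointer_slots(literal)
```

`run(False)` returns `(False, 1)`: the check fails right after the push, and one pointer slot now holds double bits; `run(True)` returns `(True, 0)`.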

Comment 4 by, May 9 2012

Reassigning to Danno for triage.

Comment 5 by, May 9 2012

I think you mean "take over" rather than "triage". This one's mine.

Comment 6 by, May 16 2012

Labels: -Type-Bug Type-Security Restrict-View-SecurityTeam

Comment 7 by, May 16 2012

Labels: OS-All Mstone-19 SecImpacts-Stable SecImpacts-Beta SecSeverity-High

Comment 8 by, May 21 2012

Fix has been committed to trunk/Canary and merged back to 3.10 ( and 3.9 (

Comment 9 by, May 21 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased

Comment 10 by, May 21 2012

Labels: -Merge-Approved Merge-Merged

Comment 11 by, May 23 2012

Labels: CVE-2011-3103

Comment 12 by, Jul 19 2012

I'm merging the patch into chromium-android m18. Where can I find the commit to fix this bug?

Comment 13 by, Jul 20 2012

This patch isn't relevant to 3.8, only 3.9 and later. I merged the regression test back to make sure it passes on 3.8 without other modifications, and it does.

Comment 14 by, Sep 24 2012


Comment 15 by, Dec 20 2012

Status: Fixed

Comment 16 by, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -WebKit-JavaScript -Mstone-19 -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-High Cr-Content Cr-Content-JavaScript Security-Impact-Stable Security-Impact-Beta M-19 Security-Severity-High Type-Bug-Security

Comment 17 by, Mar 21 2013

Labels: -Restrict-View-SecurityNotify

Comment 18 by, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 19 by, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 20 by, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 21 by, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 22 by, Apr 6 2013

Project Member
Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript

Comment 23 by, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 24 by, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 25 by, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 26 by, Oct 2 2016

Labels: allpublic

Comment 27 by, Apr 25 2018

Labels: CVE_description-submitted
