Issue 117409

Issue metadata

Status: Fixed
Closed: Dec 2012
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Chrome: Crash Report - Stack Signature: v8::internal::MarkCompactCollector::RecordS...

Project Member Reported by, Mar 8 2012

Issue description

Product: Chrome
Stack Signature: v8::internal::MarkCompactCollector::RecordSlot(v8::internal::Object * *,v8::internal::Object * *,v8:...
New Signature Label: v8::internal::MarkCompactCollector::RecordSlot(v8::internal::Object * *,v8::internal::Object * *,v8:...
New Signature Hash: 19efc6a2_29ec3bce_7e2513a0_3ddcaeb1_86c1cef8

Report link: http://go/crash/reportdetail?reportid=ee8aaf84d1a81fb2

Meta information:
Product Name: Chrome
Product Version: 19.0.1061.1
Report ID: ee8aaf84d1a81fb2
Report Time: 2012/03/08 15:36:58, Thu
Uptime: 223 sec
Cumulative Uptime: 0 sec
OS Name: Windows NT
OS Version: 6.1.7601 Service Pack 1
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 42 stepping 7

I got these crashes on Windows:
http://crash/reportdetail?reportid=ee8aaf84d1a81e17 <- slightly different stack
I also got one on Linux64 "19.0.1055.1 (Official Build 123982) dev" but didn't have crash reporting on.

while visiting this page:
(one of the reports lists flickr as the current URL, but I had the nokia page open in another tab and I think it shared a process.)

The crash happens randomly while on the page. Sometimes it happens soon after load, sometimes it happens after many minutes (the first time it happened I almost read the whole article).

Comment 1 by, Mar 9 2012

Status: Assigned
I can repro this.
Here comes the reduction:

function KeyedStoreIC(a) { a[0] = Math.E; }

// literal with a fast double elements backing store
var literal = [1.2];

// specialize the IC for fast double elements
// (call reconstructed: the archived comment omits the line)
KeyedStoreIC(literal);

// truncate js array to 0 elements:
//   backing store will be replaced with empty fixed array
literal.length = 0;

// ArrayPush built-in will replace empty fixed array backing
// store with 19 elements fixed array backing store.
// Leading to a mismatch between the map and the backing store.
// Debug mode will crash here in set_elements accessor.
literal.push(Math.E, Math.E);

// Corrupt the backing store!
// (call reconstructed, as above: the IC still believes the
// store holds unboxed doubles and writes raw bits into slot 0)
KeyedStoreIC(literal);

// Release mode will crash here when trying to visit parts of E as pointers.

Reassigning to Danno for triage.
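
The reduction in the comment above turns on one invariant: the elements kind recorded in an object's map must agree with the actual type of its backing store, because a store IC specialised on the map's kind never re-checks the store. The following Python toy model is an added teaching example, not V8 code and not part of this issue; every class and function name in it (JSArray, Map, FixedArray, FixedDoubleArray, buggy_push, fixed_push, keyed_store_ic_double, gc_visit_slots, run_reduction) is constructed. It replays the reported sequence twice, once with the debug-style check in the set_elements accessor enabled and once with it disabled, against a push that ignores the map's kind and against one that respects it.

```python
"""Toy model of the map / backing-store invariant behind issue 117409.

Constructed teaching example, not V8 code. A JSArray's map records an
'elements kind'; the backing store is a separate object whose type must
agree with that kind. Debug builds assert this in the set_elements
accessor; release builds trust it, so an IC specialised for double
elements can write raw double bits into a pointer-typed store.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Union
import math


class ElementsKind(Enum):
    FAST_ELEMENTS = auto()          # tagged values (pointers / smis)
    FAST_DOUBLE_ELEMENTS = auto()   # unboxed IEEE-754 doubles


@dataclass
class Tagged:
    """A tagged heap reference: the only thing a FixedArray may hold."""
    value: object


@dataclass
class FixedArray:
    slots: List[object] = field(default_factory=list)   # should all be Tagged


@dataclass
class FixedDoubleArray:
    slots: List[float] = field(default_factory=list)


EMPTY_FIXED_ARRAY = FixedArray()   # shared sentinel, legal under any kind


class InvariantViolation(AssertionError):
    pass


@dataclass
class Map:
    elements_kind: ElementsKind


@dataclass
class JSArray:
    map: Map
    elements: Union[FixedArray, FixedDoubleArray]

    def set_elements(self, store, debug_checks=True):
        """Accessor: with debug_checks the store type must match the map's
        kind (the shared empty array excepted); without, it is trusted."""
        is_double_store = isinstance(store, FixedDoubleArray)
        wants_double = self.map.elements_kind is ElementsKind.FAST_DOUBLE_ELEMENTS
        if debug_checks and store is not EMPTY_FIXED_ARRAY and is_double_store != wants_double:
            raise InvariantViolation(
                f"map says {self.map.elements_kind.name} but store is {type(store).__name__}")
        self.elements = store


def double_literal(values):
    """A [1.2]-style literal: map and store both say doubles."""
    return JSArray(Map(ElementsKind.FAST_DOUBLE_ELEMENTS), FixedDoubleArray(list(values)))


def buggy_push(arr, values, debug_checks):
    """Models the faulty built-in: grows the empty store into a tagged
    FixedArray without consulting the map's elements kind."""
    arr.set_elements(FixedArray([Tagged(v) for v in values]), debug_checks)


def fixed_push(arr, values, debug_checks):
    """Grows the store in the type the map already promises."""
    if arr.map.elements_kind is ElementsKind.FAST_DOUBLE_ELEMENTS:
        store = FixedDoubleArray([float(v) for v in values])
    else:
        store = FixedArray([Tagged(v) for v in values])
    arr.set_elements(store, debug_checks)


def keyed_store_ic_double(arr, index, value):
    """An IC specialised on FAST_DOUBLE_ELEMENTS: it checks only the map,
    then writes raw double bits into the slot, whatever the store really is."""
    assert arr.map.elements_kind is ElementsKind.FAST_DOUBLE_ELEMENTS
    arr.elements.slots[index] = value


def gc_visit_slots(arr):
    """What a mark-compact visitor expects: every FixedArray slot is a
    tagged reference. Returns True if the object is consistent."""
    if isinstance(arr.elements, FixedArray):
        return all(isinstance(s, Tagged) for s in arr.elements.slots)
    return all(isinstance(s, float) for s in arr.elements.slots)


def run_reduction(push_impl, debug_checks):
    """Replays literal -> length = 0 -> push -> IC store and reports the outcome."""
    arr = double_literal([1.2])
    arr.set_elements(EMPTY_FIXED_ARRAY, debug_checks)      # literal.length = 0
    try:
        push_impl(arr, [math.e, math.e], debug_checks)       # literal.push(E, E)
    except InvariantViolation:
        return "debug assert in set_elements"
    keyed_store_ic_double(arr, 0, math.e)                   # specialised IC store
    return "ok" if gc_visit_slots(arr) else "heap corrupted: non-tagged slot"


if __name__ == "__main__":
    for impl in (buggy_push, fixed_push):
        for checks in (True, False):
            print(impl.__name__, "debug" if checks else "release", "->",
                  run_reduction(impl, checks))
```

The point of the model is that the debug assertion only moves the failure earlier; the real fix is that whichever built-in replaces the backing store must either allocate a store of the kind the map promises or transition the map first, so that a specialised IC can never find a store of a type it did not expect.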

Comment 5 by, May 9 2012

I think you mean "take over" rather than "triage". This one's mine.

Comment 6 by, May 16 2012

Labels: -Type-Bug Type-Security Restrict-View-SecurityTeam
Labels: OS-All Mstone-19 SecImpacts-Stable SecImpacts-Beta SecSeverity-High

Comment 8 by, May 21 2012

Fix has been committed to trunk/Canary and merged back to 3.10 ( and 3.9 ( 
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Labels: -Merge-Approved Merge-Merged
Labels: CVE-2011-3103
I'm merging the patch into chromium-android m18. Where can I find the commit to fix this bug?

Comment 13 by, Jul 20 2012

This patch isn't relevant to 3.8, only 3.9 and later. I merged the regression test back to make sure it passes on 3.8 without other modifications, and it does.
Status: Fixed

Comment 16 by Project Member, Mar 10 2013

Labels: -Type-Security -Area-WebKit -WebKit-JavaScript -Mstone-19 -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-High Cr-Content Cr-Content-JavaScript Security-Impact-Stable Security-Impact-Beta M-19 Security-Severity-High Type-Bug-Security
Labels: -Restrict-View-SecurityNotify

Comment 18 by Project Member, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 19 by Project Member, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 20 by Project Member, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 21 by Project Member, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 22 by Project Member, Apr 6 2013

Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript

Comment 23 by Project Member, Jun 14 2016

Labels: -security_impact-beta

Comment 24 by Project Member, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 25 by Project Member, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted