
Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Issue 117409: Chrome: Crash Report - Stack Signature: v8::internal::MarkCompactCollector::RecordS...

Reported by brettw@chromium.org, Mar 8 2012 Project Member

Issue description

Product: Chrome
Stack Signature: v8::internal::MarkCompactCollector::RecordSlot(v8::internal::Object * *,v8::internal::Object * *,v8:...
New Signature Label: v8::internal::MarkCompactCollector::RecordSlot(v8::internal::Object * *,v8::internal::Object * *,v8:...
New Signature Hash: 19efc6a2_29ec3bce_7e2513a0_3ddcaeb1_86c1cef8

Report link: http://go/crash/reportdetail?reportid=ee8aaf84d1a81fb2

Meta information:
Product Name: Chrome
Product Version: 19.0.1061.1
Report ID: ee8aaf84d1a81fb2
Report Time: 2012/03/08 15:36:58, Thu
Uptime: 223 sec
Cumulative Uptime: 0 sec
OS Name: Windows NT
OS Version: 6.1.7601 Service Pack 1
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 42 stepping 7

I got these crashes on Windows:
http://crash/reportdetail?reportid=ee8aaf84d1a81e17 <- slightly different stack
http://crash/reportdetail?reportid=ea39e1eb7fd94a6e
http://crash/reportdetail?reportid=ee8aaf84d1a81fb2
I also got one on Linux64 "19.0.1055.1 (Official Build 123982) dev" but didn't have crash reporting on.

while visiting this page:
http://conversations.nokia.com/2012/03/07/the-story-behind-the-nokia-808-pureview/
(one of the reports lists flickr as the current URL, but I had the nokia page open in another tab and I think it shared a process.)

The crash happens randomly while on the page. Sometimes it happens soon after load, sometimes it happens after many minutes (the first time it happened I almost read the whole article).
 

Comment 1 by danno@chromium.org, Mar 9 2012

Owner: erikcorry@google.com
Status: Assigned

Comment 2 by erikcorry@google.com, May 8 2012

I can repro this

Comment 3 by vegorov@chromium.org, May 9 2012

Here comes the reduction


// run the shell with --expose-gc so that gc() at the end is defined
function KeyedStoreIC(a) { a[0] = Math.E; }

// literal with a fast double elements backing store
var literal = [1.2];

// specialize the IC for fast double elements
KeyedStoreIC(literal);
KeyedStoreIC(literal);

// truncate js array to 0 elements:
//   backing store will be replaced with empty fixed array
literal.length = 0;

// ArrayPush built-in will replace empty fixed array backing
// store with 19 elements fixed array backing store.
// Leading to a mismatch between the map and the backing store.
// Debug mode will crash here in set_elements accessor.
literal.push(Math.E, Math.E);

// Corrupt the backing store!
KeyedStoreIC(literal);

// Release mode will crash here when trying to visit parts of E as pointers.
gc();
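
The reduction in comment 3 crashes the engine but checks nothing itself. The harness below is an added example, not part of the bug report and not V8's regression test for this issue; it turns the same sequence (train a keyed store on one elements kind, truncate with length = 0, rebuild the backing store with push(), store through the trained site, then collect) into a self-checking test and widens it to several seed/push combinations. The case names and values are constructed for illustration. A script cannot observe the map/backing-store mismatch directly, so the check is end to end: after allocation pressure, every slot must still read back exactly what was written. An engine with the bug either crashes in pressure() or returns corrupted values. Run it as `node --expose-gc harness.js` (or `d8 --expose-gc harness.js`) so gc() is available; without the flag it falls back to allocating garbage, which is less reliable at triggering a collection.

```javascript
'use strict';

// Constructed cases: each trains a store site on the seed's elements kind,
// then rebuilds the backing store from `pushed`, which may be another kind.
const CASES = [
  // the exact shape of the reduction: double store, truncate, push doubles
  { name: 'double, truncate, push doubles', seed: [1.2], train: Math.E, pushed: [Math.E, Math.E], final: Math.PI },
  // double store site, but the new backing store is built from small integers
  { name: 'double, truncate, push smis',    seed: [1.2], train: Math.E, pushed: [1, 2],           final: 3.25 },
  // small-integer store site, new backing store holds unboxed doubles
  { name: 'smi, truncate, push doubles',    seed: [1],   train: 2,      pushed: [Math.E, Math.E], final: 7 },
  // double store site, new backing store holds tagged pointers
  { name: 'double, truncate, push objects', seed: [1.2], train: Math.E, pushed: [{}, 'x'],        final: Math.E },
];

// Force a collection if the shell exposes gc() (d8/node with --expose-gc);
// otherwise allocate enough garbage that a collection is very likely.
function pressure() {
  if (typeof gc === 'function') { gc(); return 0; }
  const junk = [];
  for (let i = 0; i < 200000; i++) junk.push({ i, s: 'x' + i });
  return junk.length;
}

function runCase(c) {
  // Fresh closure per case so each run starts with untrained store feedback
  // (an assumption about engine internals; the check itself does not rely on it).
  const store = (a, v) => { a[0] = v; };
  const arr = c.seed.slice();

  store(arr, c.train);       // train the keyed store on the seed's elements kind
  store(arr, c.train);
  arr.length = 0;            // truncate: the old backing store is dropped
  arr.push(...c.pushed);     // rebuild the backing store, possibly with another kind
  store(arr, c.final);       // store through the already-trained site
  pressure();                // let the collector walk the new backing store

  // push() made `pushed` the contents; the final store overwrote slot 0.
  const expected = [c.final, ...c.pushed.slice(1)];
  const ok = arr.length === expected.length &&
             expected.every((v, i) => Object.is(arr[i], v));
  return { name: c.name, ok, got: Array.from(arr) };
}

function runAll() {
  return CASES.map(runCase);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runAll()) console.log(r.ok ? 'ok  ' : 'FAIL', r.name);
}
```

Each case returns the values it read back, so a failure shows what the corrupted slots contained rather than just a boolean; that is what you want when bisecting an engine build or comparing debug and release behaviour, where the reduction above crashes at different points.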

Comment 4 by vegorov@chromium.org, May 9 2012

Owner: danno@chromium.org
Reassigning to Danno for triage.

Comment 5 by danno@chromium.org, May 9 2012

I think you mean "take over" rather than "triage". This one's mine.

Comment 6 by danno@chromium.org, May 16 2012

Labels: -Type-Bug Type-Security Restrict-View-SecurityTeam

Comment 7 by infe...@chromium.org, May 16 2012

Labels: OS-All Mstone-19 SecImpacts-Stable SecImpacts-Beta SecSeverity-High

Comment 8 by danno@chromium.org, May 21 2012

Fix has been committed to trunk/Canary and merged back to 3.10 (3.10.8.9) and 3.9 (3.9.24.27).

Comment 9 by infe...@chromium.org, May 21 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased

Comment 10 by scarybea...@gmail.com, May 21 2012

Labels: -Merge-Approved Merge-Merged

Comment 11 by scarybea...@gmail.com, May 23 2012

Labels: CVE-2011-3103

Comment 12 by wangxianzhu@chromium.org, Jul 19 2012

I'm merging the patch into chromium-android m18. Where can I find the commit to fix this bug?

Comment 13 by danno@chromium.org, Jul 20 2012

This patch isn't relevant to 3.8, only 3.9 and later. I merged the regression test back to make sure it passes on 3.8 without other modifications, and it does.

Comment 14 by scarybea...@gmail.com, Sep 24 2012

Cc: holi...@gmail.com

Comment 15 by jsc...@chromium.org, Dec 20 2012

Status: Fixed

Comment 16 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -WebKit-JavaScript -Mstone-19 -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-High Cr-Content Cr-Content-JavaScript Security-Impact-Stable Security-Impact-Beta M-19 Security-Severity-High Type-Bug-Security

Comment 17 by scarybea...@gmail.com, Mar 21 2013

Labels: -Restrict-View-SecurityNotify

Comment 18 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 21 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 22 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript

Comment 23 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 24 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 26 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 27 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
