Starred by 1 user
Status: Fixed
Closed: Dec 2012
OS: All
Pri: 1
Type: Bug-Security
Chrome: Crash Report - Stack Signature: v8::internal::MarkCompactCollector::RecordS...
Project Member Reported by brettw@chromium.org, Mar 8 2012
Product: Chrome
Stack Signature: v8::internal::MarkCompactCollector::RecordSlot(v8::internal::Object * *,v8::internal::Object * *,v8:...
New Signature Label: v8::internal::MarkCompactCollector::RecordSlot(v8::internal::Object * *,v8::internal::Object * *,v8:...
New Signature Hash: 19efc6a2_29ec3bce_7e2513a0_3ddcaeb1_86c1cef8

Report link: http://go/crash/reportdetail?reportid=ee8aaf84d1a81fb2

Meta information:
Product Name: Chrome
Product Version: 19.0.1061.1
Report ID: ee8aaf84d1a81fb2
Report Time: 2012/03/08 15:36:58, Thu
Uptime: 223 sec
Cumulative Uptime: 0 sec
OS Name: Windows NT
OS Version: 6.1.7601 Service Pack 1
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 42 stepping 7

I got these crashes on Windows:
http://crash/reportdetail?reportid=ee8aaf84d1a81e17 <- slightly different stack
http://crash/reportdetail?reportid=ea39e1eb7fd94a6e
http://crash/reportdetail?reportid=ee8aaf84d1a81fb2
I also got one on Linux64 "19.0.1055.1 (Official Build 123982) dev" but didn't have crash reporting on.

while visiting this page:
http://conversations.nokia.com/2012/03/07/the-story-behind-the-nokia-808-pureview/
(One of the reports lists flickr as the current URL, but I had the nokia page open in another tab and I think it shared a process.)

The crash happens randomly while on the page. Sometimes it happens soon after load, sometimes it happens after many minutes (the first time it happened I almost read the whole article).
 
Comment 1 by danno@chromium.org, Mar 9 2012
Owner: erikcorry@google.com
Status: Assigned
I can repro this
Here comes the reduction:


function KeyedStoreIC(a) { a[0] = Math.E; }

// literal with a fast double elements backing store
var literal = [1.2];

// specialize the IC for fast double elements
KeyedStoreIC(literal);
KeyedStoreIC(literal);

// truncate js array to 0 elements:
//   backing store will be replaced with empty fixed array
literal.length = 0;

// ArrayPush built-in will replace empty fixed array backing
// store with 19 elements fixed array backing store.
// Leading to a mismatch between the map and the backing store.
// Debug mode will crash here in set_elements accessor.
literal.push(Math.E, Math.E);

// Corrupt the backing store!
KeyedStoreIC(literal);

// Release mode will crash here when trying to visit parts of E as pointers.
gc();

Owner: danno@chromium.org
Reassigning to Danno for triage.
Comment 5 by danno@chromium.org, May 9 2012
I think you mean "take over" rather than "triage". This one's mine.
Comment 6 by danno@chromium.org, May 16 2012
Labels: -Type-Bug Type-Security Restrict-View-SecurityTeam
Labels: OS-All Mstone-19 SecImpacts-Stable SecImpacts-Beta SecSeverity-High
Comment 8 by danno@chromium.org, May 21 2012
Fix has been committed to trunk/Canary and merged back to 3.10 (3.10.8.9) and 3.9 (3.9.24.27).
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Labels: -Merge-Approved Merge-Merged
Labels: CVE-2011-3103
I'm merging the patch into chromium-android m18. Where can I find the commit to fix this bug?
Comment 13 by danno@chromium.org, Jul 20 2012
This patch isn't relevant to 3.8, only 3.9 and later. I merged the regression test back to make sure it passes on 3.8 without other modifications, and it does.
Cc: holi...@gmail.com
Status: Fixed
Project Member Comment 16 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -WebKit-JavaScript -Mstone-19 -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-High Cr-Content Cr-Content-JavaScript Security-Impact-Stable Security-Impact-Beta M-19 Security-Severity-High Type-Bug-Security
Labels: -Restrict-View-SecurityNotify
Project Member Comment 18 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 19 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 20 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 21 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 22 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript
Project Member Comment 23 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 24 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 25 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic