Issue metadata
Issue 118642: Heap-use-after-free in v8::internal::JSObject::GetElementWithInterceptor
Reported by
ax3...@gmail.com,
Mar 16 2012
Issue description

VULNERABILITY DETAILS
Use-after-free in JavaScript engine.

VERSION
Version 19.0.1068.0 (126348), Developer Build on Ubuntu 10.10

REPRODUCTION CASE
Unfortunately can't provide testcase currently - this is one of those rare cases when reproduction does not work. Decided to provide at least a stack trace; probably it can be useful. This bug appears quite frequently, so probably later I will finally get the testcase.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
==5320== ERROR: AddressSanitizer heap-use-after-free on address 0x7ffbb6a02888 at pc 0x7ffbdcb07aa9 bp 0x7fff610c4cb0 sp 0x7fff610c4ca8
READ of size 8 at 0x7ffbb6a02888 thread T0
    #0 0x7ffbdcb07aa9 in WebCore::toV8(WebCore::CSSStyleSheet*) ???:0
    #1 0x7ffbd77a348e in v8::internal::JSObject::GetElementWithInterceptor(v8::internal::Object*, unsigned int) /media/Chromium/chromium/depot_tools/src/v8/src/objects.cc:10097
    #2 0x7ffbd78fe004 in v8::internal::Runtime::GetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) /media/Chromium/chromium/depot_tools/src/v8/src/runtime.cc:4182
    #3 0x7ffbd7be13fc in v8::internal::KeyedLoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, bool) /media/Chromium/chromium/depot_tools/src/v8/src/ic.cc:1195
    #4 0x7ffbd7beccd5 in v8::internal::KeyedLoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) /media/Chromium/chromium/depot_tools/src/v8/src/ic.cc:1987
    #5 0x2ef9fe00614e
    #6 0x2ef9fe0ca0e0
    #7 0x2ef9fe0c6822
    #8 0x2ef9fe0e89ed
    #9 0x2ef9fe06e4b3
    #10 0x2ef9fe022647
    #11 0x2ef9fe011137
    #12 0x7ffbd74e3278 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) /media/Chromium/chromium/depot_tools/src/v8/src/execution.cc:118
    #13 0x7ffbd742d586 in v8::Script::Run() /media/Chromium/chromium/depot_tools/src/v8/src/api.cc:1588
    #14 0x7ffbd9152a03 in WebCore::V8Proxy::runScript(v8::Handle<v8::Script>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:382
    #15 0x7ffbd9151bab in WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:353
    #16 0x7ffbd997eda7 in ~Scope /media/Chromium/chromium/depot_tools/src/v8/include/v8.h:3577
    #17 0x7ffbd97b8c64 in WebCore::InspectorInstrumentation::hasFrontends() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:225
    #18 0x7ffbd8dc85d8 in WebCore::ThreadTimers::sharedTimerFiredInternal() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
    #19 0x7ffbd69f1256 in base::Callback<void ()()>::Run() const /media/Chromium/chromium/depot_tools/src/./base/callback.h:272
    #20 0x7ffbd69f1ab8 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:470
    #21 0x7ffbd69f3498 in MessageLoop::DoDelayedWork(base::TimeTicks*) /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:698
    #22 0x7ffbd69fd2ce in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /media/Chromium/chromium/depot_tools/src/base/message_pump_default.cc:33
    #23 0x7ffbd69efe1e in MessageLoop::RunInternal() /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:418
    #24 0x7ffbd69ee00f in ~AutoRunState /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:745
    #25 0x7ffbdbdc9b5c in RendererMain(content::MainFunctionParams const&) /media/Chromium/chromium/depot_tools/src/content/renderer/renderer_main.cc:241
    #26 0x7ffbd69464b6 in RunZygote /media/Chromium/chromium/depot_tools/src/content/app/content_main_runner.cc:245
    #27 0x7ffbd6944a2a in content::ContentMain(int, char const**, content::ContentMainDelegate*) /media/Chromium/chromium/depot_tools/src/content/app/content_main.cc:35
    #28 0x7ffbd53abc97 in ChromeMain /media/Chromium/chromium/depot_tools/src/chrome/app/chrome_main.cc:32
    #29 0x7ffbd53abbeb in main /media/Chromium/chromium/depot_tools/src/chrome/app/chrome_exe_main_gtk.cc:18
    #30 0x7ffbce7bbd8e in __libc_start_main /build/buildd/eglibc-2.12.1/csu/libc-start.c:258
0x7ffbb6a02888 is located 8 bytes inside of 136-byte region [0x7ffbb6a02880,0x7ffbb6a02908)
freed by thread T0 here:
    #0 0x7ffbdd14b9d2 in operator delete(void*) ??:0
    #1 0x7ffbd753eb39 in v8::internal::RuntimeProfiler::IsEnabled() /media/Chromium/chromium/depot_tools/src/v8/src/runtime-profiler.h:50
previously allocated by thread T0 here:
    #0 0x7ffbdd14b852 in operator new(unsigned long) ??:0
    #1 0x7ffbd8b88258 in WebCore::HTMLStyleElement::create(WebCore::QualifiedName const&, WebCore::Document*, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/html/HTMLStyleElement.cpp:70
    #2 0x7ffbda6cd5aa in WTF::PassRefPtr<WebCore::HTMLStyleElement>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #3 0x7ffbda6c4c63 in WTF::PassRefPtr<WebCore::HTMLElement>::operator WebCore::HTMLElement* WTF::PassRefPtr<WebCore::HTMLElement>::*() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:82
    #4 0x7ffbd8acd759 in WTF::PassRefPtr<WebCore::HTMLElement>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #5 0x7ffbda57ff00 in WTF::PassRefPtr<WebCore::Element>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #6 0x7ffbd7494da3 in HandleApiCallHelper /media/Chromium/chromium/depot_tools/src/v8/src/builtins.cc:1136
    #7 0x2ef9fe00614e
    #8 0x2ef9fe0ca1aa
    #9 0x2ef9fe0c6822
    #10 0x2ef9fe0e89ed
    #11 0x2ef9fe06e4b3
    #12 0x2ef9fe022647
    #13 0x2ef9fe011137
    #14 0x7ffbd74e3278 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) /media/Chromium/chromium/depot_tools/src/v8/src/execution.cc:118
    #15 0x7ffbd742d586 in v8::Script::Run() /media/Chromium/chromium/depot_tools/src/v8/src/api.cc:1588
    #16 0x7ffbd9152a03 in WebCore::V8Proxy::runScript(v8::Handle<v8::Script>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:382
    #17 0x7ffbd9151bab in WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:353
    #18 0x7ffbd997eda7 in ~Scope /media/Chromium/chromium/depot_tools/src/v8/include/v8.h:3577
    #19 0x7ffbd97b8c64 in WebCore::InspectorInstrumentation::hasFrontends() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:225
    #20 0x7ffbd8dc85d8 in WebCore::ThreadTimers::sharedTimerFiredInternal() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
==5320== ABORTING

Mar 17 2012,
I asked him to file this so the v8 guys could have a look, in case the stack trace gives them a clue. If not we'll close it out. However, since it's not confirmed, please don't assign labels that could be misleading.

Mar 19 2012,
This looks like a crash in the bindings, not in V8 itself. Adding the bindings guys.

Mar 19 2012,
cdn: What makes you think this is related to ownerNode? I'm curious because we rolled back a change that involved ownerNode. See https://bugs.webkit.org/show_bug.cgi?id=80880 for more details.

Mar 19 2012,
arv, Total guess based on a look at the code around where the crash occurs. A bad ownerNode seemed like the only thing in WebCore::toV8() that could cause a read av. I am not at all confident in that analysis though :)

Mar 19 2012,
Oh also, if you look at the stack where it was allocated, it is creating a style element. Would the ownerNode for a CSSStyleSheet be a style element? I'll stop guessing now.

Mar 19 2012,
Good news - I am able to reproduce the crash now, will try to provide a reduced testcase tomorrow.

Mar 19 2012,
Excellent! Want to post what you have now and we can run it through our minimizer. I promise it won't affect the bounty :)

Mar 19 2012,
Unfortunately can't do it right now, because the testcase is too complicated - requires too much stuff to be done manually and cannot be automated. Actually, it's part of a fuzzing framework and also has a bunch of dependencies. Tomorrow I will post a minimized version, I'm working on it.

Mar 19 2012,
No worries. Thanks for continuing to bang on this one.
Mar 20 2012,
Attaching testcase and here is a new ASan log:
=================================================================
==4607== ERROR: AddressSanitizer heap-use-after-free on address 0x7fc65ad84c88 at pc 0x7fc6786ffaa9 bp 0x7fffd98b71d0 sp 0x7fffd98b71c8
READ of size 8 at 0x7fc65ad84c88 thread T0
    #0 0x7fc6786ffaa9 in WebCore::toV8(WebCore::CSSStyleSheet*) ???:0
    #1 0x7fc67339b48e in v8::internal::JSObject::GetElementWithInterceptor(v8::internal::Object*, unsigned int) /media/Chromium/chromium/depot_tools/src/v8/src/objects.cc:10097
    #2 0x7fc6734f6004 in v8::internal::Runtime::GetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) /media/Chromium/chromium/depot_tools/src/v8/src/runtime.cc:4182
    #3 0x7fc6737d93fc in v8::internal::KeyedLoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, bool) /media/Chromium/chromium/depot_tools/src/v8/src/ic.cc:1195
    #4 0x7fc6737e4cd5 in v8::internal::KeyedLoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) /media/Chromium/chromium/depot_tools/src/v8/src/ic.cc:1987
    #5 0x226d1c0614e
    #6 0x226d1c45020
    #7 0x226d1c22647
    #8 0x226d1c11137
    #9 0x7fc6730db278 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) /media/Chromium/chromium/depot_tools/src/v8/src/execution.cc:118
    #10 0x7fc673025586 in v8::Script::Run() /media/Chromium/chromium/depot_tools/src/v8/src/api.cc:1588
    #11 0x7fc674d4aa03 in WebCore::V8Proxy::runScript(v8::Handle<v8::Script>) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:382
    #12 0x7fc674d49bab in WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/bindings/v8/V8Proxy.cpp:353
    #13 0x7fc675576da7 in ~Scope /media/Chromium/chromium/depot_tools/src/v8/include/v8.h:3577
    #14 0x7fc6753b0d68 in WebCore::InspectorInstrumentation::hasFrontends() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:225
    #15 0x7fc6749c05d8 in WebCore::ThreadTimers::sharedTimerFiredInternal() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
    #16 0x7fc6725e9256 in base::Callback<void ()()>::Run() const /media/Chromium/chromium/depot_tools/src/./base/callback.h:272
    #17 0x7fc6725e9ab8 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:470
    #18 0x7fc6725eada9 in MessageLoop::DoWork() /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:660
    #19 0x7fc6725f5277 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /media/Chromium/chromium/depot_tools/src/base/message_pump_default.cc:28
    #20 0x7fc6725e7e1e in MessageLoop::RunInternal() /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:418
    #21 0x7fc6725e600f in ~AutoRunState /media/Chromium/chromium/depot_tools/src/base/message_loop.cc:745
    #22 0x7fc6779c1b5c in RendererMain(content::MainFunctionParams const&) /media/Chromium/chromium/depot_tools/src/content/renderer/renderer_main.cc:241
    #23 0x7fc67253e4b6 in RunZygote /media/Chromium/chromium/depot_tools/src/content/app/content_main_runner.cc:245
    #24 0x7fc67253ca2a in content::ContentMain(int, char const**, content::ContentMainDelegate*) /media/Chromium/chromium/depot_tools/src/content/app/content_main.cc:35
    #25 0x7fc670fa3c97 in ChromeMain /media/Chromium/chromium/depot_tools/src/chrome/app/chrome_main.cc:32
    #26 0x7fc670fa3beb in main /media/Chromium/chromium/depot_tools/src/chrome/app/chrome_exe_main_gtk.cc:18
    #27 0x7fc66a3b3d8e in __libc_start_main /build/buildd/eglibc-2.12.1/csu/libc-start.c:258
0x7fc65ad84c88 is located 8 bytes inside of 144-byte region [0x7fc65ad84c80,0x7fc65ad84d10)
freed by thread T0 here:
    #0 0x7fc678d439d2 in operator delete(void*) ??:0
    #1 0x7fc673136b39 in v8::internal::RuntimeProfiler::IsEnabled() /media/Chromium/chromium/depot_tools/src/v8/src/runtime-profiler.h:50
previously allocated by thread T0 here:
    #0 0x7fc678d43852 in operator new(unsigned long) ??:0
    #1 0x7fc676655fe4 in WebCore::SVGStyleElement::create(WebCore::QualifiedName const&, WebCore::Document*, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/SVGStyleElement.cpp:51
    #2 0x7fc6763fcf79 in WTF::PassRefPtr<WebCore::SVGStyleElement>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #3 0x7fc6763f6728 in WTF::PassRefPtr<WebCore::SVGElement>::operator WebCore::SVGElement* WTF::PassRefPtr<WebCore::SVGElement>::*() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:82
    #4 0x7fc6740eb7c8 in WTF::PassRefPtr<WebCore::SVGElement>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #5 0x7fc6754cc4fa in WTF::PassRefPtr<WebCore::Element>::leakRef() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:161
    #6 0x7fc6742fd3b6 in xmlParseStartTag2 /media/Chromium/chromium/depot_tools/src/third_party/libxml/src/parser.c:9126
    #7 0x7fc6743061c9 in xmlParseTryOrFinish /media/Chromium/chromium/depot_tools/src/third_party/libxml/src/parser.c:10847
    #8 0x7fc67430395c in xmlParseChunk /media/Chromium/chromium/depot_tools/src/third_party/libxml/src/parser.c:11625
    #9 0x7fc6754cac50 in WebCore::DocumentParser::isStopped() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/dom/DocumentParser.h:69
    #10 0x7fc6754c4965 in ~RefPtr /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:58
    #11 0x7fc678358279 in ~Deque /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/Deque.h:370
    #12 0x7fc6752a0e9f in WebCore::DocumentLoader::commitData(char const*, unsigned long) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:327
    #13 0x7fc67403b618 in WebKit::FrameLoaderClientImpl::committedLoad(WebCore::DocumentLoader*, char const*, int) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebKit/chromium/src/FrameLoaderClientImpl.cpp:1137
    #14 0x7fc6752a0abc in WebCore::DocumentLoader::commitLoad(char const*, int) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:313
    #15 0x7fc67533622e in WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/ResourceLoader.cpp:292
    #16 0x7fc675313450 in WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/loader/MainResourceLoader.cpp:464
    #17 0x7fc67533791b in WebCore::InspectorInstrumentation::hasFrontends() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:225
    #18 0x7fc673af77f2 in ResourceDispatcher::OnReceivedData(IPC::Message const&, int, base::FileDescriptor, int, int) /media/Chromium/chromium/depot_tools/src/content/common/resource_dispatcher.cc:404
    #19 0x7fc673af5f45 in ResourceDispatcher::DispatchMessage(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/./content/common/resource_messages.h:155
    #20 0x7fc673af4290 in ResourceDispatcher::OnMessageReceived(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/content/common/resource_dispatcher.cc:326
    #21 0x7fc6739ee75f in ChildThread::OnMessageReceived(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/content/common/child_thread.cc:172
    #22 0x7fc672700e13 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) /media/Chromium/chromium/depot_tools/src/ipc/ipc_channel_proxy.cc:268
==4607== ABORTING

Mar 21 2012,
Unfortunately cluster-fuzz still isn't giving us any information, so your ASAN stack trace is still the most information we have. I can reproduce this fairly easily in debug on Windows, however. It looks like a CSSStyleSheet object has a stale pointer in m_ownerNode. Ax330d's ASAN dump says it is freed by the runtime profiler? arv can you have a peek at this again?

Mar 21 2012,
Assigning to arv, since he's been looking at it up to this point and it should really get attention since it's a reproducible crash. If you need any V8 help, please let me know.

Apr 8 2012,
This seems to have stalled. It looks like high-severity based on the report. @arv - Are you working on this, and if not, do you know who should be?

Apr 9 2012,
I'll look at it again. The test case seems to do a lot of things that should not matter. I'll see if I can repro this in ASAN and scale back the test further.

Apr 9 2012,
One more thing. This is not a binding issue. It's just a use-after-free.

Apr 9 2012,
It seems like the timer is calling on an SVG element that has already been freed?

Apr 9 2012,
My gut feeling is that we are not correctly invalidating the StyleSheetList when we removed the nodes.

Apr 9 2012,
I managed to reduce this further. It no longer uses a range and it now uses an HTML file (SVGStyleElement has the same removeFromDocument as HTMLStyleElement).

Apr 10 2012,
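An added illustration, not WebKit's code and not the fix that later landed in WebKit: it models the lifetime problem cdn and arv describe above (a CSSStyleSheet whose raw owner-node back-pointer outlives the style element that created it, while a document-level StyleSheetList keeps the sheet alive for a later timer or JS property access) next to the defensive invariant of clearing that back-pointer when the owner goes away. Node, StyleSheet, StyleSheetList and clearOwnerNode here are simplified stand-ins I assume for the WebKit classes named in the traces, not their real definitions.

```cpp
#include <cstdint>
#include <memory>
#include <vector>

struct Node;

// Stand-in for CSSStyleSheet: keeps a raw, non-owning back-pointer to the
// element that created it (the m_ownerNode cdn points at in the thread).
struct StyleSheet {
    Node* ownerNode = nullptr;
    void clearOwnerNode() { ownerNode = nullptr; }
};

// Stand-in for HTMLStyleElement / SVGStyleElement: holds a share of its sheet,
// and the sheet points back at it.
struct Node {
    std::shared_ptr<StyleSheet> sheet;
    bool clearBackPointerOnDestroy;   // hardened behaviour, selectable for the demo

    explicit Node(bool hardened)
        : sheet(std::make_shared<StyleSheet>()), clearBackPointerOnDestroy(hardened) {
        sheet->ownerNode = this;
    }
    ~Node() {
        // Hardened variant: break the back-pointer before the element's memory
        // goes away, so a later consumer sees "no owner" instead of freed memory.
        if (clearBackPointerOnDestroy)
            sheet->clearOwnerNode();
    }
};

// Stand-in for StyleSheetList: a document-level container that keeps sheets
// alive after the element that created them has been removed and destroyed.
struct StyleSheetList {
    std::vector<std::shared_ptr<StyleSheet>> sheets;
};

// A consumer such as toV8(CSSStyleSheet*) reads the owner node to choose a
// wrapper context. This demo only returns the pointer's integer value and never
// dereferences it; the dereference is exactly what ASan reported in the traces.
std::uintptr_t ownerAddress(const StyleSheet& sheet) {
    return reinterpret_cast<std::uintptr_t>(sheet.ownerNode);
}

// Scenario from the thread: a style element is created, its sheet is registered
// in the list, the element is removed and destroyed, then a deferred task
// (timer callback / keyed property load) inspects the sheet. Returns true when
// the sheet still carries the destroyed element's address, i.e. it dangles.
bool sheetDanglesAfterOwnerDestroyed(bool hardened) {
    StyleSheetList list;
    std::uintptr_t freedAddress = 0;
    {
        auto element = std::make_unique<Node>(hardened);
        list.sheets.push_back(element->sheet);   // the list outlives the element
        freedAddress = reinterpret_cast<std::uintptr_t>(element.get());
    }   // element destroyed here, as when it is removed from the document
    std::uintptr_t seen = ownerAddress(*list.sheets.front());
    return seen != 0 && seen == freedAddress;
}

int main() {
    // Unhardened: the sheet still points at the freed element. Hardened: null.
    bool ok = sheetDanglesAfterOwnerDestroyed(false) && !sheetDanglesAfterOwnerDestroyed(true);
    return ok ? 0 : 1;
}
```

Building the unhardened variant with -fsanitize=address and adding a real dereference of ownerNode in ownerAddress reproduces the heap-use-after-free report shape seen above, with the allocation site in the element's constructor and the free at its destruction.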
https://bugs.webkit.org/show_bug.cgi?id=83605

Apr 10 2012,
Apr 11 2012,
http://trac.webkit.org/changeset/113887

Apr 22 2012,
Does anyone happen to know if this affects M18 stable? Or is it just an M19 regression?

Apr 24 2012,
Thanks Ax330d for finally getting an awesome repro to reproduce this bug. It was really helpful to see the root problem. This qualifies for a $1000 Chromium Security Reward.

Apr 24 2012,
Apr 30 2012,
M19: http://trac.webkit.org/changeset/115611

May 10 2012,
May 15 2012,
Updating status to Fixed on security bugs which were fixed when m19 went to stable.

Oct 13 2012, Project Member
This issue has been closed for some time. No one will pay attention to new comments. If you are seeing this bug or have new data, please click New Issue to start a new bug.

Mar 10 2013, Project Member
Jun 14 2016, Project Member
Oct 1 2016, Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by cdn@chromium.org, Mar 16 2012
Status: Available