
Issue metadata

Status: Fixed
Closed: May 2012
OS: All
Pri: 1
Type: Bug-Security


Issue 128018: [LangFuzz] Crash in v8::internal::ShortCircuitConsString with invalid read

Reported by, May 14 2012

Issue description

The JavaScript code below crashes the d8 shell (tested on branch 3.10 revision 11522, which is in the latest Chromium dev 20.0.1132.3) with an invalid write to a strange address on the heap.

I was not able to get a trace in Chromium itself because my test uses gc() and I don't have a debug build available that allows using --expose-gc (does Google provide Linux debug builds for download?)

Chrome Version: 20.0.1132.3 dev (only tested through shell rev 11522)
Operating System: Ubuntu 12.04 64 bit

function KeyedStoreIC(a) { a[(1)] = Math.E; }
var literal = [1.2];
literal.length = 0;
literal.push('0' && 0 );

Type of crash: tab
Crash State:

Valgrind trace in d8:

==19952== Invalid read of size 8
==19952==    at 0x52E7BC: v8::internal::ShortCircuitConsString(v8::internal::Object**) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x5378A0: v8::internal::FlexibleBodyVisitor<v8::internal::StaticMarkingVisitor, v8::internal::FixedArray::BodyDescriptor, void>::Visit(v8::internal::Map*, v8::internal::HeapObject*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x53AD80: v8::internal::MarkCompactCollector::EmptyMarkingDeque() (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4FD6E5: v8::internal::Isolate::Iterate(v8::internal::ObjectVisitor*, v8::internal::ThreadLocalTop*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4A7388: v8::internal::Heap::IterateStrongRoots(v8::internal::ObjectVisitor*, v8::internal::VisitMode) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x53BA3F: v8::internal::MarkCompactCollector::MarkLiveObjects() (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x5404B8: v8::internal::MarkCompactCollector::CollectGarbage() (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4ABE07: v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::internal::GCTracer*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4AC623: v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollector, char const*, char const*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x4ACE6A: v8::internal::Heap::CollectAllGarbage(int, char const*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x46CC4E: v8::internal::GCExtension::GC(v8::Arguments const&) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==    by 0x43D1F7: v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) (in /scratch/holler/LangFuzz/v8-trunk/d8)
==19952==  Address 0x4005bf0a8b145768 is not stack'd, malloc'd or (recently) free'd

Comment 1 by, May 14 2012

Status: Assigned
Danno, can you please take a look?

Christian, you can download asanified chromium debug builds from

Comment 2 by, May 14 2012


Comment 3 by, May 15 2012

I am virtually positive that this is the same as chromium:117409, which was fixed on May 9th on V8 trunk but just rolled into Chromium today. I'll double check. It is also in Chrome 20 and Chrome 19, but not Chrome 18. I'm waiting for the merge until we verify that the fix is stable in Canary.

Comment 4 by, May 15 2012

I'm always testing on v8-trunk, not on the branches, and it reproduced for me on trunk when I reported it here.

Comment 5 by, May 15 2012

Looks like there's still a problem, this seems to be a new variant on the theme of 117409. Investigating.

Comment 6 by, May 15 2012

It is similar to, but a slightly different case from, 117409. Patch in progress; it will need to be merged back to 18 and 19. This bug allows you to reliably write the first element of a JSArray with any value that you can represent in the lower 32 bits of an IEEE double precision floating point number and later interpret as a tagged value, including as an object pointer.

Comment 7 by, May 15 2012


Comment 8 by, May 15 2012

Labels: SecSeverity-High SecImpacts-Stable SecImpacts-Beta reward-topanel

Comment 9 by, May 16 2012

Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals WebKit-JavaScript OS-All Mstone-19

Comment 10 by, May 16 2012

Danno, isn't 117409 a security bug too? We need the tracking flags.

Comment 11 by, May 16 2012

Yes, sorry, 117409 is also a security bug; I thought it was already marked so. I've changed it to restrict viewing to the security team and be typed as a Security bug. Chris, can you please work your magic on the other security labels?

Comment 12 by, May 21 2012

Fix has been committed to trunk/Canary and merged back to 3.10 ( and 3.9 (

Comment 13 by, May 21 2012

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased

Comment 14 by, May 21 2012

Labels: -Merge-Approved Merge-Merged

Comment 15 by, May 23 2012

Labels: -reward-topanel reward-1000 reward-unpaid
Nice find decoder. $1000

Comment 16 by, May 23 2012

Labels: CVE-2011-3115

Comment 17 by, May 24 2012

Status: Fixed
Fixed with the release of 19.0.1084.52

Comment 18 by, Jul 9 2012

Labels: -reward-unpaid

Comment 19 by, Sep 24 2012


Comment 20 by, Mar 10 2013

Project Member
Labels: -Type-Security -Area-Internals -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -WebKit-JavaScript -Mstone-19 M-19 Cr-Content-JavaScript Security-Impact-Stable Security-Impact-Beta Cr-Internals Security-Severity-High Type-Bug-Security

Comment 21 by, Mar 21 2013

Labels: -Restrict-View-SecurityNotify

Comment 22 by, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 23 by, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 24 by, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 25 by, Apr 6 2013

Project Member
Labels: Cr-Blink

Comment 26 by, Apr 6 2013

Project Member
Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript

Comment 27 by, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 28 by, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 29 by, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 30 by, Oct 2 2016

Labels: allpublic

Comment 31 by, Apr 25 2018

Labels: CVE_description-submitted
