Issue 194749


Issue metadata

Status: Verified
Closed: Mar 2013
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security


REGRESSION: Chrome crashed while launching Bejeweled game

Reported by (Project Member), Mar 14 2013

Issue description

Chrome Version       : 27.0.1349.0
URLs (if applicable) :
Other browsers tested: NA

What steps will reproduce the problem?
1. Open chrome version 27.0.1349.0 on Win7 and add the game 'Bejeweled' from Chrome Web Store.
2. Launch the game from new tab page.

What is the expected result?

Game should load properly and the user should be able to play it.

What happens instead?

Chrome crashed.

Crash ID: b9f12d46e6eb9f34, 256e07e66575efeb

Bisect info:

Good build: 27.0.1430.0
Bad build:  27.0.1433.0

You are probably looking for a change made after 186727 (known good), but no later than 186743 (first known bad).


Comment 1 by, Mar 14 2013

Crash reproducible on Linux Ubuntu 12.04 Precise for Chrome 27.0.1439.0. Crash id: 266f77f886617693

Daisy for Chrome 27.0.1439.3: Keeps spinning with Error on Console: Uncaught TypeError: Object 0 has no method 'O'

Mac 10.8.2: works as expected. No crash/spinning.

Comment 2 by, Mar 14 2013

Can you please put the crash ID here so I can have a stack.

Comment 3 by, Mar 14 2013

nm, I see it :)

Comment 4 by, Mar 14 2013

Status: Assigned
This is V8 and I see a roll in there.

Comment 5 by, Mar 15 2013


Comment 6 by, Mar 15 2013

It reproduces on linux 64 with TOT:

# Fatal error in v8/src/objects-inl.h, line 3550
# CHECK((ExtractKindFromFlags(flags) != CALL_IC && ExtractKindFromFlags(flags) != KEYED_CALL_IC) || ExtractArgumentsCountFromFlags(flags) >= 0) failed

#0  v8::internal::OS::DebugBreak () at v8/src/
#1  0x0000555557ea2803 in v8::internal::OS::Abort () at v8/src/
#2  0x0000555557ae62be in V8_Fatal (file=0x55555c3a0cc0 "v8/src/objects-inl.h", line=3550, 
    format=0x55555c39f7e8 "CHECK(%s) failed") at v8/src/
#3  0x0000555557ba6e0f in v8::internal::Code::set_flags (this=0x3e437fb51581, flags=-1241250944) at v8/src/objects-inl.h:3548
#4  0x0000555557b918eb in v8::internal::Heap::CreateCode (this=0x7ffff7e69030, desc=..., flags=-1241250944, 
    self_reference=..., immovable=false) at v8/src/
#5  0x0000555557b463b8 in v8::internal::Factory::NewCode (this=0x7ffff7e69020, desc=..., flags=-1241250944, self_ref=..., 
    immovable=false) at v8/src/
#6  0x0000555557da4bba in v8::internal::StubCompiler::GetCodeWithFlags (this=0x7fffffff92c0, flags=-1241250944, 
    name=0x55555c3ee412 "CompileCallInitialize") at v8/src/
#7  0x0000555557da4052 in v8::internal::StubCompiler::CompileCallInitialize (this=0x7fffffff92c0, flags=-1241250944)
    at v8/src/
#8  0x0000555557da1e54 in v8::internal::StubCache::ComputeCallInitialize (this=0x2746ca7b020, argc=23298, 
    mode=v8::internal::RelocInfo::CODE_TARGET, kind=v8::internal::Code::CALL_IC) at v8/src/
#9  0x0000555557da1ec1 in v8::internal::StubCache::ComputeCallInitialize (this=0x2746ca7b020, argc=23298, 
    mode=v8::internal::RelocInfo::CODE_TARGET) at v8/src/
#10 0x0000555557e18859 in v8::internal::FullCodeGenerator::EmitCallWithIC (this=0x7fffffff9a20, expr=0x2746dd95858, name=..., 
    mode=v8::internal::RelocInfo::CODE_TARGET) at v8/src/x64/
#11 0x0000555557e197c9 in v8::internal::FullCodeGenerator::VisitCall (this=0x7fffffff9a20, expr=0x2746dd95858)
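
The CHECK in the trace above guards a packed "flags" word whose argument-count field has wrapped into the sign bit. The following added example (not V8's code or its real bit layout; the field positions, names and the 12-bit count width are assumptions) models the same failure with the argc value 23298 from frame #8 and shows the check that rejects the count before it is encoded:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, NOT V8's real layout: code kind in the low 4 bits,
 * argument count in the top 12 bits of a signed 32-bit flags word. */
enum { KIND_CALL_IC = 3, KIND_KEYED_CALL_IC = 4, KIND_STORE_IC = 9 };

#define KIND_MASK   0xFu
#define ARGC_SHIFT  20
#define ARGC_BITS   12
#define ARGC_LIMIT  (1 << (ARGC_BITS - 1))  /* counts >= 2048 set bit 31 */

/* Unchecked packer: a count wider than the field is silently truncated and
 * its high bit lands in the sign bit of the word. */
static int32_t pack_flags_unchecked(int kind, int argc) {
    uint32_t raw = ((uint32_t)argc << ARGC_SHIFT) | ((uint32_t)kind & KIND_MASK);
    return (int32_t)raw;
}

static int extract_kind(int32_t flags) { return (int)((uint32_t)flags & KIND_MASK); }

/* Arithmetic shift on the signed word: an overflowed count reads back negative. */
static int extract_argc(int32_t flags) { return (int)(flags >> ARGC_SHIFT); }

/* The invariant from the CHECK in the trace: call ICs carry a non-negative count. */
static bool flags_are_consistent(int32_t flags) {
    int kind = extract_kind(flags);
    return (kind != KIND_CALL_IC && kind != KIND_KEYED_CALL_IC) || extract_argc(flags) >= 0;
}

/* Hardened packer: validate the count up front instead of relying on a downstream
 * CHECK. Returns false and leaves *out untouched when the count does not fit. */
static bool pack_flags_checked(int kind, int argc, int32_t *out) {
    if (argc < 0 || argc >= ARGC_LIMIT) return false;
    *out = pack_flags_unchecked(kind, argc);
    return true;
}

int main(void) {
    int32_t good = pack_flags_unchecked(KIND_CALL_IC, 2);
    int32_t bad = pack_flags_unchecked(KIND_CALL_IC, 23298);  /* argc seen in frame #8 */
    printf("argc=2     -> flags=%d argc=%d consistent=%d\n", good, extract_argc(good), flags_are_consistent(good));
    printf("argc=23298 -> flags=%d argc=%d consistent=%d\n", bad, extract_argc(bad), flags_are_consistent(bad));
    int32_t checked;
    printf("checked packer accepts 23298: %d\n", pack_flags_checked(KIND_CALL_IC, 23298, &checked));
    return 0;
}
```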

Comment 7 by, Mar 15 2013

Bisected to r13850 [Unify grow mode and stub kind].

Comment 8 by, Mar 16 2013

Issue 196552 has been merged into this issue.

Comment 9 by, Mar 16 2013

Labels: -OS-Windows OS-All
Summary: REGRESSION: Chrome crashed while launching Bejeweled game (was: Chrome crashed while launching Bejeweled game)
Labels: -Type-Bug-Regression Type-Bug-Security
Taking over the issue. Marking as security issue since the argument count is overflowing. I haven't fully verified yet, but this can possibly be used to control the return address.
Labels: Security-Severity-High Security-Impact-None
Status: Fixed
Fixed in v8:13964, will be part of the next roll.
Status: Assigned
27.0.1444.3 is rolled to v8@13971, but the bug is still reproducible on this build.
pavanv: can you provide me steps to reproduce? What version are you running?

I just built 27.0.1446.0 on x64 Precise, which includes V8@13971 (3.17.12), and that loads the page just fine. I can also press play and play from there.
I just built a 32bit version on Linux, which also runs just fine.
Labels: -OS-All OS-Windows
It seems to be a Windows-only problem. Looking into it.
Status: Fixed
Now also fixed on Windows (and verified) in v8:13988.

Comment 18 by, Mar 19 2013

ty :)
Comment 19 by (Project Member), Mar 21 2013

Labels: Security_Severity-None
Comment 20 by (Project Member), Mar 21 2013

Labels: -Security-Impact-None Security_Impact-None
Comment 21 by (Project Member), Mar 21 2013

Labels: -Security-Severity-High -Security_Severity-None Security_Severity-High
Status: Verified
Marking this as verified, since the crash is not reproducible on latest dev - 27.0.1448.0 on Windows.
Comment 23 by (Project Member), Apr 5 2013

Labels: -Cr-Content Cr-Blink

Comment 25 by (Project Member), Jun 22 2016

Labels: -ReleaseBlock-Stable
Comment 26 by (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Comment 27 by (Project Member), Oct 1 2016

Labels: Restrict-View-SecurityNotify
Comment 28 by (Project Member), Oct 2 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
