
Issue metadata

Status: Fixed
Owner:
Closed: Mar 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




CHECK failure in CHECK(object->map()->IsMap()) failed: ../src/heap-inl.h(833)

Reported by ClusterFuzz (Project Member), Mar 10 2014

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5780358435962880

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_v8_d8_stress_deopt_compact

Crash Type: CHECK failure
Crash Address: 
Crash State:
  - crash stack -
  CHECK(object->map()->IsMap()) failed: ../src/heap-inl.h(817)
  

Minimized Testcase (6.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97xo-JSJGmNWcyI49PzIY8rZI5cf8azZbRN9PZBsE3xq6jDd2vJzqdJgEQ8M7KCE8WeeT2olruhkuhdByMx6zlRCdMwDUfdaXcq36WK62kC4rzRmJT1hxtRW99jaJJt4GPguoxP5tueifH3ysZ4_k_NLoGQjA
 

Comment 1 by danno@chromium.org, Mar 10 2014

Cc: danno@chromium.org dslomov@chromium.org
Owner: hpayer@chromium.org
Status: Assigned

Comment 2 by hpayer@chromium.org, Mar 12 2014

Manually minified testcase

// d8 test case: run with --expose-gc (for gc()) and --allow-natives-syntax
// (for %OptimizeFunctionOnNextCall).
var __v_6 = /abc/;
var __v_7 = new Int32Array(1024);
var __v_8 = new Int32Array(128);

function __f_8(__v_7, base, condition) {
  __v_7 = __v_6;  // the typed-array argument is replaced by the RegExp object
  __v_7[base + 3] = 3;
  __v_7[base + 2] = 4;
  __v_7[base + 4] = 4;
  if (condition) {
    __v_7[base + 1] = 1;
    __v_7[base + 7] = 2;
  } else {
    __v_7[base + 6] = 1;
    __v_7[base + 18] = 3;
  }
}

__f_8(__v_7, 1, true);   // warm up both branches in unoptimized code
__f_8(__v_7, 1, false);
gc();
%OptimizeFunctionOnNextCall(__f_8);
__f_8(__v_8, 5, false);  // optimized call with a different base index

Comment 3 by hpayer@chromium.org, Mar 12 2014

Bisected it back to r12715 "Reland r12342: Flush monomorphic ICs on context disposal instead of context exit."

Comment 4 by hpayer@chromium.org, Mar 12 2014

Cc: u...@chromium.org

Comment 5 by u...@chromium.org, Mar 12 2014

It is a bug in bounds check elimination: we do not emit a bounds check for __v_7[base + 18] = 3;

The test does not crash with --noarray_bounds_checks_elimination

Comment 6 by u...@chromium.org, Mar 12 2014

Cc: -u...@chromium.org hpayer@chromium.org
Labels: Restrict-View-SecurityTeam
Owner: u...@chromium.org

Comment 7 by ClusterFuzz (Project Member), Mar 14 2014

ClusterFuzz has detected this issue as fixed in latest custom build.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5780358435962880

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_v8_d8_stress_deopt_compact

Crash Type: CHECK failure
Crash Address: 
Crash State:
  - crash stack -
  CHECK(object->map()->IsMap()) failed: ../src/heap-inl.h(817)
  

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97xo-JSJGmNWcyI49PzIY8rZI5cf8azZbRN9PZBsE3xq6jDd2vJzqdJgEQ8M7KCE8WeeT2olruhkuhdByMx6zlRCdMwDUfdaXcq36WK62kC4rzRmJT1hxtRW99jaJJt4GPguoxP5tueifH3ysZ4_k_NLoGQjA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 8 by hpayer@chromium.org, Mar 14 2014

Cc: bmeu...@chromium.org
Minified repro:

var a = {};
function f(x, condition) {
  a[x + 2] = 4;
  a[x + 4] = 5;
  if (condition) {
    a[x + 0] = 1;
    a[x + 6] = -11;
  } else {
    a[x + 0] = 1;
    a[x + 16] = -4;
  }
}
f(1, true);    // warm up both branches in unoptimized code
f(1, false);
gc();
%OptimizeFunctionOnNextCall(f);
f(6, false);   // optimized call with a different base index
gc();          // the collector walks the heap; the CHECK in heap-inl.h fires if an object was corrupted

Run with: --expose-gc --allow-natives-syntax --verify-heap
Note that this bug is still present in bleeding_edge, even though ClusterFuzz detected this issue as fixed.
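The diagnosis in comment 5 (a bounds check elimination bug that dropped the check for the larger store in the else branch) is easier to follow with a toy model of the dominance rule such an optimization must respect. The following is an added example, not V8's code or anything posted in this thread; `bceBlock`, `cloneScope`, `reproShape` and `reproChecks` are names chosen here, and the access list mirrors the comment 8 repro with two constructed extra accesses.

```javascript
// Added illustration, not V8's code: a minimal model of bounds-check
// elimination (BCE) for keyed accesses of the form arr[base + off].
// A check is redundant only when a check on the same (arr, base) that
// DOMINATES the access already covers an offset range containing off.
function cloneScope(scope) {
  // Deep copy: range objects must not be shared between if/else arms.
  return new Map([...scope].map(([k, r]) => [k, { lo: r.lo, hi: r.hi }]));
}

function bceBlock(block, scope = new Map()) {
  const checked = [];  // accesses that still need a new or widened check
  for (const node of block) {
    if (node.branch) {
      // Each arm sees only the dominating checks; widening done inside an
      // arm is never visible to the sibling arm and is dropped at the merge.
      for (const arm of node.branch) {
        checked.push(...bceBlock(arm, cloneScope(scope)));
      }
      continue;
    }
    const key = `${node.arr}[${node.base}`;
    const range = scope.get(key);
    if (range && node.off >= range.lo && node.off <= range.hi) {
      continue;  // dominated and inside the checked range: eliminated
    }
    if (range) {  // widen the dominating check instead of adding one
      range.lo = Math.min(range.lo, node.off);
      range.hi = Math.max(range.hi, node.off);
    } else {
      scope.set(key, { lo: node.off, hi: node.off });
    }
    checked.push(`${key}+${node.off}]`);
  }
  return checked;
}

// Access pattern of the minified repro in comment 8, plus two constructed
// accesses: x+3 before the branch and x+6 after the merge.
const A = (off) => ({ arr: 'a', base: 'x', off });
const reproShape = [
  A(2), A(4),
  A(3),  // constructed: inside [2, 4], so its check is eliminated
  { branch: [[A(0), A(6)], [A(0), A(16)]] },
  A(6),  // constructed: the then-arm's x+6 check does not dominate here
];

function reproChecks() {
  return bceBlock(reproShape);
}
```

In this model the store at `a[x + 16]` in the else arm is dominated only by the checks made before the branch, so it keeps its own check; the thread's bug is that the optimizer did not emit that check.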

Comment 11 by u...@chromium.org, Mar 14 2014

Uploaded a fix: https://codereview.chromium.org/197823009/

Comment 12 by u...@chromium.org, Mar 14 2014

Status: Fixed
Fixed in r19923

Comment 13 by ClusterFuzz (Project Member), Mar 19 2014

Summary: CHECK failure in CHECK(object->map()->IsMap()) failed: ../src/heap-inl.h(833) (was: CHECK failure in CHECK(object->map()->IsMap()) failed: ../src/heap-inl.h(817))
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6229681061756928

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_v8_d8_be

Crash Type: CHECK failure
Crash Address: 
Crash State:
  - crash stack -
  CHECK(object->map()->IsMap()) failed: ../src/heap-inl.h(833)
  

Minimized Testcase (1.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94LL6_ZTAR6uiaSvh0S4WirE0CpGn2CwzPOvyepcslxtQTo491qliYF--Jj0uALrixZoUSWP1F-ECAgV1kuZe_wNGR5cPvetBvkoO-bfElUy4kCuDLLpNmFr-3N4AnFp7dUPBguH2r9PV-jIYEhiPlVGIr55A


Comment 14 by danno@chromium.org, Mar 19 2014

Status: Assigned
This is still happening in 20025 (see the CF report from #13)

Comment 15 by u...@chromium.org, Mar 19 2014

Status: Fixed
It is using a regression test that I checked in at https://code.google.com/p/v8/source/detail?r=20033:
%SetFlags("--gc-interval=389 --deopt-every-n-times=51");
// /v8/test/mjsunit/regress/regress-352982.js

I checked that it crashes before 20033 and doesn't crash in 20033.
Labels: -Type-Bug Type-Bug-Security Security_Severity-High Security_Impact-Stable Security_Impact-Beta
Setting impact labels based on comment #3.

Comment 17 by ClusterFuzz (Project Member), Mar 20 2014

Labels: -Restrict-View-SecurityTeam M-33 Merge-Triage Restrict-View-SecurityNotify M-34
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -M-33 -Merge-Triage Merge-Requested

Comment 19 by dxie@google.com, Mar 26 2014

Labels: -Merge-Requested Merge-Approved
ulan@ - can you please merge this to M34?

Comment 21 by u...@chromium.org, Apr 1 2014

Merged in V8 branches corresponding to M34 and M33:

- Version 3.24.35.22 (branches/3.24):
https://code.google.com/p/v8/source/detail?r=20378

- Version 3.23.17.31 (branches/3.23): 
https://code.google.com/p/v8/source/detail?r=20380
Labels: -Merge-Approved Merge-merged-1750 Merge-merged-1847 Release-0-M34
Thanks ulan@ - do you need to also merge this to M35 or was it before the branch point?

Comment 23 by u...@chromium.org, Apr 2 2014

It is already in M35.

Comment 24 by ClusterFuzz (Project Member), Jun 25 2014

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 25 by ClusterFuzz (Project Member), Feb 2 2016

Labels: -Security_Impact-Beta

Comment 26 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Comment 29 by sheriffbot@chromium.org (Project Member), Jul 29

Labels: -Pri-2 Pri-1
