
Issue 352982


Issue metadata

Status: Fixed
Owner:
Closed: Mar 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




CHECK failure in CHECK(object->map()->IsMap()) failed: ../src/heap-inl.h(818)

Reported by ClusterFuzz (Project Member), Mar 16 2014

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4782576220766208

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_v8_d8_be

Crash Type: CHECK failure
Crash Address: 
Crash State:
  - crash stack -
  CHECK(object->map()->IsMap()) failed: ../src/heap-inl.h(818)
  

Minimized Testcase (7.28 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95aGnYKBJ5JTrWxG80LL9qd10Why9aQ6LaYc-6_bcVOaxZILtl3iSJF_o5MqwOSfId09RkR4i2k2_2NjpVz58I3qennqh9zcLACef5qtHwszWI1noANTQ2lYCUyYmWPbBUX3xDcG5TzRR8ly67HuVODb0F0Ow
 

Comment 1 by danno@chromium.org, Mar 16 2014

Cc: yangguo@chromium.org
Owner: u...@chromium.org
Status: Assigned

Comment 2 by u...@chromium.org, Mar 17 2014

Cc: bmeu...@chromium.org danno@chromium.org
Labels: Restrict-View-SecurityTeam
I attached a reduced test case.

The problem is that the js_array parameter of BuildTransitionElementsKind is always true for TransitionElementsKindStub:
https://code.google.com/p/v8/codesearch#v8/trunk/src/code-stubs-hydrogen.cc&l=648

This leads to loading garbage as an array length from non-JSArray objects such as JSRegExp:
https://code.google.com/p/v8/codesearch#v8/trunk/src/hydrogen.cc&l=1412

This leads to out-of-bounds writes in BuildGrowElementsCapacity.

Attachment: transition-elements-regexp.js (369 bytes)
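The root cause described in comment 2, a js_array flag that is always true so a JSArray-only length field is read from objects that are not arrays, modelled in a toy C++ object model. This is an added illustration, not V8's code and not the attached test case: the types HeapObject, InstanceType, the functions MakeArray, MakeRegExp, BuggyLength, SafeLength and GrowElementsCapacity, and the field layout are all constructed for this example. The hardened variant derives the flag from the object's actual instance type and otherwise trusts the backing store's own length; that is one way to close the pattern, not a claim about what r20033 changed.

```cpp
#include <algorithm>
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed toy object model for illustration only; it is not V8's layout.
// `type` is the instance type, `elements` is the backing store (its size() is
// the trustworthy capacity), and `word2` is a field whose meaning depends on
// the type: a JSArray keeps its `length` there, while a JSRegExp keeps an
// unrelated value (flags, in this toy).
enum InstanceType : uint32_t { JS_ARRAY_TYPE = 1, JS_REGEXP_TYPE = 2 };

struct HeapObject {
    uint32_t type;
    std::vector<int32_t> elements;
    uint32_t word2;
};

HeapObject MakeArray(uint32_t length, size_t capacity) {
    return HeapObject{JS_ARRAY_TYPE, std::vector<int32_t>(capacity, 7), length};
}

HeapObject MakeRegExp(uint32_t flags, size_t capacity) {
    return HeapObject{JS_REGEXP_TYPE, std::vector<int32_t>(capacity, 7), flags};
}

// Number of elements that must be preserved on an elements-kind transition.
// Buggy pattern: the flag is hard-coded to true, so the JSArray-only field is
// read for every object kind and a regexp's flags word is taken as "length".
uint32_t BuggyLength(const HeapObject& obj) {
    const bool js_array = true;  // wrong: does not depend on obj.type
    return js_array ? obj.word2 : static_cast<uint32_t>(obj.elements.size());
}

// Hardened pattern: derive the flag from the object's actual instance type and
// fall back to the backing store's own length for everything else.
uint32_t SafeLength(const HeapObject& obj) {
    const bool js_array = obj.type == JS_ARRAY_TYPE;
    return js_array ? obj.word2 : static_cast<uint32_t>(obj.elements.size());
}

struct GrowResult {
    bool ok;                 // false when the copy would have run past the old store
    uint32_t copied;         // elements actually copied into the new store
    uint32_t out_of_bounds;  // slots an unchecked copy would have touched past the end
};

// Grow the backing store, copying `length_of(obj)` elements across. Copying
// more slots than the old store holds is the out-of-bounds access the report
// describes; this toy counts those slots instead of touching them.
GrowResult GrowElementsCapacity(HeapObject& obj,
                                uint32_t (*length_of)(const HeapObject&),
                                size_t new_capacity) {
    const uint32_t len = length_of(obj);
    const uint32_t old_capacity = static_cast<uint32_t>(obj.elements.size());
    if (len > old_capacity) {
        return GrowResult{false, 0, len - old_capacity};
    }
    std::vector<int32_t> fresh(new_capacity, 0);
    const size_t to_copy = std::min<size_t>(len, new_capacity);
    for (size_t i = 0; i < to_copy; ++i) fresh[i] = obj.elements[i];
    obj.elements.swap(fresh);
    return GrowResult{true, static_cast<uint32_t>(to_copy), 0};
}

int main() {
    // Constructed sample: a regexp whose flags word (0x00FF) sits where an
    // array's length would be, with a 4-slot backing store.
    HeapObject re = MakeRegExp(0x00FFu, 4);
    std::printf("regexp: buggy length %u, safe length %u\n",
                BuggyLength(re), SafeLength(re));
    GrowResult bad = GrowElementsCapacity(re, BuggyLength, 8);
    std::printf("grow with buggy length: ok=%d, slots past end=%u\n",
                bad.ok, bad.out_of_bounds);
    GrowResult good = GrowElementsCapacity(re, SafeLength, 8);
    std::printf("grow with safe length: ok=%d, copied=%u\n", good.ok, good.copied);
    return 0;
}
```

The point to take from the toy is the check a reviewer would want at the call site: a stub that can be reached with any receiver must not hard-code a receiver kind, and a length used to size a copy has to come from a field that exists on the object actually being transitioned.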
Labels: -Restrict-View-EditIssue -Type-Bug Type-Bug-Security Security_Severity-High
Thanks for taking a look at this. For security bugs, please change the type to Type-Bug-Security so that we can track them properly.
Labels: Security_Impact-Beta Security_Impact-Stable
This seems to affect stable and beta.
Issue 353692 has been merged into this issue.

Comment 6 by rsesek@chromium.org, Mar 19 2014

Labels: M-33 Cr-Blink-JavaScript
Labels: Merge-Requested
Status: Fixed
Seems to be fixed in r20033.

Ulan, can you confirm and keep an eye on this for back merges?

Comment 8 by u...@chromium.org, Mar 20 2014

Yes, it was fixed in 20033, will merge after we get canary coverage.

Comment 9 by ClusterFuzz, Mar 20 2014

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 10 by ClusterFuzz, Mar 24 2014

ClusterFuzz has detected this issue as fixed in latest custom build.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4782576220766208

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_v8_d8_be

Crash Type: CHECK failure
Crash Address: 
Crash State:
  - crash stack -
  CHECK(object->map()->IsMap()) failed: ../src/heap-inl.h(818)
  

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95aGnYKBJ5JTrWxG80LL9qd10Why9aQ6LaYc-6_bcVOaxZILtl3iSJF_o5MqwOSfId09RkR4i2k2_2NjpVz58I3qennqh9zcLACef5qtHwszWI1noANTQ2lYCUyYmWPbBUX3xDcG5TzRR8ly67HuVODb0F0Ow

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.


Comment 11 by ClusterFuzz, Mar 31 2014

Labels: -M-33 M-34

Comment 12 by dxie@google.com, Apr 1 2014

Has this been merged, v8 team?

Comment 13 by dxie@google.com, Apr 1 2014

Labels: -Merge-Requested Merge-Approved

Comment 14 by u...@chromium.org, Apr 1 2014

This was merged last week to M34 and M33:
- Version 3.24.35.20 (branches/3.24): https://code.google.com/p/v8/source/detail?r=20269
- Version 3.23.17.29 (branches/3.23): https://code.google.com/p/v8/source/detail?r=20274
Labels: -Merge-Approved Merge-merged-1750 Merge-merged-1847 Release-0-M34
Does this require a merge to M35 as well?

Comment 16 by u...@chromium.org, Apr 2 2014

It is already in M35.

Comment 17 by ClusterFuzz, Jun 26 2014

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 18 by ClusterFuzz, Feb 2 2016

Labels: -Security_Impact-Beta

Comment 19 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Comment 22 by sheriffbot@chromium.org, Jul 29

Labels: -Pri-2 Pri-1
