New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 0 users

Issue metadata

Status: Fixed
Closed: Apr 2014
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Sign in to add a comment

UNKNOWN in v8::internal::HeapObject::map_word

Project Member Reported by ClusterFuzz, Mar 31 2014

Issue description

Detailed report:

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_asan_d8

Crash Type: UNKNOWN
Crash Address: 0x00009fff8000
Crash State:
  - crash stack -

Minimized Testcase (5.13 Kb):
Does anyone know who a good owner for this might be?

Minimized repro:

var __v_7 = {};
function __f_1() { return 1; };
function __f_7(__v_7,y) { return (__v_7.x++) + y; }
for (var __v_6 = 0; __v_6 < 5; ++__v_6) {
  __v_7.__defineGetter__('x', function() { gc(); return __f_1(__v_7); });
  __f_7(__v_7, 1);
  __f_7(__v_7, 1);
  __f_7(__v_7, 1);
Project Member

Comment 2 by ClusterFuzz, Mar 31 2014

Labels: Pri-1 M-34
Project Member

Comment 3 by ClusterFuzz, Mar 31 2014

Labels: ReleaseBlock-Stable

Comment 4 by, Mar 31 2014

Status: Assigned
Looks string related, assigning to Yang. I could only repro on x64, here's the crashing stack trace:

#0  ShortCircuitConsString (p=0x7fffffffd1b8) at ../src/
#1  v8::internal::RootMarkingVisitor::MarkObjectByPointer (this=0x7fffffffc2b0, p=0x7fffffffd1b8) at ../src/
#2  0x000000000086ddcd in MarkObjectByPointer (p=0x7fffffffd1b8, this=<optimized out>) at ../src/
#3  v8::internal::RootMarkingVisitor::VisitPointers (this=0x7fffffffc2b0, start=<optimized out>, end=0x7fffffffd1d0) at ../src/
#4  0x00000000007209a3 in v8::internal::JavaScriptFrame::Iterate (this=0x7fffffffbfd0, v=0x7fffffffc2b0) at ../src/
#5  0x000000000081aa81 in v8::internal::Isolate::Iterate (this=0x1b60030, v=0x7fffffffc2b0, thread=0x1b63438) at ../src/
#6  0x000000000076f5f9 in v8::internal::Heap::IterateStrongRoots (this=0x1b60050, v=0x7fffffffc2b0, mode=v8::internal::VISIT_ONLY_STRONG) at ../src/
#7  0x000000000086e2cc in v8::internal::MarkCompactCollector::MarkRoots (this=0x1b62e78, visitor=0x7fffffffc2b0) at ../src/
#8  0x0000000000875251 in v8::internal::MarkCompactCollector::MarkLiveObjects (this=0x1b62e78) at ../src/
#9  0x0000000000879247 in v8::internal::MarkCompactCollector::CollectGarbage (this=0x1b62e78) at ../src/
#10 0x0000000000762265 in v8::internal::Heap::MarkCompact (this=0x1b60050, tracer=0x7fffffffc510) at ../src/
#11 0x000000000077d713 in v8::internal::Heap::PerformGarbageCollection (this=0x1b60050, collector=v8::internal::MARK_COMPACTOR, tracer=0x7fffffffc510, gc_callback_flags=v8::kGCCallbackFlagForced) at ../src/
#12 0x000000000077e08a in v8::internal::Heap::CollectGarbage (this=0x1b60050, collector=v8::internal::MARK_COMPACTOR, gc_reason=0xcca530 "Isolate::RequestGarbageCollection", collector_reason=<optimized out>, gc_callback_flags=v8::kGCCallbackFlagForced)
    at ../src/
#13 0x000000000077e539 in CollectGarbage (callbackFlags=v8::kGCCallbackFlagForced, gc_reason=0xcca530 "Isolate::RequestGarbageCollection", space=v8::internal::OLD_POINTER_SPACE, this=0x1b60050) at ../src/heap-inl.h:559
#14 v8::internal::Heap::CollectAllGarbage (this=<optimized out>, flags=<optimized out>, gc_reason=0xcca530 "Isolate::RequestGarbageCollection", gc_callback_flags=<optimized out>) at ../src/
#15 0x000000000062ca2c in v8::Isolate::RequestGarbageCollectionForTesting (this=0x1b60030, type=v8::Isolate::kFullGarbageCollection) at ../src/
#16 0x0000000000af3b05 in v8::internal::FunctionCallbackArguments::Call (this=0x7fffffffc780, f=0x6f4190 <v8::internal::GCExtension::GC(v8::FunctionCallbackInfo<v8::Value> const&)>) at ../src/
#17 0x000000000067402f in HandleApiCallHelper<false> (isolate=0x1b60030, args=...) at ../src/
#18 Builtin_Impl_HandleApiCall (isolate=0x1b60030, args=...) at ../src/
#19 v8::internal::Builtin_HandleApiCall (args_length=2, args_object=0x7fffffffc8a0, isolate=0x1b60030) at ../src/

Project Member

Comment 5 by ClusterFuzz, Mar 31 2014

Labels: Security_Impact-Stable
Even shorter repro:

var o = {};
function f(a, b) { return b + (a.x++); }
o.__defineGetter__('x', function() { gc(); return 1; });
assertEquals(2, f(o, 1));
assertEquals(2, f(o, 1));
assertEquals(2, f(o, 1));

Crashing in GC is just a result of wrong optimized code. This only happens on x64.
r19684 briefly fixed this issue, but got reverted in r19709
Bisected to r17863 "Constant-folding through HForceRepresentation fix."
Alternative repro. No GC required.

var o = {};
function f(a, b) { return b + (a.x++); }
o.__defineGetter__('x', function() { return 1; });
assertEquals(3, f(o, 2));
assertEquals(3, f(o, 2));
assertEquals(3, f(o, 2));
The increment a.x++ gets compiled to

                  ;;; <@32,#33> check-smi
0x3594b9e60982    98  a801           test al,0x1             ;; debug: position 40
0x3594b9e60984   100  0f851b000000   jnz 133  (0x3594b9e609a5)
                  ;;; <@34,#28> add-i
0x3594b9e6098a   106  4883c001       REX.W addq rax,0x1
0x3594b9e6098e   110  0f8016000000   jo 138  (0x3594b9e609aa)

We are adding an untagged constant 1 to the smi-tagged value in rax.
Labels: Arch-x86_64
Labels: Merge-Requested
Fixed in r20409. Merges needed to M34 and M35

Comment 14 by, Apr 1 2014

Labels: -Merge-Requested Merge-Approved
pinged yangguo@ on chat to merge.
Status: Fixed
Danno@, can you please help to merge this asap. We have to cut a build soon.
Project Member

Comment 17 by ClusterFuzz, Apr 1 2014

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Merge-Triage
Talked to Danno@, we are waiting for canary coverage and will merge it later and be taken up in M34 patch1
Labels: -Merge-Approved -Merge-Triage Merge-Merged
Merged to M34 (V8 r20504).	
Labels: Release-0-M34
Project Member

Comment 22 by ClusterFuzz, Jul 8 2014

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member

Comment 23 by ClusterFuzz, Feb 2 2016

Labels: -Security_Impact-Beta
Project Member

Comment 24 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member

Comment 25 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic

Sign in to add a comment