IDBRequest.result getter passes empty Local to V8
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6282069514125312
Fuzzer: therealholden_worker
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x00000000
Crash State:
  v8::internal::UpdateDescriptorForValue
  v8::internal::Map::PrepareForDataProperty
  v8::internal::LookupIterator::PrepareForDataProperty
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=319142:319252
Minimized Testcase (3.18 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94Ms4zMiaGxg-3XJKyn464bsr0ZD6TnvohhmvZBqSXxNsVFGI6zdfCtG00OT4bFgm_wBBOhfnxW39DTAUlz5k6dq69r8LNJZkjbic1yboRpP6cneaK20GBT57Gv2c0xfFaXav-Qp7aAZZ_NDBZsp5tpyFl66A
Additional requirements: Requires HTTP
Filer: jkummerow
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Feb 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5897362850971648
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  v8::internal::Map::TransitionToDataProperty
  v8::internal::LookupIterator::PrepareTransitionToDataProperty
  v8::internal::Object::AddDataProperty
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=376718:376742
Minimized Testcase (20.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94aSHcIBrT-3cmx5E1X2YQNP1V3Ik4VsGTGqQ50aT70AB3uc2WmLTnGLZOFfyVYsZJKpQ7nzD5Z-eO_IUnkVZE6_BxD7--60kKJyEnb0o1lkZ8QrhUFPGy2hPWiCXwq5qPzS3ilclItU3yZH_d0tAQ6zhFgw7P7yMFGC6zwCrw9xBvyMrE
Filer: jkummerow
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Feb 29 2016
cmumford@ - can you take a look and see if you can minimize? My (rather obvious) guess is there's something funky in the dirty/caching logic.
,
Mar 1 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6282069514125312
Fuzzer: therealholden_worker
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x00000000
Crash State:
  v8::internal::UpdateDescriptorForValue
  v8::internal::Map::PrepareForDataProperty
  v8::internal::LookupIterator::PrepareForDataProperty
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=319142:319252
Minimized Testcase (3.18 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94Ms4zMiaGxg-3XJKyn464bsr0ZD6TnvohhmvZBqSXxNsVFGI6zdfCtG00OT4bFgm_wBBOhfnxW39DTAUlz5k6dq69r8LNJZkjbic1yboRpP6cneaK20GBT57Gv2c0xfFaXav-Qp7aAZZ_NDBZsp5tpyFl66A
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 3 2016
Problem easily reproduces with the minimized testcase on a standard Linux debug build - no asan required. If the test does not detach the iframe from the Window via:
    frameElement.parentNode.removeChild(frameElement);
then the test passes. If it does detach, then the next read of result:
    var matching = reqindex.result;
will fail. That's about all I have so far.
,
Mar 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6525938864488448
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x00000000
Crash State:
  v8::internal::UpdateDescriptorForValue
  v8::internal::Map::PrepareForDataProperty
  v8::internal::LookupIterator::PrepareForDataProperty
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=375259:376290
Minimized Testcase (1.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv940dRj5RfthfnTl4QSoWO5fQSgpEz_EIsviwu_OxoIO2DYmpc8_wClPWBSdRUChwo5ywkbCAFeUmTnqLsGRRS4cA2viGRVtH2wYorASk8iG7HhfZ3RODzQv6p8DqD054DmCPmGXrT5J6gLpNDSJVnwQdDlsjQ
Additional requirements: Requires HTTP
Filer: pucchakayala
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 8 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6525938864488448
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x00000000
Crash State:
  v8::internal::UpdateDescriptorForValue
  v8::internal::Map::PrepareForDataProperty
  v8::internal::LookupIterator::PrepareForDataProperty
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=375259:376290
Minimized Testcase (1.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv940dRj5RfthfnTl4QSoWO5fQSgpEz_EIsviwu_OxoIO2DYmpc8_wClPWBSdRUChwo5ywkbCAFeUmTnqLsGRRS4cA2viGRVtH2wYorASk8iG7HhfZ3RODzQv6p8DqD054DmCPmGXrT5J6gLpNDSJVnwQdDlsjQ
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 8 2016
Fun. Okay, without trying it, I'm guessing that this is happening in IDBRequest::result:
    if (m_contextStopped || !executionContext())
        return ScriptValue();
... because the source context (frame) of the request is detached. Then in IDBRequestV8Internal::resultAttributeGetter we are running the line noted above:
    v8::Local<v8::Value> v8Value(cppValue.v8Value());
    V8HiddenValue::setHiddenValue(ScriptState::current(info.GetIsolate()), holder, propertyName, v8Value);
We can probably just guard against this with `if (!v8Value.IsEmpty()) ...`
in bindings/templates/attributes.cpp at the setHiddenValue() call site.
haraken, WDYT?
,
Mar 8 2016
Or can we add the guard into V8HiddenValue::setHiddenValue?
,
Mar 8 2016
SGTM, as long as it's not totally unexpected behavior for V8HiddenValue to silently ignore empties.
,
Mar 9 2016
,
Mar 9 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6374744546344960
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x00000000
Crash State:
  v8::internal::UpdateDescriptorForValue
  v8::internal::Map::PrepareForDataProperty
  v8::internal::LookupIterator::PrepareForDataProperty
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=375259:376290
Minimized Testcase (1.48 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97YbsUNSkuPrwwpXoLIxaE4engDvebA1x2hyjyWrG8E0eH9PM92TpupAMKIeB1Pv7hyXgLYlX39QdVzJYXEIXOVa7Xobh5W8tpHhfs7-kA-4S7ZSOnoKcxlFi28G-NTI_qqoDUkACGtUX_y1Yd2AzSx7o75jQ
Additional requirements: Requires HTTP
Filer: nyerramilli
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 9 2016
ClusterFuzz has detected this issue as fixed in range 379622:379932.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5897362850971648
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  v8::internal::Map::TransitionToDataProperty
  v8::internal::LookupIterator::PrepareTransitionToDataProperty
  v8::internal::Object::AddDataProperty
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=376718:376742
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=379622:379932
Minimized Testcase (20.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94aSHcIBrT-3cmx5E1X2YQNP1V3Ik4VsGTGqQ50aT70AB3uc2WmLTnGLZOFfyVYsZJKpQ7nzD5Z-eO_IUnkVZE6_BxD7--60kKJyEnb0o1lkZ8QrhUFPGy2hPWiCXwq5qPzS3ilclItU3yZH_d0tAQ6zhFgw7P7yMFGC6zwCrw9xBvyMrE
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 9 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/96ad5a7ab9cea6a586e5df4acef371ef35d6c5ba
commit 96ad5a7ab9cea6a586e5df4acef371ef35d6c5ba
Author: jsbell <jsbell@chromium.org>
Date: Wed Mar 09 04:42:16 2016

V8 Bindings: Don't attempt to set an empty V8HiddenValue

After an execution context is stopped, IndexedDB returns an empty ScriptValue() on property access. The bindings code should not attempt to cache this using V8HiddenValue.

BUG= 590730
R=haraken@chromium.org

Review URL: https://codereview.chromium.org/1780593002
Cr-Commit-Position: refs/heads/master@{#380067}

[add] https://crrev.com/96ad5a7ab9cea6a586e5df4acef371ef35d6c5ba/third_party/WebKit/LayoutTests/storage/indexeddb/empty-crash.html
[modify] https://crrev.com/96ad5a7ab9cea6a586e5df4acef371ef35d6c5ba/third_party/WebKit/Source/bindings/core/v8/V8HiddenValue.cpp
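To make the control flow from the Mar 8 analysis and from the commit message above concrete, here is an added example that is not Chromium's code: a self-contained C++ model of the generated resultAttributeGetter, of V8HiddenValue::setHiddenValue before and after the empty-handle guard, and of a SetPrivate stand-in that fails the way Utils::OpenHandle does when it is given an empty handle. Every type here (Value, LocalValue, HostObject, IDBRequestModel) is a constructed stand-in, the CHECK failure is modeled as a thrown exception instead of a process abort, and the cache lookup at the top of the getter is assumed from the caching pattern rather than taken from the page.

```cpp
#include <cassert>
#include <map>
#include <stdexcept>
#include <string>

// Constructed stand-in for a V8 value and for v8::Local<T>. The real handle type
// does expose IsEmpty(); everything else here is simplified so it runs outside Chromium.
struct Value { std::string repr; };

struct LocalValue {
    const Value* val_ = nullptr;                 // val_ == 0x0 is the "empty Local" seen in the gdb dump
    bool IsEmpty() const { return val_ == nullptr; }
};

// Stand-in for v8::Object::SetPrivate. Utils::OpenHandle(that, allow_empty_handle=false)
// CHECK-fails on an empty handle; that abort is modeled here as a thrown logic_error.
struct HostObject {
    std::map<std::string, const Value*> privates;  // hidden-value cache keyed by property name

    void SetPrivate(const std::string& key, LocalValue value) {
        if (value.IsEmpty())
            throw std::logic_error("Check failed: !that.IsEmpty() (modeled V8_Fatal)");
        privates[key] = value.val_;
    }
    LocalValue GetPrivate(const std::string& key) const {
        auto it = privates.find(key);
        return it == privates.end() ? LocalValue{} : LocalValue{it->second};
    }
};

// Before the fix: setHiddenValue forwards whatever it is given to V8.
void setHiddenValueUnguarded(HostObject& holder, const std::string& key, LocalValue value) {
    holder.SetPrivate(key, value);
}

// After the fix (the guard landed in V8HiddenValue::setHiddenValue): an empty handle is
// skipped instead of being handed to V8. Returns whether anything was cached.
bool setHiddenValueGuarded(HostObject& holder, const std::string& key, LocalValue value) {
    if (value.IsEmpty())
        return false;
    holder.SetPrivate(key, value);
    return true;
}

// Model of IDBRequest::result(): once the execution context is stopped (the request's
// frame was detached) it returns an empty ScriptValue, i.e. an empty handle.
struct IDBRequestModel {
    bool contextStopped = false;
    Value resultValue{"<IDBCursor>"};            // constructed stand-in for the real result
    LocalValue result() const {
        return contextStopped ? LocalValue{} : LocalValue{&resultValue};
    }
};

// Model of the generated resultAttributeGetter: consult the hidden-value cache (assumed),
// otherwise compute the value, try to cache it, and return what script would observe.
std::string resultAttributeGetter(const IDBRequestModel& impl, HostObject& holder, bool guarded) {
    static const std::string propertyName = "result";
    LocalValue cached = holder.GetPrivate(propertyName);
    if (!cached.IsEmpty())
        return cached.val_->repr;
    LocalValue v8Value = impl.result();
    if (guarded)
        setHiddenValueGuarded(holder, propertyName, v8Value);
    else
        setHiddenValueUnguarded(holder, propertyName, v8Value);
    return v8Value.IsEmpty() ? "undefined" : v8Value.val_->repr;
}

// Scenario from the bug: the iframe owning the request is detached before script reads
// request.result. Returns true when the getter completes (yielding undefined) instead
// of hitting the modeled CHECK.
bool survivesDetachedContext(bool guarded) {
    IDBRequestModel req;
    req.contextStopped = true;
    HostObject holder;
    try {
        return resultAttributeGetter(req, holder, guarded) == "undefined";
    } catch (const std::logic_error&) {
        return false;
    }
}

// Sanity check that the guard does not change the normal path: a live context still
// caches its result, and the second read is served from the cache.
bool liveContextStillCaches() {
    IDBRequestModel req;
    HostObject holder;
    std::string first = resultAttributeGetter(req, holder, /*guarded=*/true);
    bool cachedNow = !holder.GetPrivate("result").IsEmpty();
    std::string second = resultAttributeGetter(req, holder, true);
    return cachedNow && first == second && first == "<IDBCursor>";
}
```

The unguarded variant reproduces the failure shape in the gdb output: the getter itself is fine with an empty handle, but forwarding it into SetPrivate trips a CHECK, which in a real renderer is a process abort rather than a catchable error. Putting the guard inside setHiddenValue (rather than at one generated call site) protects every binding that caches through it, which is the trade-off discussed in the Mar 8 comments.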
,
Mar 9 2016
ClusterFuzz has detected this issue as fixed in range 379959:380077.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6374744546344960
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x00000000
Crash State:
  v8::internal::UpdateDescriptorForValue
  v8::internal::Map::PrepareForDataProperty
  v8::internal::LookupIterator::PrepareForDataProperty
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=375259:376290
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=379959:380077
Minimized Testcase (1.48 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97YbsUNSkuPrwwpXoLIxaE4engDvebA1x2hyjyWrG8E0eH9PM92TpupAMKIeB1Pv7hyXgLYlX39QdVzJYXEIXOVa7Xobh5W8tpHhfs7-kA-4S7ZSOnoKcxlFi28G-NTI_qqoDUkACGtUX_y1Yd2AzSx7o75jQ
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 9 2016
,
Apr 8 2016
Issue 601413 has been merged into this issue.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jkummerow@chromium.org, Feb 29 2016
Components: Blink>Bindings Blink>Storage>IndexedDB
Labels: -OS-Linux -Cr-Blink-Storage-IndexedDB OS-All
Summary: IDBRequest.result getter passes empty Local to V8 (was: Crash in v8::internal::UpdateDescriptorForValue)
ClusterFuzz's repro works on desktop (Linux x64 Debug) too. I haven't tried to reduce it further. Debug stack trace:
(gdb) bt
#0 v8::base::OS::Abort () at ../../v8/src/base/platform/platform-posix.cc:229
#1 0x00007f117a9d6ff8 in V8_Fatal (file=0x7f117a9df0f0 <.L.str.926> "../../v8/src/api.h", line=402, format=0x7f117a9de75a <.L.str.9> "Check failed: %s.") at ../../v8/src/base/logging.cc:116
#2 0x00007f1179fa7705 in v8::Utils::OpenHandle (that=0x0, allow_empty_handle=false) at ../../v8/src/api.h:402
#3 0x00007f1179fdac85 in v8::Object::SetPrivate (this=0x7ffc223b7f20, context=..., key=..., value=...) at ../../v8/src/api.cc:3592
#4 0x00007f116f710019 in blink::V8HiddenValue::setHiddenValue (scriptState=0x1ddb077758a0, object=..., key=..., value=...) at ../../third_party/WebKit/Source/bindings/core/v8/V8HiddenValue.cpp:40
#5 0x00007f117267ba51 in blink::IDBRequestV8Internal::resultAttributeGetter (info=...) at gen/blink/bindings/modules/v8/V8IDBRequest.cpp:60
#6 0x00007f117267b2e5 in blink::IDBRequestV8Internal::resultAttributeGetterCallback (info=...) at gen/blink/bindings/modules/v8/V8IDBRequest.cpp:66
#7 0x00007f117a01ac95 in v8::internal::FunctionCallbackArguments::Call (this=0x7ffc223b7f08, f=0x7f117267b2d0 <blink::IDBRequestV8Internal::resultAttributeGetterCallback(v8::FunctionCallbackInfo<v8::Value> const&)>) at ../../v8/src/arguments.cc:33
#8 0x00007f117a084823 in v8::internal::(anonymous namespace)::HandleApiCallHelper<false> (isolate=0x8a5d7cf2020, args=...) at ../../v8/src/builtins.cc:3942
#9 0x00007f117a0840c2 in v8::internal::Builtins::InvokeApiFunction (function=..., receiver=..., argc=0, args=0x0) at ../../v8/src/builtins.cc:4101
#10 0x00007f117a605225 in v8::internal::Object::GetPropertyWithAccessor (it=0x7ffc223b86d0) at ../../v8/src/objects.cc:1103
#11 0x00007f117a603a3b in v8::internal::Object::GetProperty (it=0x7ffc223b86d0) at ../../v8/src/objects.cc:733
#12 0x00007f117a55c4f7 in v8::internal::LoadIC::Load (this=0x7ffc223b8898, object=..., name=...) at ../../v8/src/ic/ic.cc:714
#13 0x00007f117a566440 in v8::internal::__RT_impl_Runtime_LoadIC_Miss (args=..., isolate=0x8a5d7cf2020) at ../../v8/src/ic/ic.cc:2245
#14 0x00007f117a5660fe in v8::internal::Runtime_LoadIC_Miss (args_length=4, args_object=0x7ffc223b8b10, isolate=0x8a5d7cf2020) at ../../v8/src/ic/ic.cc:2226
#15 0x000008d6db90693b in ?? ()
(gdb) f 5
#5 0x00007f117267ba51 in blink::IDBRequestV8Internal::resultAttributeGetter (info=...) at gen/blink/bindings/modules/v8/V8IDBRequest.cpp:60
60 V8HiddenValue::setHiddenValue(ScriptState::current(info.GetIsolate()), holder, propertyName, v8Value);
Surrounding source (gen/blink/bindings/modules/v8/V8IDBRequest.cpp):
  55     ExceptionState exceptionState(ExceptionState::GetterContext, "result", "IDBRequest", holder, info.GetIsolate());
  56     ScriptValue cppValue(impl->result(exceptionState));
  57     if (UNLIKELY(exceptionState.throwIfNeeded()))
  58         return;
  59     v8::Local<v8::Value> v8Value(cppValue.v8Value());
> 60     V8HiddenValue::setHiddenValue(ScriptState::current(info.GetIsolate()), holder, propertyName, v8Value);
(gdb) p cppValue
$8 = {m_scriptState = {m_ptr = 0x0}, m_value = {m_ptr = 0x0}}
(gdb) p v8Value
$13 = {val_ = 0x0}
Not sure who to route this to (Kentaro, can you help?), but it doesn't seem to be a V8 issue.