
Issue 592340

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in v8::internal::LookupIterator::UpdateProtector

Project Member Reported by ClusterFuzz, Mar 7 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5765466928185344

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  v8::internal::LookupIterator::UpdateProtector
  v8::internal::Object::SetProperty
  v8::internal::Object::SetElement
  

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96aPXwzYd1FfPizsCPAsSYMd1Z5q2o4llcigZOxicPYC11It01sU2JRlyvrg5RoXB54uQPYEhVW2WxiKsJkld8wXmTTPnUcb-bIzLA0FMiohM8U5edRegs5P5xb20tI0sTMPEgFAy1vvIc7PgEkdgW8heqswA
(function() {
})();
class MyArray extends Array { }
// Redirect the @@species lookup for plain arrays: with Array's own getter
// deleted, Array[Symbol.species] resolves through Object.prototype to MyArray,
// so concat builds its result with a non-default constructor.
Object.prototype[Symbol.species] = MyArray;
delete Array[Symbol.species];
__v_1 = Math.pow(2, 31);
__v_2 = [];
__v_2[__v_1] = 31;       // length 2^31 + 1
__v_4 = [];
__v_4[__v_1 - 2] = 33;   // length 2^31 - 1
// Combined length 2^32; the element from __v_4 would land on index 2^32 - 1,
// which is not a valid array index.
var __v_3 = __v_2.concat(__v_4);


Filer: machenbach

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by adamk@chromium.org, Mar 7 2016

Owner: littledan@chromium.org
Status: Assigned (was: Available)
Not sure what "Unreproducible" means here, but this is definitely something to do with Symbol.species.
This is one of those happy cases where, if you run it in debug mode, you get a DCHECK failure before the asan failure. This DCHECK in a LookupIterator constructor is failing: DCHECK_NE(kMaxUInt32, index_). So there must be something wrong in the logic in concat to check for exceeding the maximum array size, for the case of a non-default species. I'm looking into it.
Cc: littledan@chromium.org
Issue 592347 has been merged into this issue.

Comment 4 by bugdroid1@chromium.org, Mar 9 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ca5deb1ff889cf0ffb48543402f3b930a017aa13

commit ca5deb1ff889cf0ffb48543402f3b930a017aa13
Author: littledan <littledan@chromium.org>
Date: Wed Mar 09 18:52:39 2016

Ensure appropriate bounds checking for Array subclass concat

When an Array subclass is used as the receiver for concat, or with
certain usages of @@species, the output that's constructed is of
a different type with new slow path logic. This slow path still
made references to elements, so it's important that bounds checking
for a too-long result still be done. This patch repairs that bounds
checking.

R=cbruni
LOG=Y
BUG=chromium:592340

Review URL: https://codereview.chromium.org/1782443002

Cr-Commit-Position: refs/heads/master@{#34636}

[modify] https://crrev.com/ca5deb1ff889cf0ffb48543402f3b930a017aa13/src/builtins.cc
[add] https://crrev.com/ca5deb1ff889cf0ffb48543402f3b930a017aa13/test/mjsunit/regress/regress-crbug-592340.js

Status: Fixed (was: Assigned)
Issue 593993 has been merged into this issue.
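Comment 1 and the commit message describe the same boundary from two sides: concat constructs its result through the receiver's @@species constructor, and on that non-default path the result length still has to be checked against the array length limit (2^32 - 1, so the largest array index is 2^32 - 2). The script below is an added example and is not code from the bug report, from ClusterFuzz or from V8; the class names MyArray and PlainSpecies, the helper names and the sample lengths are assumptions chosen for the demonstration. It reproduces the arithmetic of the minimized testcase with a subclass receiver instead of rewriting Object.prototype, so nothing global is mutated.

```javascript
// Added example, not code from the bug report, from ClusterFuzz or from V8.
// Shows how Array.prototype.concat picks its result constructor via @@species
// and what a correct length check at the array limit looks like. The class
// names, helper names and sample lengths are assumptions for this demo.

const MAX_ARRAY_LENGTH = 2 ** 32 - 1; // largest legal Array "length" (ES spec)
const MAX_ARRAY_INDEX = 2 ** 32 - 2;  // largest integer that is an "array index"

// Subclass receiver: concat reads MyArray[Symbol.species], the inherited Array
// getter, which returns MyArray itself, so the result is a MyArray instance.
class MyArray extends Array {}

// Same receiver shape, but @@species is overridden to hand back plain Arrays.
class PlainSpecies extends Array {
  static get [Symbol.species]() { return Array; }
}

// Build an array of the given length holding a single element at length - 1.
// Only one slot is stored (sparse elements), so lengths near 2^31 are cheap.
function sparse(ctor, length, value) {
  const a = new ctor();
  a[length - 1] = value;
  return a;
}

// Run first.concat(second) and report the constructor @@species selected, the
// index the final element of `second` lands on, and the error class if the
// engine refused the oversized result.
function concatOutcome(first, second) {
  const lastIndex = first.length + second.length - 1;
  try {
    const result = first.concat(second);
    return {
      ok: true,
      ctor: result.constructor.name,
      length: result.length,
      lastIndex,
      lastValue: result[lastIndex],
    };
  } catch (err) {
    return { ok: false, error: err.constructor.name, lastIndex };
  }
}

// @@species steering on small inputs: same method, different result type.
function speciesDemo() {
  return {
    subclass: new MyArray(1, 2).concat([3]).constructor.name,   // "MyArray"
    plain: new PlainSpecies(1, 2).concat([3]).constructor.name, // "Array"
  };
}

// Largest result that is still a legal array: length 2^32 - 1, last index
// 2^32 - 2. The element copied from the second array lands exactly there.
function fitsTheLimit() {
  return concatOutcome(sparse(MyArray, 2 ** 31 + 1, 31),
                       sparse(Array, 2 ** 31 - 2, 33));
}

// One element longer, the shape of the minimized testcase: the last element
// would need index 2^32 - 1, which is not an array index, and the result
// length 2^32 is illegal. The spec-mandated outcome is a RangeError, not a
// write to a bogus index.
function exceedsTheLimit() {
  return concatOutcome(sparse(MyArray, 2 ** 31 + 1, 31),
                       sparse(Array, 2 ** 31 - 1, 33));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(speciesDemo());
  console.log(fitsTheLimit());
  console.log(exceedsTheLimit());
}
```

The two large cases differ by a single element of length: 2^31 + 1 plus 2^31 - 2 gives the last legal length, while 2^31 + 1 plus 2^31 - 1 (the testcase's values) gives 2^32. A concat implementation that skips the length check on its species slow path would try to place the copied element at index 2^32 - 1, the sentinel value the DCHECK in comment 1 refuses; with the check in place the call throws RangeError before any such write.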

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
