New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 597407 link

Starred by 0 users

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

scope->declarations()->is_empty() in src/interpreter/bytecode-generator.cc

Project Member Reported by ClusterFuzz, Mar 23 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4603091323715584

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  scope->declarations()->is_empty() in src/interpreter/bytecode-generator.cc
  

Minimized Testcase (10.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv957KgOF2LQQin4JadxwQTVyDn7T0y1nlscMiDAxFuXtS6RCSmtX49RLd-3IqHtJZxqVeikN_d44e_YOekKtMmwlxNekORDSw97Vu4TENo9juLzVL8ZkxmzfrtcXpxs8aeiphP041WF6TrAEdUZ41JcGjNnybQ

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Project Member

Comment 1 by ClusterFuzz, Mar 23 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5762275373219840

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0001bfff8000
Crash State:
  v8::internal::Context::native_context
  v8::internal::Map::TransitionElementsTo
  v8::internal::JSObject::GetElementsTransitionMap
  
Recommended Security Severity: Medium


Minimized Testcase (0.36 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96JKllWiAcu6Y7SOLT7gHkvZWuTFBbRKXKtkb5H6sZx6Yc1ss67dnC4W_IthOMZHx2DSGeBU_h4xx6rHfW-BFDhuGd5jAtR4ZOoiQfsf0F8bp5HzOvg5tbhohMnKY29WCRPLkNChhySCHTNGYIpu3Bemyv7dw
function __f_7() {
  return "  [0, 0, 0];"
}
function __f_6() {
  return eval(__f_7());
}
function __f_10() {
  var __v_1 = __f_6();
  return __v_1;
}
function __f_3() {
  var __v_2 = __f_10();
  __v_2[0] = 1.5;
  return __v_2;
}
function __f_2(array, value) {
  array[1] = value;
}
function __f_9() {
  __f_2( 1.5);
  var __v_4 = __f_3();
  __f_2(__v_4);
}
__f_9();






Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Cc: hablich@chromium.org
Hmm, the two crashes look like different bugs that got merged here, don't they?
Yes, my fault. 
This is a reduced repro for the report referenced in the very first comment. Just because reports from the "decoder_langfuzz" fuzzer can be a little tricky to reproduce sometimes:

// Flags: --ignition

function f() {
  with ({}) x: function g() {}
}
f();
Owner: mythria@chromium.org
Status: Assigned (was: Available)
I am looking at the first bug where scope->declarations()->is_empty() in src/interpreter/bytecode-generator.cc.
filed another bug (https://bugs.chromium.org/p/chromium/issues/detail?id=597565) for the next bug since it is not related to the first one. 
Cc: littledan@chromium.org
Re #4: Also note that this no longer reproduces after a recent change:
https://chromium.googlesource.com/v8/v8/+/7f108b655bce12f922b5b2cec6652cefe1d6a245
Sorry about that; there was an issue where some for loops were made with invalid scopes, for example labelled function declarations in with statements as in #c4. A DCHECK would catch this, but they are banned in the language, so now it's a SyntaxError. However, this should not affect the case in #c1.
Project Member

Comment 10 by ClusterFuzz, Mar 24 2016

ClusterFuzz has detected this issue as fixed in range 35048:35049.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4603091323715584

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  scope->declarations()->is_empty() in src/interpreter/bytecode-generator.cc
  
Fixed: V8: r35048:35049

Minimized Testcase (10.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv957KgOF2LQQin4JadxwQTVyDn7T0y1nlscMiDAxFuXtS6RCSmtX49RLd-3IqHtJZxqVeikN_d44e_YOekKtMmwlxNekORDSw97Vu4TENo9juLzVL8ZkxmzfrtcXpxs8aeiphP041WF6TrAEdUZ41JcGjNnybQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
Project Member

Comment 12 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment