RUNTIME_ASSERT in args[0]->IsString() in src/runtime/runtime-regexp.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5192966884294656
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State: args[0]->IsString() in src/runtime/runtime-regexp.cc
Minimized Testcase (9.69 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94sHXIU20DanfOtxXZo-0eihWC7Lu8Iv9vBy6Yi4o2Wje448pWiSZjqk2pEfAov7IURxoGgRVCmSwMtBDxQGfyjkbVKhO8bDG6pvZEHG6vZqJx6FXjS10iQZdppzPe7stofnty9wpQuD1UNztlc-ILLY6wATw
Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 18 2016
Introduced by "[regexp, intl] Intl should not cause side effects to the RegExp object." (https://codereview.chromium.org/1819313002).

out/x64.debug/d8 test.js

===== test.js =====
Array.prototype.__defineSetter__(0, function(value) {});
if (this.Intl) {
  var o = new Intl.DateTimeFormat('en-US', {'timeZone': 'Asia/Katmandu'})
}
Apr 19 2016
The pin-pointed CL does not introduce this issue. It merely causes unexpected behavior such as this one to crash. Intl seems to be unsafe against monkey-patching. The issue here is that Intl.DateTimeFormat ends up calling initializeLocaleList, which initializes 'seen' with [], and uses ArrayPush on it. [] has the same prototype as Array, so it ends up calling that setter even though this internal implementation should not be affected by monkey-patching. We probably should use InternalArray here, and since the locale list is not exposed to the user (?) we can just keep using InternalArray. We probably don't need to call freezeArray either. I'm not entirely familiar with Intl. Maybe Jochen or Jungshik has more insight?
Apr 19 2016
Apr 27 2016
The Intl code has gotten gradually better over time at withstanding monkey-patching and handling other kinds of edge cases, but I won't be surprised if there are more issues lurking. I have a fix for this one at https://codereview.chromium.org/1923803002 . We do need freezeArray as the array is returned to the user in Intl.Collator.supportedLocalesOf whose implementation calls this code. The specification requires that the output array be frozen.
May 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/4f374bbc94f7958b0be4e6a15743eebe7c6eecf6

commit 4f374bbc94f7958b0be4e6a15743eebe7c6eecf6
Author: littledan <littledan@chromium.org>
Date: Mon May 02 18:18:42 2016

Use InternalArrays from certain Intl code

The ECMA 402 implementation previously pushed directly to real Arrays, which risks having observably incorrect behavior in the presence of monkey patching. This patch uses InternalArrays instead to avoid that hazard.

R=jshin@chromium.org,yangguo@chromium.org
BUG= chromium:604299
LOG=N

Review-Url: https://codereview.chromium.org/1923803002
Cr-Commit-Position: refs/heads/master@{#35949}

[modify] https://crrev.com/4f374bbc94f7958b0be4e6a15743eebe7c6eecf6/src/js/i18n.js
[modify] https://crrev.com/4f374bbc94f7958b0be4e6a15743eebe7c6eecf6/src/js/typedarray.js
[add] https://crrev.com/4f374bbc94f7958b0be4e6a15743eebe7c6eecf6/test/mjsunit/regress/regress-crbug-604299.js
[modify] https://crrev.com/4f374bbc94f7958b0be4e6a15743eebe7c6eecf6/test/test262/test262.status
May 3 2016
ClusterFuzz has detected this issue as fixed in range 35948:35949.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5192966884294656
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State: args[0]->IsString() in src/runtime/runtime-regexp.cc
Regressed: V8: r35098:35099
Fixed: V8: r35948:35949
Minimized Testcase (9.69 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94sHXIU20DanfOtxXZo-0eihWC7Lu8Iv9vBy6Yi4o2Wje448pWiSZjqk2pEfAov7IURxoGgRVCmSwMtBDxQGfyjkbVKhO8bDG6pvZEHG6vZqJx6FXjS10iQZdppzPe7stofnty9wpQuD1UNztlc-ILLY6wATw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 6 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot