Stack-overflow in v8::internal::PerThreadAssertScope< |
|||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5113386173464576 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: Stack-overflow Crash Address: 0xff741ffc Crash State: v8::internal::PerThreadAssertScope< v8::internal::HandleBase::IsDereferenceAllowed v8::internal::JSReceiver::ToPrimitive Regressed: V8: r35401:35402 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv959XPmWHKmd8BL_5JyrkYCZD3J9CDd5iRTLeEU--V56bRAs8HBZ3eeHw0bmOPL96amuvOqDTdNF4PYE229Um-zGG6ZybKgSvep8MefM-TksIiQfMgbitrP3OkI7j7WBUgrfN_6UWJPVY3ytla2t3rrGPM7KUg Filer: mstarzinger See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 14 2016
,
Jul 14 2016
,
Jul 14 2016
The issue here is that a stack overflow occurs within C++ code. Simulators use separate stacks for JS and C++. We check for JS stack overflow whenever a JS function is called, but so far there are no corresponding checks for C++ overflows on this codepath. This leads to a stack overflow when the C++ stack grows faster than the JS stack.
,
Jul 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/0b3e6843331fd216cc7b564137b67e9876fab90f commit 0b3e6843331fd216cc7b564137b67e9876fab90f Author: jgruber <jgruber@chromium.org> Date: Thu Jul 14 08:54:14 2016 [simulator] Check for C stack overflows during Invoke Simulators use separate stacks for C++ and JS. JS stack overflow checks are performed whenever a JS function is called. However, it can be the case that the C++ stack grows faster than the JS stack, resulting in an overflow there. Add a check here to make that less likely. BUG= chromium:604376 R=bmeurer@chromium.org, yangguo@chromium.org Review-Url: https://codereview.chromium.org/2151663003 Cr-Commit-Position: refs/heads/master@{#37749} [modify] https://crrev.com/0b3e6843331fd216cc7b564137b67e9876fab90f/src/execution.cc
,
Jul 14 2016
,
Jul 15 2016
ClusterFuzz has detected this issue as fixed in range 37748:37749. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5113386173464576 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: Stack-overflow Crash Address: 0xff664f80 Crash State: v8::internal::Object::GetMethod v8::internal::JSReceiver::ToPrimitive v8::internal::Object::ToString Regressed: V8: r35401:35402 Fixed: V8: r37748:37749 Minimized Testcase (6.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956fzVxav0BtH1QcKvKyH64KPINUtSkaEan8uffNuzu68mPpc4_AXvv2YH-eGgdxtY7o_AHdjGXSztMqMi4L-LvSU66E8tJIrIYKe2daMSIqbmHSOJ6ArP2M5HV1N6UmsshXFFB1s3d652U8ImQY_jlcJz7YQ?testcase_id=5113386173464576 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by mstarzinger@chromium.org
, Apr 18 2016Owner: bmeu...@chromium.org
Status: Assigned (was: Available)