Issue 606144

Issue metadata

Status: Archived
Closed: Jul 2017
Type: Bug




Security: UNKNOWN in v8::internal::PointersUpdatingVisitor::VisitPointer

Reported by chromium...@gmail.com, Apr 23 2016

Issue description

VERSION
Chrome Version: 51.0.2704.22 beta-m
Operating System: Windows 7 
Type of crash: Render 

I don't have specific steps to repro this crash, but this crash happens every time I navigate facebook.com.


eax=ffffff01 ebx=00000064 ecx=0029e148 edx=0029e048 esi=ffffffc1 edi=0029e048
eip=6623bcd5 esp=0029e024 ebp=0029e02c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!v8::internal::PointersUpdatingVisitor::VisitPointer+0x12:
6623bcd5 8b4eff          mov     ecx,dword ptr [esi-1] ds:0023:ffffffc0=????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  
0029e02c 66ac331c chrome_child!v8::internal::PointersUpdatingVisitor::VisitPointer+0x12 [c:\b\build\slave\win\build\src\v8\src\heap\mark-compact.cc @ 2691]
0029e040 6623e104 chrome_child!v8::internal::ObjectVisitor::VisitCodeEntry+0x19 [c:\b\build\slave\win\build\src\v8\src\objects.cc @ 13914]
0029e060 6623e07b chrome_child!v8::internal::UpdateTypedSlot+0x58 [c:\b\build\slave\win\build\src\v8\src\heap\mark-compact.cc @ 2682]
0029e088 6623de40 chrome_child!v8::internal::TypedSlotSet::Iterate<<lambda_8f58a6f9ef17f05c7181a123fd40dac0> >+0x54 [c:\b\build\slave\win\build\src\v8\src\heap\slot-set.h @ 290]
0029e0b8 6623c366 chrome_child!v8::internal::PageParallelJob<v8::internal::PointerUpdateJobTraits<0> >::Task::RunInternal+0x75 [c:\b\build\slave\win\build\src\v8\src\heap\page-parallel-job.h @ 154]
0029e118 6623c112 chrome_child!v8::internal::PageParallelJob<v8::internal::PointerUpdateJobTraits<0> >::Run<<lambda_c39a82ced5df391613c2ddb94f0604f1> >+0x132 [c:\b\build\slave\win\build\src\v8\src\heap\page-parallel-job.h @ 97]
0029e150 6623b240 chrome_child!v8::internal::UpdatePointersInParallel<0>+0x9b [c:\b\build\slave\win\build\src\v8\src\heap\mark-compact.cc @ 3505]
0029e298 662392f3 chrome_child!v8::internal::MarkCompactCollector::UpdatePointersAfterEvacuation+0x26e [c:\b\build\slave\win\build\src\v8\src\heap\mark-compact.cc @ 3565]
0029e360 662340a8 chrome_child!v8::internal::MarkCompactCollector::EvacuateNewSpaceAndCandidates+0x1b9 [c:\b\build\slave\win\build\src\v8\src\heap\mark-compact.cc @ 3407]
0029e388 65fa6042 chrome_child!v8::internal::Heap::MarkCompact+0x83 [c:\b\build\slave\win\build\src\v8\src\heap\heap.cc @ 1434]
0029e468 65fa47c7 chrome_child!v8::internal::Heap::PerformGarbageCollection+0x295 [c:\b\build\slave\win\build\src\v8\src\heap\heap.cc @ 1318]
0029e4d8 66b44188 chrome_child!v8::internal::Heap::CollectGarbage+0x16f [c:\b\build\slave\win\build\src\v8\src\heap\heap.cc @ 1014]
0029e504 664d77b0 chrome_child!v8::internal::Heap::CollectAllAvailableGarbage+0x4e [c:\b\build\slave\win\build\src\v8\src\heap\heap.cc @ 901]
0029e538 672f2859 chrome_child!v8::Isolate::LowMemoryNotification+0xa0 [c:\b\build\slave\win\build\src\v8\src\api.cc @ 7651]
0029e550 672f1827 chrome_child!content::RenderThreadImpl::OnMemoryPressure+0x40 [c:\b\build\slave\win\build\src\content\renderer\render_thread_impl.cc @ 1995]
0029e55c 672f2ce3 chrome_child!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall content::RenderThreadImpl::*)(enum base::MemoryPressureListener::MemoryPressureLevel)> >::MakeItSo<content::RenderThreadImpl *,enum base::MemoryPressureListener::MemoryPressureLevel>+0x21 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 312]
0029e584 6692e5d0 chrome_child!base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall content::RenderThreadImpl::*)(enum base::MemoryPressureListener::MemoryPressureLevel)>,void __cdecl(content::RenderThreadImpl *,enum base::MemoryPressureListener::MemoryPressureLevel),base::internal::UnretainedWrapper<content::RenderThreadImpl> >,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall content::RenderThreadImpl::*)(enum base::MemoryPressureListener::MemoryPressureLevel)> >,void __cdecl(enum base::MemoryPressureListener::MemoryPressureLevel)>::Run+0x26 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 362]
0029e594 6692e963 chrome_child!base::MemoryPressureListener::Notify+0x14 [c:\b\build\slave\win\build\src\base\memory\memory_pressure_listener.cc @ 52]
0029e5c4 65c44ecc chrome_child!base::ObserverListThreadSafe<base::MemoryPressureListener>::NotifyWrapper<void (__thiscall base::MemoryPressureListener::*)(enum base::MemoryPressureListener::MemoryPressureLevel),std::tuple<enum base::MemoryPressureListener::MemoryPressureLevel> >+0x7f [c:\b\build\slave\win\build\src\base\observer_list_threadsafe.h @ 237]
0029e5fc 6692e730 chrome_child!tracked_objects::ThreadData::Get+0x26 [c:\b\build\slave\win\build\src\base\tracked_objects.cc @ 371]
Attachment: 7dbf38eb-9f26-480f-a497-ec24d85b1550.dmp (623 KB)

Hmm... Now I can repro this with the steps below: 

1. Log into Facebook.
2. Try to open a lot of Facebook pages (Friends...).
3. Now try to close every Facebook tab.
4. Crash!


Attachment: Recording.mp4 (1.1 MB)
Also repro on 52.0.2715.0.

Comment 3 by vakh@chromium.org, Apr 24 2016

Cc: mlippautz@chromium.org vakh@chromium.org
Components: Blink>Bindings
Owner: hlopko@chromium.org
I haven't been able to reproduce this crash, but I'm going to let the product area owners decide.

hlopko@: Assigning to you based on git log. Please feel free to re-assign.
Also, the Security FAQ states that most Chromium crashes are not considered a vulnerability. Can you please confirm whether that applies in this case so that we can triage it appropriately?

Comment 4 by ClusterFuzz, Apr 24 2016

Status: Assigned (was: Unconfirmed)

Comment 5 by vakh@chromium.org, Apr 25 2016

Labels: Security_Impact-Beta
Cc: hpayer@chromium.org hlopko@chromium.org
Components: -Blink>Bindings Blink>JavaScript>GC
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Beta Type-Bug
Owner: u...@chromium.org
Thanks for the report. Unfortunately, repros of this kind are often heavily machine dependent and there's a good chance that we cannot do anything here. Nevertheless, we'll give it a shot.

Assigning to this week's memory sheriff ulan@.  This looks like a missed write barrier; not security related.
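An added illustration of the diagnosis above; it is not code from this issue or from V8. It is a toy moving young generation with a remembered set, written to show what "missed write barrier" means: an old-space slot that receives a young pointer without going through the barrier is never recorded, so after evacuation it still points at the vacated page, and the first thing the pointer updater does with that stale word is load its map from [tagged - 1], which is the `mov ecx,[esi-1]` that faults in the dump (esi=0xffffffc1 is a tagged word; 0xffffffc0 is not a heap object). All names, sizes and the 0xff poisoning of the released page are made up for the model.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <set>

// Toy heap object: first word is the map, or a forwarding pointer once the
// object has been evacuated. (Hypothetical layout, not V8's.)
struct Obj {
  uintptr_t map_or_forward;
  uintptr_t payload;
};
static const uintptr_t kLiveMap = 0x1234;

// V8-style tagging: a heap-object reference has its low bit set, so the map of
// tagged word t lives at [t - 1]. A garbage tagged word therefore faults on the
// very first load the updater makes, exactly as in the crashing instruction.
static uintptr_t Tag(Obj* p) { return reinterpret_cast<uintptr_t>(p) | 1; }
static Obj* Untag(uintptr_t t) { return reinterpret_cast<Obj*>(t - 1); }
static uintptr_t LoadMapWord(uintptr_t t) { return *reinterpret_cast<uintptr_t*>(t - 1); }

// Young generation: two semispaces (constructed sizes). Old-space slots are
// plain globals below.
enum { kYoung = 8 };
static Obj from_space[kYoung], to_space[kYoung];
static int from_top = 0, to_top = 0;

static bool InSpace(uintptr_t tagged, const Obj* space) {
  const Obj* p = Untag(tagged);
  return p >= space && p < space + kYoung;
}

// Remembered set: old-space slots known to hold young pointers. Only slots in
// here get fixed up after evacuation.
static std::set<uintptr_t*> remembered_set;

static uintptr_t AllocYoung(uintptr_t payload) {
  assert(from_top < kYoung);
  Obj* o = &from_space[from_top++];
  o->map_or_forward = kLiveMap;
  o->payload = payload;
  return Tag(o);
}

// Correct store: write the pointer and record the slot.
static void StoreWithBarrier(uintptr_t* slot, uintptr_t value) {
  *slot = value;
  if (InSpace(value, from_space)) remembered_set.insert(slot);
}
// The bug under discussion: the pointer is written, the barrier is skipped.
static void StoreMissingBarrier(uintptr_t* slot, uintptr_t value) { *slot = value; }

// Copy every from-space object to to-space, leave forwarding words behind,
// update recorded slots, then release from-space (poisoned with 0xff here to
// stand in for a page that was unmapped or reused).
static void EvacuateYoung() {
  to_top = 0;
  for (int i = 0; i < from_top; i++) {
    Obj* copy = &to_space[to_top++];
    *copy = from_space[i];
    from_space[i].map_or_forward = Tag(copy);
  }
  for (uintptr_t* slot : remembered_set) {
    if (InSpace(*slot, from_space)) *slot = Untag(*slot)->map_or_forward;
  }
  remembered_set.clear();
  memset(from_space, 0xff, sizeof(from_space));
  from_top = 0;
}

// What a pointer updater can rely on after evacuation: the slot must point into
// the surviving space and its map word must be a real map.
static bool SlotIsValid(uintptr_t slot_value) {
  return InSpace(slot_value, to_space) && LoadMapWord(slot_value) == kLiveMap;
}

// Two old-space slots: one stored correctly, one with the barrier missed.
static uintptr_t old_slot_ok = 0, old_slot_bad = 0;

static void RunScenario() {
  from_top = 0;
  remembered_set.clear();
  StoreWithBarrier(&old_slot_ok, AllocYoung(42));
  StoreMissingBarrier(&old_slot_bad, AllocYoung(43));
  EvacuateYoung();
}

int main() {
  RunScenario();
  printf("barrier slot valid: %d, missed-barrier slot valid: %d\n",
         SlotIsValid(old_slot_ok), SlotIsValid(old_slot_bad));
  printf("stale slot's map word: 0x%llx\n",
         (unsigned long long)LoadMapWord(old_slot_bad));
  return 0;
}
```

In the model the stale slot still has a readable address, so the garbage map word (all 0xff) is observable; in the real renderer the evacuated page is gone and the equivalent load faults, which is why the report shows a crash rather than silent corruption.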

Comment 7 by u...@chromium.org, Jul 24 2017

Status: Archived (was: Assigned)
This code has changed significantly since the time the issue was filed.
