
Issue 613567


Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




counters_row->Set(context, to_name_object, counter_object) .IsJust() in src/inte

Project Member Reported by ClusterFuzz, May 20 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4784007976058880

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  counters_row->Set(context, to_name_object, counter_object) .IsJust() in src/inte
  
Regressed: V8: r35815:35816

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95KUOI7RqQ35N9UJza6YlgblSZ0ew2RKENgmgePGQ0Odqo_kOUziqz-qKQK7EphZrAWtkPxMsvN6rX7oZ2E2hOkZ8jPTDvrzqMB1X0xBqNkf4N4Gu3mLZnp7vtEgKN7eCb5Qzm_daMrLn9KSGP565eqCTp5zQ
__v_7 = new Proxy({},{}, { get() { throw "No trap should fire" }});
Object.setPrototypeOf(Object.prototype, __v_7);
function __f_7() {
}
__v_10 = getIgnitionDispatchCounters();


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: oth@chromium.org rmcilroy@chromium.org
Owner: ssanfilippo@chromium.org
Status: Assigned (was: Available)
Reproduces on tip of tree as follows ...

$ git checkout 3cc2adb3195afe8f6eb671664bd65828eb68adb1
$ make -j1000 x64.debug
$ ./out/x64.debug/d8 --ignition --trace-ignition-dispatches ~/Downloads/fuzz-02351.js 

#
# Fatal error in ../src/interpreter/interpreter.cc, line 254
# Check failed: counters_row->Set(context, to_name_object, counter_object) .IsJust().
#

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::internal::interpreter::Interpreter::GetDispatchCountersObject()
 3: v8::internal::IgnitionStatisticsExtension::GetIgnitionDispatchCounters(v8::FunctionCallbackInfo<v8::Value> const&)
 4: v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&))
 5: 0xdff52f
 6: 0xe45126
 7: 0xe029eb
 8: 0x85a20308bc7
Illegal instruction (core dumped)

Project Member

Comment 3 by bugdroid1@chromium.org, May 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/26569a47d156cc24b39083ce924daa4674c12042

commit 26569a47d156cc24b39083ce924daa4674c12042
Author: ssanfilippo <ssanfilippo@chromium.org>
Date: Mon May 23 16:40:00 2016

[Interpreter] Fix getIgnitionDispatchCounters crash with modified Object prototype.

Changes to the Object prototype may cause getIgnitionDispatchCounters()
to fail when building the counters table object. Using DefineOwnProperty
instead of Set solves the issue by ignoring the prototype chain.

BUG= chromium:613567 
LOG=N

Review-Url: https://codereview.chromium.org/2000203002
Cr-Commit-Position: refs/heads/master@{#36447}

[modify] https://crrev.com/26569a47d156cc24b39083ce924daa4674c12042/src/interpreter/interpreter.cc
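The prototype-chain difference the commit message relies on, shown at the JavaScript level as an added example (not code from the bug, the testcase or V8). Assumptions: the proxy is placed on a local prototype via Object.create rather than on Object.prototype, so the rest of the realm is untouched, and it is given explicit set/defineProperty traps so the path taken is visible in a log.

```javascript
'use strict';

// Constructed example: a proxy on the prototype chain, as the ClusterFuzz
// testcase does with Object.prototype (here a local prototype instead).
function makeTrappedPrototype(log) {
  return new Proxy({}, {
    // [[Set]] on a descendant object walks up to here when the receiver
    // has no own property of that name yet.
    set(target, key, value, receiver) {
      log.push(`set trap: ${String(key)}`);
      throw new TypeError(`set trap fired for ${String(key)}`);
    },
    // [[DefineOwnProperty]] on a descendant never consults the prototype,
    // so this trap is not reached by buildWithDefineOwnProperty.
    defineProperty(target, key, desc) {
      log.push(`defineProperty trap: ${String(key)}`);
      return Reflect.defineProperty(target, key, desc);
    },
  });
}

// Mirrors the pre-fix code path: plain assignment is [[Set]], which
// consults the prototype chain and therefore reaches the proxy.
function buildWithSet(counters) {
  const log = [];
  const row = Object.create(makeTrappedPrototype(log));
  try {
    for (const [name, count] of Object.entries(counters)) row[name] = count;
    return { ok: true, row, log };
  } catch (e) {
    return { ok: false, error: e.message, log };
  }
}

// Mirrors the fix: DefineOwnProperty acts on the receiver only and
// ignores whatever sits on the prototype chain.
function buildWithDefineOwnProperty(counters) {
  const log = [];
  const row = Object.create(makeTrappedPrototype(log));
  for (const [name, count] of Object.entries(counters)) {
    Object.defineProperty(row, name, {
      value: count, writable: true, enumerable: true, configurable: true,
    });
  }
  return { ok: true, row, log };
}
```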

Project Member

Comment 4 by ClusterFuzz, May 23 2016

ClusterFuzz has detected this issue as fixed in range 36446:36447.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4784007976058880

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  counters_row->Set(context, to_name_object, counter_object) .IsJust() in src/inte
  
Regressed: V8: r35815:35816
Fixed: V8: r36446:36447

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95KUOI7RqQ35N9UJza6YlgblSZ0ew2RKENgmgePGQ0Odqo_kOUziqz-qKQK7EphZrAWtkPxMsvN6rX7oZ2E2hOkZ8jPTDvrzqMB1X0xBqNkf4N4Gu3mLZnp7vtEgKN7eCb5Qzm_daMrLn9KSGP565eqCTp5zQ
__v_7 = new Proxy({},{}, { get() { throw "No trap should fire" }});
Object.setPrototypeOf(Object.prototype, __v_7);
function __f_7() {
}
__v_10 = getIgnitionDispatchCounters();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
Project Member

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
