
Issue 615776 link

Starred by 0 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




RUNTIME_ASSERT in args[0]->IsNumber() in src/runtime/runtime-maths.cc

Project Member Reported by ClusterFuzz, May 30 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5205335090659328

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: RUNTIME_ASSERT
Crash Address: 
Crash State:
  args[0]->IsNumber() in src/runtime/runtime-maths.cc
  
Regressed: V8: r36527:36528

Minimized Testcase (0.40 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96LiH2k-zFpB65no1EGCv2j14dTt4URj-a1HXecEyY-krcKeEOb6JUmsP1AZT0OjCL7rUqZqBZ5XyIVFd78bFLtbtIH73TFzqWslmlSNgXb0gvqJVkows-D1SCTCaQTtCJJcVHqcQA7_qyfnfiXyKj8Em9M4Q
(function() {
  class MyTypedArray extends Int32Array {
    get length() {
    }
  }
})();
(function() {
  class MyTypedArray extends Int32Array {
    constructor(length) {
    }
  }
})();
(function() {
})();
delete Int32Array.prototype.__proto__.length;
get = function() {
}
try {
} catch(e) {; }
try {
(function __f_4() {
})();
} catch(e) {; }
var __v_18 = new WeakMap;
var __v_19 = {};
__v_18.set(__v_19);


Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ishell@chromium.org, May 30 2016

Cc: adamk@chromium.org littledan@chromium.org
Owner: gsat...@chromium.org
Status: Assigned (was: Available)
Regression range points to "TypedArray: Make byteOffset, byteLength, and length configurable" (https://codereview.chromium.org/2001393004).

Comment 2 by tjbecker@google.com, May 31 2016

I ran into this a few days ago and did some debugging. I've attached a more simplified test case.

The issue stems from https://chromium.googlesource.com/v8/v8/+/4513e07787e2860a73d290d7580c961a0aad3482.

In |MathRandomRaw|, |nextRandomIndex| can become an invalid array index, causing undefined to be passed into |%_DoubleLo|.

A possible fix may be using |%_TypedArrayGetLength| instead of accessing the length in javascript.
simple.js
135 bytes View Download
Project Member

Comment 3 by ClusterFuzz, May 31 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4603839483478016

Uploader: tjbecker@google.com
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: RUNTIME_ASSERT
Crash Address: 
Crash State:
  args[0]->IsNumber() in src/runtime/runtime-maths.cc
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv957LvH8fd7jiubSl6XnFyW3r7TDgDjscWdh7fH_DW-SI8LT_OFMQqcYDqLOGnCeSUQaYoGRVIRe5aNrrTm_vyFBNmbeX5ZeonsRTSxeicRSTopE51tyBdCWzrASblj_6tFUgGB5xfXBs4XRol3Dwfj4vAlSDA


Filer: tjbecker

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 4 by ClusterFuzz, Jun 1 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4603839483478016

Uploader: tjbecker@google.com
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: RUNTIME_ASSERT
Crash Address: 
Crash State:
  args[0]->IsNumber() in src/runtime/runtime-maths.cc
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv957LvH8fd7jiubSl6XnFyW3r7TDgDjscWdh7fH_DW-SI8LT_OFMQqcYDqLOGnCeSUQaYoGRVIRe5aNrrTm_vyFBNmbeX5ZeonsRTSxeicRSTopE51tyBdCWzrASblj_6tFUgGB5xfXBs4XRol3Dwfj4vAlSDA


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 5 by bugdroid1@chromium.org, Jun 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a7d091ffe385fc62e372f34317d97e6ea31a0a4a

commit a7d091ffe385fc62e372f34317d97e6ea31a0a4a
Author: gsathya <gsathya@chromium.org>
Date: Wed Jun 01 18:41:58 2016

math.js: Use %_TypedArrayGetLength to get length

https://codereview.chromium.org/2001393004 makes TypedArray
length property writable, which means we shouldn't depend on it.
Instead, use %_TypedArrayGetLength% to get length.

Attached regression test.

BUG= chromium:615776 

Review-Url: https://codereview.chromium.org/2020203006
Cr-Commit-Position: refs/heads/master@{#36655}

[modify] https://crrev.com/a7d091ffe385fc62e372f34317d97e6ea31a0a4a/src/js/math.js
[add] https://crrev.com/a7d091ffe385fc62e372f34317d97e6ea31a0a4a/test/mjsunit/regress/regress-615776.js

Status: Fixed (was: Assigned)
Thanks for looking into this, tjbecker.
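Added illustration of the root cause described in Comment 2 and of the fix in the commit above (example code, not V8's math.js or its regression test). V8's self-hosted Math.random cache read the `.length` of an internal typed array from JavaScript; once r36528 made that property configurable, user code could shadow or delete it, the refill check `index >= undefined` never fired, the index walked past the end of the cache and `undefined` reached %_DoubleLo, which asserts on a non-number. The example below models that with a constructed 16-slot cache and a subclass whose `length` getter returns undefined, as in the fuzzer testcase, and shows the hardened consumer reading the length through the genuine %TypedArray%.prototype.length getter captured before any user code runs, which stands in for the %_TypedArrayGetLength intrinsic the fix uses. The names `makeCache`, `nextValueVulnerable`, `nextValueHardened`, `drain` and `countNonNumbers` are assumptions of this example.

```javascript
// Added example, not V8 code. Models the Math.random cache bug from
// chromium:615776: a builtin that trusts a user-overridable `.length`.

// Capture the real %TypedArray%.prototype.length getter before any user
// code can tamper with it. This plays the role of V8's
// %_TypedArrayGetLength intrinsic, which reads the internal length slot
// and cannot be shadowed from JavaScript.
const TypedArrayProto = Object.getPrototypeOf(Int32Array.prototype);
const realLength = Object.getOwnPropertyDescriptor(TypedArrayProto, 'length').get;

// Typed array whose user-visible `length` is shadowed, as the fuzzer
// testcase does with `get length() {}` (the getter returns undefined).
class ShadowedLengthArray extends Int32Array {
  get length() { return undefined; }
}

// Constructed cache of 16 slots holding sample values 1..16.
function makeCache() {
  const cache = new ShadowedLengthArray(16);
  for (let i = 0; i < 16; i++) cache[i] = i + 1;
  return cache;
}

// Vulnerable consumer: the refill check uses the overridable `.length`.
// `index >= undefined` is always false, so the index never wraps and
// out-of-bounds reads on the typed array yield `undefined`.
function nextValueVulnerable(cache, state) {
  if (state.index >= cache.length) state.index = 0; // never true here
  return cache[state.index++];
}

// Hardened consumer: the length comes from the captured internal getter,
// mirroring the switch to %_TypedArrayGetLength in the fix.
function nextValueHardened(cache, state) {
  if (state.index >= realLength.call(cache)) state.index = 0;
  return cache[state.index++];
}

// Pull `count` values through a fresh cache with the given consumer.
function drain(nextValue, count) {
  const cache = makeCache();
  const state = { index: 0 };
  const out = [];
  for (let i = 0; i < count; i++) out.push(nextValue(cache, state));
  return out;
}

// Stand-in for the RUNTIME_ASSERT in %_DoubleLo: count values that are
// not numbers. Any non-zero count is the condition that crashed d8.
function countNonNumbers(values) {
  return values.filter(v => typeof v !== 'number').length;
}

console.log('vulnerable non-numbers:', countNonNumbers(drain(nextValueVulnerable, 20)));
console.log('hardened non-numbers:', countNonNumbers(drain(nextValueHardened, 20)));
```

The example deliberately shadows `length` on a subclass rather than deleting it from %TypedArray%.prototype as the testcase does, so nothing outside the example is affected; the failure mode is the same. The general lesson for anyone writing self-hosted or sandboxed builtins is that a property reachable from user code is not an invariant, and bounds that guard memory reads must come from state the user cannot redefine.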
Project Member

Comment 7 by ClusterFuzz, Jun 2 2016

ClusterFuzz has detected this issue as fixed in range 36654:36655.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5205335090659328

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: RUNTIME_ASSERT
Crash Address: 
Crash State:
  args[0]->IsNumber() in src/runtime/runtime-maths.cc
  
Regressed: V8: r36527:36528
Fixed: V8: r36654:36655

Minimized Testcase (0.40 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96LiH2k-zFpB65no1EGCv2j14dTt4URj-a1HXecEyY-krcKeEOb6JUmsP1AZT0OjCL7rUqZqBZ5XyIVFd78bFLtbtIH73TFzqWslmlSNgXb0gvqJVkows-D1SCTCaQTtCJJcVHqcQA7_qyfnfiXyKj8Em9M4Q
(function() {
  class MyTypedArray extends Int32Array {
    get length() {
    }
  }
})();
(function() {
  class MyTypedArray extends Int32Array {
    constructor(length) {
    }
  }
})();
(function() {
})();
delete Int32Array.prototype.__proto__.length;
get = function() {
}
try {
} catch(e) {; }
try {
(function __f_4() {
})();
} catch(e) {; }
var __v_18 = new WeakMap;
var __v_19 = {};
__v_18.set(__v_19);


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
