New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 618788 link

Starred by 2 users
Status: Fixed
Owner:
adamk@chromium.org
Closed: Jun 2016
Cc:
tjbecker@google.com
cbruni@chromium.org
littledan@chromium.org
adamk@chromium.org
ishell@chromium.org
mstarzinger@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

!array->HasFixedTypedArrayElements() in runtime-array.cc

Project Member Reported by ClusterFuzz, Jun 9 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4938501288361984

Fuzzer: v8_builtins_generator
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !array->HasFixedTypedArrayElements() in runtime-array.cc
  

Minimized Testcase (0.32 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96armPFNkQYbhrsddI717bFyQIDATkQ2u-4KfzJyvS6Hz3RDT9VGHHoAVQAVSLdjH_jWeV5r853EqYZ-oOkpQ697jL-7aG5ELcYrJrGe7vEduDLynx9fbw43o5PHVtatdfGruRTT4HmYhvsIwTv0qT4VslpSg
try { var v2 = new Int32Array(); } catch (e) { var v2 = {}; }
try { var v14 = new Array(); } catch (e) { var v14 = {}; }
 v14[0x80000] = 1; 
try { var v15 = Reflect.setPrototypeOf(v14, v2); } catch (e) { var v15 = {}; }
 v14.__proto__.slice = Array.prototype.slice; 
try { var v52 = v14.slice(); } catch (e) { var v52 = {}; }


Filer: tjbecker

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by tjbecker@google.com, Jun 9 2016 

I've attached a more understandable test case.

It seems the issue is that the javascript array builtins will create result arrays using %ArraySpeciesConstructor. Then, in Object::ArraySpeciesConstructor, it will return the result of a property lookup for "constructor".
species_runtime_check.js
202 bytes View Download

Comment 2 by adamk@chromium.org, Jun 10 2016

Cc: cbruni@chromium.org littledan@chromium.org
Owner: adamk@chromium.org
Status: Started (was: Available)
Will investigate.
Project Member

Comment 3 by bugdroid1@chromium.org, Jun 14 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/56ea2f973133a26998f6ba2cc1fb35a0fa679835

commit 56ea2f973133a26998f6ba2cc1fb35a0fa679835
Author: adamk <adamk@chromium.org>
Date: Tue Jun 14 09:37:53 2016

Array.prototype.slice should only normalize result if it's an array

R=cbruni@chromium.org
BUG= chromium:618788 

Review-Url: https://codereview.chromium.org/2058013002
Cr-Commit-Position: refs/heads/master@{#36955}

[modify] https://crrev.com/56ea2f973133a26998f6ba2cc1fb35a0fa679835/src/js/array.js
[add] https://crrev.com/56ea2f973133a26998f6ba2cc1fb35a0fa679835/test/mjsunit/regress/regress-crbug-618788.js

Comment 4 by adamk@chromium.org, Jun 14 2016

Status: Fixed (was: Started)

Comment 5 by tjbecker@google.com, Jun 14 2016 

I don't think this is completely fixed yet. Array.splice() can still trigger the same runtime CHECK failure. See the attached test.
normalize_array.js
206 bytes View Download

Comment 6 by adamk@chromium.org, Jun 15 2016

Status: Assigned (was: Fixed)
Thanks for the test case, I'd meant to dig further into the other calls to %NormalizeElements but it somehow slipped my mind over the weekend.

Comment 7 by adamk@chromium.org, Jun 16 2016

Cc: adamk@chromium.org
 Issue 620244  has been merged into this issue.
Project Member

Comment 8 by bugdroid1@chromium.org, Jun 23 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7b011fc9db92da2802702ccfdd93b576e438ae04

commit 7b011fc9db92da2802702ccfdd93b576e438ae04
Author: adamk <adamk@chromium.org>
Date: Thu Jun 23 17:20:32 2016

Array splice should only normalize deleted_elements if it's an array

Also slightly expand regression test to end with a return instead of
an exception.

R=cbruni@chromium.org
BUG= chromium:618788 

Review-Url: https://codereview.chromium.org/2090193002
Cr-Commit-Position: refs/heads/master@{#37223}

[modify] https://crrev.com/7b011fc9db92da2802702ccfdd93b576e438ae04/src/js/array.js
[modify] https://crrev.com/7b011fc9db92da2802702ccfdd93b576e438ae04/test/mjsunit/regress/regress-crbug-618788.js

Comment 9 by adamk@chromium.org, Jun 23 2016

Status: Fixed (was: Assigned)
Okay, now this is really fixed.
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment