
Issue 620750

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Blocking:
issue 581412




Crash in v8::internal::Heap::AllocateHeapNumber

Project Member Reported by ClusterFuzz, Jun 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6648505599000576

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN WRITE
Crash Address: 0xbebebebe
Crash State:
  v8::internal::Heap::AllocateHeapNumber
  v8::internal::Factory::NewHeapNumber
  v8::internal::Factory::NewNumberFromUint
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=400026:400041

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96XEhzaeCZtpwNwEEP_OJuR3j0_A2GV1ys7DxKM-KB3C98PVrd7GCthZwC-lVkUbhGFcypRAN4ca2rCEwgyoADPgOXmfEcOqgYmID4P3Ey0ppUgA2xVyZNg3AMHEFbyGSNaAXwH9p2LApkIANYcgER3wf7-yg
// Minimized fuzzer output; run it under d8 with --expose-gc so that gc() is defined.
gc();
try {
  __v_2;  // undeclared: throws a ReferenceError that the catch below swallows
} catch (e) {}
__v_5 = {};
__v_4 = [];
__v_5 = {};
// 1073741823 is 2^30 - 1, the largest Smi on 32-bit V8; every value written past it
// has to be boxed as a HeapNumber, which is where the crash stack sits.
for (var __v_3 = 1073741823; __v_3 < 4294967295; __v_3++) __v_4[__v_3] = __v_3;


Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: jarin@chromium.org
Status: Assigned (was: Available)

Comment 2 by ClusterFuzz, Jun 16 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5279443283345408

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN WRITE
Crash Address: 0xbebebebe
Crash State:
  v8::internal::Heap::AllocateHeapNumber
  v8::internal::Factory::NewHeapNumber
  v8::internal::Runtime_AllocateHeapNumber
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=399917:399984

Minimized Testcase (1.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96QCP5SbcOrVz4OmCQXkol2-JXmH5fOoXSef7snh9u2Q8Dddr-yT1A90fWgs24_7-Au7vjhVRIXG_G5_vKYF1BmKcun62vmnN-knr8Lgn3pQSyIo5JAtt_esvivwzWK1nqIBWqJ3NDW5Nf_2EV2CO20P3sH-g

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 3 by ClusterFuzz, Jun 17 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6648505599000576

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN WRITE
Crash Address: 0xbebebebe
Crash State:
  v8::internal::Heap::AllocateHeapNumber
  v8::internal::Factory::NewHeapNumber
  v8::internal::Factory::NewNumberFromUint
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=400026:400041

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96XEhzaeCZtpwNwEEP_OJuR3j0_A2GV1ys7DxKM-KB3C98PVrd7GCthZwC-lVkUbhGFcypRAN4ca2rCEwgyoADPgOXmfEcOqgYmID4P3Ey0ppUgA2xVyZNg3AMHEFbyGSNaAXwH9p2LApkIANYcgER3wf7-yg
// Minimized fuzzer output; run it under d8 with --expose-gc so that gc() is defined.
gc();
try {
  __v_2;  // undeclared: throws a ReferenceError that the catch below swallows
} catch (e) {}
__v_5 = {};
__v_4 = [];
__v_5 = {};
// 1073741823 is 2^30 - 1, the largest Smi on 32-bit V8; every value written past it
// has to be boxed as a HeapNumber, which is where the crash stack sits.
for (var __v_3 = 1073741823; __v_3 < 4294967295; __v_3++) __v_4[__v_3] = __v_3;


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by jarin@chromium.org, Jun 17 2016

Cc: mlippautz@chromium.org
Status: Fixed (was: Assigned)
Fixed by:

commit 2263ee9bf4e5aa341cbac547add68a2105963477
Author: mlippautz <mlippautz@chromium.org>
Date:   Thu Jun 16 09:52:45 2016 -0700

    Revert of [heap] Add page evacuation mode for new->new (patchset #18 id:440001 of https://codereview.chromium.org/1957323003/ )
    
    Reason for revert:
    Fragmentation of LABs could result in increasing memory usage (pages) instead of shrinking.
    
    BUG= chromium:620320 
    LOG=N
    
    Original issue's description:
    > [heap] Add page evacuation mode for new->new
    >
    > Adds an evacuation mode that allows moving pages within new space without
    > copying objects.
    >
    > Basic idea:
    > a) Move page within new space
    > b) Sweep page to make iterable and process ArrayBuffers
    > c) Finish sweep till next scavenge
    >
    > Threshold is currently 70% live bytes, i.e., the same threshold we use
    > to determine fragmented pages.
    >
    > BUG=chromium:581412
    > LOG=N
    > CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_arm64_gc_stress_dbg,v8_linux_gc_stress_dbg,v8_mac_gc_stress_dbg,v8_linux64_tsan_rel,v8_mac64_asan_rel
    >
    > Committed: https://crrev.com/49b23201671b25092a3c22eb85783f39b95a5f87
    > Cr-Commit-Position: refs/heads/master@{#36990}
    
    TBR=ulan@chromium.org
    # Not skipping CQ checks because original CL landed more than 1 days ago.
    BUG=chromium:581412
    
    Review-Url: https://codereview.chromium.org/2063013005
    Cr-Commit-Position: refs/heads/master@{#37042}


Comment 5 by sheriffbot@chromium.org, Jun 17 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 6 by ClusterFuzz, Jun 17 2016

Labels: Merge-NA

Comment 7 by ClusterFuzz, Jun 17 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5279443283345408

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN WRITE
Crash Address: 0xbebebebe
Crash State:
  v8::internal::Heap::AllocateHeapNumber
  v8::internal::Factory::NewHeapNumber
  v8::internal::Runtime_AllocateHeapNumber
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=399917:399984

Minimized Testcase (1.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96QCP5SbcOrVz4OmCQXkol2-JXmH5fOoXSef7snh9u2Q8Dddr-yT1A90fWgs24_7-Au7vjhVRIXG_G5_vKYF1BmKcun62vmnN-knr8Lgn3pQSyIo5JAtt_esvivwzWK1nqIBWqJ3NDW5Nf_2EV2CO20P3sH-g?testcase_id=5279443283345408

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by jarin@chromium.org, Jun 22 2016

Owner: mlippautz@chromium.org
Status: Assigned (was: Fixed)
Bisects to:

commit 7d5969da3d2b1a9b08c6fc6517d69f8ca4aca94c
Author: mlippautz <mlippautz@chromium.org>
Date:   Mon Jun 20 06:19:25 2016 -0700

    Reland "[heap] Add page evacuation mode for new->new"
    
    Adds an evacuation mode that allows moving pages within new space without
    copying objects.
    
    Basic idea:
    a) Move page within new space
    b) Sweep page to make iterable and process ArrayBuffers
    c) Finish sweep till next scavenge
    
    Threshold is currently 70% live bytes, i.e., the same threshold we use
    to determine fragmented pages.
    
    This reverts commit 2263ee9bf4e5aa341cbac547add68a2105963477.
    
    BUG=chromium:581412
    LOG=N
    CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_arm64_gc_stress_dbg,v8_linux_gc_stress_dbg,v8_mac_gc_stress_dbg,v8_linux64_tsan_rel,v8_mac64_asan_rel
    
    Review-Url: https://codereview.chromium.org/2078863002
    Cr-Commit-Position: refs/heads/master@{#37104}


Comment 9 by ClusterFuzz, Jun 22 2016

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz
Cc: -mlippautz@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>GC
Labels: -OS-Windows OS-All
Status: Started (was: Fixed)

Comment 11 by bugdroid1@chromium.org, Jun 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/21b55c4aa5fd47da0ef3802c88f6da41690b7d1f

commit 21b55c4aa5fd47da0ef3802c88f6da41690b7d1f
Author: mlippautz <mlippautz@chromium.org>
Date: Wed Jun 22 09:07:30 2016

[heap] Fix check in AdvancePage

Failing to do the right check in AdvancePage results in a crash in a CHECK later
in EnsureCurrentCapacity.

BUG= chromium:620750 ,chromium:622115
LOG=N
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2090013002
Cr-Commit-Position: refs/heads/master@{#37171}

[modify] https://crrev.com/21b55c4aa5fd47da0ef3802c88f6da41690b7d1f/src/heap/spaces.h
[add] https://crrev.com/21b55c4aa5fd47da0ef3802c88f6da41690b7d1f/test/mjsunit/regress/regress-620750.js

Status: Fixed (was: Started)
Blocking: 581412
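Editor's note on the crash signature and the fix above, with an added example that is not V8 code and not part of this bug's record. The crash address in every ClusterFuzz report on this issue is 0xbebebebe. 0xbe is AddressSanitizer's default malloc_fill_byte: ASan fills the first bytes of every fresh allocation with it, so an UNKNOWN WRITE through a pointer made of 0xbe bytes means the allocator followed a pointer read from memory that nobody had initialised yet, rather than an attacker-shaped address. That matches the fix commit's description of a missing check in AdvancePage: the allocation path stepped to a "next page" that was not part of the committed space. The C model below is a hypothetical bump allocator over a list of pages, written for illustration; the names SemiSpace, Page, semispace_init, advance_page_unchecked, advance_page_checked and allocate are assumptions and do not correspond to V8's spaces.h. It simulates the ASan fill so the bad pointer carries the same fill pattern the reports show, and contrasts the unchecked page advance with one that refuses to leave the last committed page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a semispace built from a list of pages. Not V8's
 * code: the names and layout here are assumptions made for illustration. */
#define PAGE_BYTES 1024
#define MAX_PAGES 4
#define ASAN_FILL 0xbe  /* ASan's default malloc_fill_byte for fresh allocations */

typedef struct Page {
    struct Page *next;          /* link to the following page, if any */
    uint8_t *top;               /* bump pointer within data[] */
    uint8_t data[PAGE_BYTES];
} Page;

typedef struct {
    Page pages[MAX_PAGES];      /* backing storage; only `committed` are usable */
    size_t committed;           /* number of pages currently linked and usable */
    Page *current;              /* page that allocations are bumped from */
} SemiSpace;

/* Initialise the way a fresh ASan allocation looks: every byte starts as 0xbe.
 * The link out of the last committed page is deliberately never written; that
 * is the kind of stale field a missing bound check lets an allocator follow. */
static void semispace_init(SemiSpace *s, size_t committed) {
    memset(s, ASAN_FILL, sizeof *s);
    s->committed = committed;
    for (size_t i = 0; i < committed; i++) {
        s->pages[i].top = s->pages[i].data;
        if (i + 1 < committed) s->pages[i].next = &s->pages[i + 1];
    }
    s->current = &s->pages[0];
}

/* Buggy shape: steps to the next page without asking whether one exists. */
static Page *advance_page_unchecked(SemiSpace *s) {
    s->current = s->current->next;
    return s->current;
}

/* Fixed shape: refuse to leave the last committed page; the caller must grow
 * the space or collect garbage instead of allocating from whatever follows. */
static bool advance_page_checked(SemiSpace *s) {
    if (s->current == &s->pages[s->committed - 1]) return false;
    s->current = s->current->next;
    return true;
}

/* Bump-allocate `size` bytes, moving to the next page when the current one is
 * full; NULL means the committed pages are exhausted. */
static void *allocate(SemiSpace *s, size_t size) {
    for (;;) {
        Page *p = s->current;
        size_t room = (size_t)((p->data + PAGE_BYTES) - p->top);
        if (room >= size) {
            void *obj = p->top;
            p->top += size;
            return obj;
        }
        if (!advance_page_checked(s)) return NULL;
    }
}

/* True when every byte of the pointer value is ASan's fill byte, i.e. the
 * pointer was read from memory nobody initialised (0xbebebebe on 32-bit). */
static bool pointer_is_asan_fill(const void *p) {
    unsigned char bytes[sizeof p];
    memcpy(bytes, &p, sizeof p);
    for (size_t i = 0; i < sizeof p; i++)
        if (bytes[i] != ASAN_FILL) return false;
    return true;
}

/* Two committed pages of 1024 bytes and 64-byte objects: the checked allocator
 * hands out exactly 32 objects and then reports exhaustion instead of wandering. */
static size_t checked_allocation_count(void) {
    SemiSpace s;
    semispace_init(&s, 2);
    size_t n = 0;
    while (allocate(&s, 64) != NULL) n++;
    return n;
}

/* Same space, but advancing twice without the check lands on the never-written
 * link out of page 1: a pointer made entirely of 0xbe bytes, never dereferenced here. */
static bool unchecked_advance_yields_fill_pointer(void) {
    SemiSpace s;
    semispace_init(&s, 2);
    advance_page_unchecked(&s);            /* page 0 -> page 1, still valid */
    Page *p = advance_page_unchecked(&s);  /* page 1 -> uninitialised link */
    return pointer_is_asan_fill(p);
}

int main(void) {
    printf("checked allocator: %zu objects before exhaustion\n",
           checked_allocation_count());
    printf("unchecked advance produced a fill-pattern pointer: %s\n",
           unchecked_advance_yields_fill_pointer() ? "yes" : "no");
    return 0;
}
```

The triage point the model makes: a crash address of 0xbebebebe under ASan is a pointer of fill bytes, not an address the test case chose, so the first question is which field was read before it was written and which check should have stopped the read. The model does not reproduce the V8 bug; the real AdvancePage check and the CHECK in EnsureCurrentCapacity that the fix commit mentions live in V8's src/heap/spaces.h, and the regression test for this issue is test/mjsunit/regress/regress-620750.js.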

Comment 14 by sheriffbot@chromium.org, Sep 28 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 15 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Comment 18 by sheriffbot@chromium.org, Jul 28

Labels: Pri-1
