Crash in v8::internal::LocalArrayBufferTracker::Free<1>
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6483509057421312

Fuzzer: v8_builtins_generator
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x15c88344
Crash State:
  v8::internal::LocalArrayBufferTracker::Free<1>
  v8::internal::ArrayBufferTracker::FreeAll
  v8::internal::PagedSpace::TearDown

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=403457:403667

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv940IQyOKx8G9HvHN6wExn7ihDgFjwqzedRgA_SEEEh6F_5VEvrvK__KXpiOZkUVWg25XkU6yNPjlFuF9ABJH7c6SbXI93eCN_kIGBQ6E2Ah5-G_BCySawKS_GSp5zqIyACpefGwn8MVdCj3aFRL_ll7Xl9_cg?testcase_id=6483509057421312

  // 0x40000000 bytes: one past the largest Smi on a 32-bit build, so the
  // byte length is boxed as a HeapNumber instead of being stored inline.
  v3 = Math.floor(0xFFFFFFFF / 4) + 1;
  // Getter that allocates a large string whenever index 1 is read, so a
  // garbage collection can be triggered from inside the Intl constructor.
  Object.prototype.__defineGetter__(1, function() {
    this[1] = Array(0x8000).join();
  })
  v38 = new ArrayBuffer(v3);
  try {
    v41 = new Intl.DateTimeFormat();
  } catch (e) {
  }

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by infe...@chromium.org, Jul 5 2016
Seems like an array buffer tracker related issue.
Jul 5 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/ddc75cc1356a58b6cfd63f9da0586e1150496b3d

commit ddc75cc1356a58b6cfd63f9da0586e1150496b3d
Author: mlippautz <mlippautz@chromium.org>
Date: Tue Jul 05 13:14:34 2016

[heap] Track length for array buffers to avoid free-ing dependency

The dependency would only happen if we have a smi overflow for the length and have created a heap number. In this case the heap number would have to survive until the array buffer is collected.

To avoid this dependency we track the length (as we previously used to).

BUG=chromium:625748, chromium:625752
LOG=N
TEST=test/mjsunit/regress/regress-625752.js
R=hpayer@chromium.org

Review-Url: https://codereview.chromium.org/2122603004
Cr-Commit-Position: refs/heads/master@{#37530}

[modify] https://crrev.com/ddc75cc1356a58b6cfd63f9da0586e1150496b3d/src/heap/array-buffer-tracker-inl.h
[modify] https://crrev.com/ddc75cc1356a58b6cfd63f9da0586e1150496b3d/src/heap/array-buffer-tracker.cc
[modify] https://crrev.com/ddc75cc1356a58b6cfd63f9da0586e1150496b3d/src/heap/array-buffer-tracker.h
[add] https://crrev.com/ddc75cc1356a58b6cfd63f9da0586e1150496b3d/test/mjsunit/regress/regress-625752.js
Jul 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/1791d7bb9ad26d8096bc5e2ed2216ea8b8dcc3cd

commit 1791d7bb9ad26d8096bc5e2ed2216ea8b8dcc3cd
Author: machenbach <machenbach@chromium.org>
Date: Tue Jul 05 14:40:59 2016

Revert of [heap] Track length for array buffers to avoid free-ing dependency (patchset #2 id:20001 of https://codereview.chromium.org/2122603004/ )

Reason for revert:
[Sheriff] This makes mjsunit/regress/regress-625752 extremely slow on all gc stress bots and leads to timeouts with custom snapshot:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/6602

Original issue's description:
> [heap] Track length for array buffers to avoid free-ing dependency
>
> The dependency would only happen if we have a smi overflow for the length and
> have created a heap number. In this case the heap number would have to survive
> until the array buffer is collected.
>
> To avoid this dependency we track the length (as we previously used to).
>
> BUG=chromium:625748, chromium:625752
> LOG=N
> TEST=test/mjsunit/regress/regress-625752.js
> R=hpayer@chromium.org
>
> Committed: https://crrev.com/ddc75cc1356a58b6cfd63f9da0586e1150496b3d
> Cr-Commit-Position: refs/heads/master@{#37530}

TBR=hpayer@chromium.org,mlippautz@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:625748, chromium:625752

Review-Url: https://codereview.chromium.org/2127483003
Cr-Commit-Position: refs/heads/master@{#37533}

[modify] https://crrev.com/1791d7bb9ad26d8096bc5e2ed2216ea8b8dcc3cd/src/heap/array-buffer-tracker-inl.h
[modify] https://crrev.com/1791d7bb9ad26d8096bc5e2ed2216ea8b8dcc3cd/src/heap/array-buffer-tracker.cc
[modify] https://crrev.com/1791d7bb9ad26d8096bc5e2ed2216ea8b8dcc3cd/src/heap/array-buffer-tracker.h
[delete] https://crrev.com/446232f16b85504410d48dfadfab95da939bad92/test/mjsunit/regress/regress-625752.js
Jul 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe

commit da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe
Author: mlippautz <mlippautz@chromium.org>
Date: Tue Jul 05 16:31:40 2016

Reland "[heap] Track length for array buffers to avoid free-ing dependency"

The dependency would only happen if we have a smi overflow for the length and have created a heap number. In this case the heap number would have to survive until the array buffer is collected.

To avoid this dependency we track the length (as we previously used to).

BUG=chromium:625752
LOG=N
TEST=test/mjsunit/regress/regress-625752.js
R=hpayer@chromium.org

This reverts commit 1791d7bb9ad26d8096bc5e2ed2216ea8b8dcc3cd.

Review-Url: https://codereview.chromium.org/2127643002
Cr-Commit-Position: refs/heads/master@{#37537}

[modify] https://crrev.com/da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe/src/heap/array-buffer-tracker-inl.h
[modify] https://crrev.com/da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe/src/heap/array-buffer-tracker.cc
[modify] https://crrev.com/da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe/src/heap/array-buffer-tracker.h
[modify] https://crrev.com/da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe/test/mjsunit/mjsunit.status
[add] https://crrev.com/da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe/test/mjsunit/regress/regress-625752.js
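The lifetime dependency that the commit message above (and its first landing earlier in the thread) describes is easier to see in a reduced model. The following is an added example, not V8 code and not part of this bug report: a buffer whose byte length is either an inline Smi or a pointer to a separately allocated HeapNumber, and a tracker that must know that length when it releases the backing store. The fixed-size arena, the poison value written by the sweep, and all type and function names are assumptions of the model, chosen only to make the failure observable without undefined behaviour.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Added example (not V8 code). Models the tracker/HeapNumber dependency from
// the fix commit; arena, poison value and names are assumptions of the model.

constexpr int32_t kSmiMax = (1 << 30) - 1;    // largest Smi on a 32-bit build
constexpr double kFreedPoison = 0xDEADBEEF;   // value a swept cell reads as
constexpr size_t kArenaCells = 8;

struct HeapNumber {
  double value;
  bool live;
};

HeapNumber g_arena[kArenaCells];  // tiny stand-in for the JS heap

HeapNumber* AllocateHeapNumber(double value) {
  for (HeapNumber& cell : g_arena) {
    if (!cell.live) {
      cell.value = value;
      cell.live = true;
      return &cell;
    }
  }
  return nullptr;  // arena exhausted; not reached in the scenarios below
}

// The collector found the number unreachable: its memory is reused. Writing
// a poison value here stands in for whatever the next allocation puts there.
void SweepHeapNumber(HeapNumber* number) {
  number->live = false;
  number->value = kFreedPoison;
}

// Byte length of a buffer: inline Smi, or a boxed HeapNumber on overflow.
struct Length {
  bool is_smi;
  int32_t smi;
  HeapNumber* boxed;
};

Length MakeLength(uint32_t byte_length) {
  Length l{};
  if (byte_length <= static_cast<uint32_t>(kSmiMax)) {
    l.is_smi = true;
    l.smi = static_cast<int32_t>(byte_length);
  } else {
    l.is_smi = false;
    l.boxed = AllocateHeapNumber(static_cast<double>(byte_length));
  }
  return l;
}

double ReadLength(const Length& l) {
  return l.is_smi ? static_cast<double>(l.smi) : l.boxed->value;
}

struct JSArrayBuffer {
  Length length;
};

// Before the fix: the tracker remembers only the buffer and re-reads the
// length when the backing store is freed, so the boxed number must still
// be alive at that point.
struct TrackerEntryBeforeFix {
  JSArrayBuffer* buffer;
};

double FreeLengthBeforeFix(const TrackerEntryBeforeFix& entry) {
  return ReadLength(entry.buffer->length);
}

// After the fix: the length is snapshotted when the buffer is registered,
// so the tracker no longer depends on the HeapNumber outliving the buffer.
struct TrackerEntryAfterFix {
  JSArrayBuffer* buffer;
  size_t length;
};

TrackerEntryAfterFix Track(JSArrayBuffer* buffer) {
  return TrackerEntryAfterFix{
      buffer, static_cast<size_t>(ReadLength(buffer->length))};
}

size_t FreeLengthAfterFix(const TrackerEntryAfterFix& entry) {
  return entry.length;
}

// Scenario matching the testcase: 0x40000000 bytes overflows the Smi range,
// the boxed number is swept, and only afterwards does the tracker free the
// backing store (the crash stack shows that free in ArrayBufferTracker::FreeAll
// during PagedSpace::TearDown).
double ScenarioBeforeFix() {
  JSArrayBuffer buffer{MakeLength(0x40000000u)};
  TrackerEntryBeforeFix entry{&buffer};
  SweepHeapNumber(buffer.length.boxed);
  return FreeLengthBeforeFix(entry);  // reads the swept cell
}

size_t ScenarioAfterFix() {
  JSArrayBuffer buffer{MakeLength(0x40000000u)};
  TrackerEntryAfterFix entry = Track(&buffer);
  SweepHeapNumber(buffer.length.boxed);
  return FreeLengthAfterFix(entry);  // length survived independently
}

int main() {
  std::printf("before fix: length at free time = %.0f\n", ScenarioBeforeFix());
  std::printf("after fix:  length at free time = %zu\n", ScenarioAfterFix());
  return 0;
}
```

In the real engine the swept cell is not poisoned but reused, which is why ClusterFuzz reports the symptom as an UNKNOWN READ at an arbitrary address rather than a deterministic wrong length; the design point is the same either way, and it is the reason the reland tracks the length in the tracker entry instead of following a pointer back into the heap at free time.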
Jul 7 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6483509057421312

Fuzzer: v8_builtins_generator
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x15c88344
Crash State:
  v8::internal::LocalArrayBufferTracker::Free<1>
  v8::internal::ArrayBufferTracker::FreeAll
  v8::internal::PagedSpace::TearDown

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=403457:403667

Minimized Testcase (0.21 Kb): same download link and testcase as in the issue description above.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 12 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot