
Issue 625752

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Crash in v8::internal::LocalArrayBufferTracker::Free<1>

Project Member Reported by ClusterFuzz, Jul 5 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6483509057421312

Fuzzer: v8_builtins_generator
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x15c88344
Crash State:
  v8::internal::LocalArrayBufferTracker::Free<1>
  v8::internal::ArrayBufferTracker::FreeAll
  v8::internal::PagedSpace::TearDown
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=403457:403667

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv940IQyOKx8G9HvHN6wExn7ihDgFjwqzedRgA_SEEEh6F_5VEvrvK__KXpiOZkUVWg25XkU6yNPjlFuF9ABJH7c6SbXI93eCN_kIGBQ6E2Ah5-G_BCySawKS_GSp5zqIyACpefGwn8MVdCj3aFRL_ll7Xl9_cg?testcase_id=6483509057421312
v3 = Math.floor(0xFFFFFFFF / 4) + 1;
Object.prototype.__defineGetter__(1, function() {
  this[1] = Array(0x8000).join();
})
v38 = new ArrayBuffer(v3);
try { v41 = new Intl.DateTimeFormat(); } catch (e) {  }


Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: tjbecker@google.com mbarbe...@chromium.org
Cc: hpayer@chromium.org u...@chromium.org
Owner: mlippautz@chromium.org
Status: Assigned (was: Available)
Seems like an array buffer tracker related issue.
Components: -Blink>JavaScript Blink>JavaScript>GC
Labels: -OS-Windows OS-All
Status: Started (was: Assigned)

Comment 4 by sheriffbot@chromium.org (Project Member), Jul 5 2016

Labels: M-53

Comment 5 by sheriffbot@chromium.org (Project Member), Jul 5 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by sheriffbot@chromium.org (Project Member), Jul 5 2016

Labels: Pri-1

Comment 7 by bugdroid1@chromium.org (Project Member), Jul 5 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ddc75cc1356a58b6cfd63f9da0586e1150496b3d

commit ddc75cc1356a58b6cfd63f9da0586e1150496b3d
Author: mlippautz <mlippautz@chromium.org>
Date: Tue Jul 05 13:14:34 2016

[heap] Track length for array buffers to avoid free-ing dependency

The dependency would only happen if we have a smi overflow for the length and
have created a heap number. In this case the heap number would have to survive
until the array buffer is collected.

To avoid this dependency we track the length (as we previously used to).

BUG= chromium:625748 , chromium:625752 
LOG=N
TEST=test/mjsunit/regress/regress-625752.js
R=hpayer@chromium.org

Review-Url: https://codereview.chromium.org/2122603004
Cr-Commit-Position: refs/heads/master@{#37530}

[modify] https://crrev.com/ddc75cc1356a58b6cfd63f9da0586e1150496b3d/src/heap/array-buffer-tracker-inl.h
[modify] https://crrev.com/ddc75cc1356a58b6cfd63f9da0586e1150496b3d/src/heap/array-buffer-tracker.cc
[modify] https://crrev.com/ddc75cc1356a58b6cfd63f9da0586e1150496b3d/src/heap/array-buffer-tracker.h
[add] https://crrev.com/ddc75cc1356a58b6cfd63f9da0586e1150496b3d/test/mjsunit/regress/regress-625752.js

Status: Fixed (was: Started)

Comment 9 by bugdroid1@chromium.org (Project Member), Jul 5 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/1791d7bb9ad26d8096bc5e2ed2216ea8b8dcc3cd

commit 1791d7bb9ad26d8096bc5e2ed2216ea8b8dcc3cd
Author: machenbach <machenbach@chromium.org>
Date: Tue Jul 05 14:40:59 2016

Revert of [heap] Track length for array buffers to avoid free-ing dependency (patchset #2 id:20001 of https://codereview.chromium.org/2122603004/ )

Reason for revert:
[Sheriff] This makes mjsunit/regress/regress-625752 extremely slow on all gc stress bots and leads to timeouts with custom snapshot:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/6602

Original issue's description:
> [heap] Track length for array buffers to avoid free-ing dependency
>
> The dependency would only happen if we have a smi overflow for the length and
> have created a heap number. In this case the heap number would have to survive
> until the array buffer is collected.
>
> To avoid this dependency we track the length (as we previously used to).
>
> BUG= chromium:625748 , chromium:625752 
> LOG=N
> TEST=test/mjsunit/regress/regress-625752.js
> R=hpayer@chromium.org
>
> Committed: https://crrev.com/ddc75cc1356a58b6cfd63f9da0586e1150496b3d
> Cr-Commit-Position: refs/heads/master@{#37530}

TBR=hpayer@chromium.org,mlippautz@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= chromium:625748 , chromium:625752 

Review-Url: https://codereview.chromium.org/2127483003
Cr-Commit-Position: refs/heads/master@{#37533}

[modify] https://crrev.com/1791d7bb9ad26d8096bc5e2ed2216ea8b8dcc3cd/src/heap/array-buffer-tracker-inl.h
[modify] https://crrev.com/1791d7bb9ad26d8096bc5e2ed2216ea8b8dcc3cd/src/heap/array-buffer-tracker.cc
[modify] https://crrev.com/1791d7bb9ad26d8096bc5e2ed2216ea8b8dcc3cd/src/heap/array-buffer-tracker.h
[delete] https://crrev.com/446232f16b85504410d48dfadfab95da939bad92/test/mjsunit/regress/regress-625752.js


Comment 10 by bugdroid1@chromium.org (Project Member), Jul 5 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe

commit da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe
Author: mlippautz <mlippautz@chromium.org>
Date: Tue Jul 05 16:31:40 2016

Reland "[heap] Track length for array buffers to avoid free-ing dependency"

The dependency would only happen if we have a smi overflow for the length and
have created a heap number. In this case the heap number would have to survive
until the array buffer is collected.

To avoid this dependency we track the length (as we previously used to).

BUG= chromium:625752 
LOG=N
TEST=test/mjsunit/regress/regress-625752.js
R=hpayer@chromium.org

This reverts commit 1791d7bb9ad26d8096bc5e2ed2216ea8b8dcc3cd.

Review-Url: https://codereview.chromium.org/2127643002
Cr-Commit-Position: refs/heads/master@{#37537}

[modify] https://crrev.com/da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe/src/heap/array-buffer-tracker-inl.h
[modify] https://crrev.com/da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe/src/heap/array-buffer-tracker.cc
[modify] https://crrev.com/da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe/src/heap/array-buffer-tracker.h
[modify] https://crrev.com/da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe/test/mjsunit/mjsunit.status
[add] https://crrev.com/da3745d8d9a40e6abd6449e9bdeb38df19b2c6fe/test/mjsunit/regress/regress-625752.js
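The commit messages in comments 7 and 10 describe the design point behind the fix: the tracker needs each backing store's length when it frees the stores during page teardown, and if that length is only available by reading it back from the JSArrayBuffer (or, for a length above the Smi range, from a separately allocated HeapNumber), teardown silently depends on those heap objects still being alive. The model below is an added illustration, not V8's code: the type names follow the crash stack, but the layouts, the placeholder 16-byte backing store, the `kSmiMaxValue` constant and the `RunTearDownScenario` driver are all assumptions. It shows the shape the reland restores, where the tracker copies `(data, length)` at registration and never touches the JS object again.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <unordered_map>
#include <utility>
#include <vector>

// Model only: these are not V8's types. Names mirror the crash stack so the
// design can be followed, but layouts and APIs are assumptions.

// A 32-bit V8 Smi holds 31 bits, so a length of 2^30 (the testcase's
// Math.floor(0xFFFFFFFF / 4) + 1) does not fit and V8 boxes it in a
// separately allocated HeapNumber. Assumed constant for this model.
constexpr size_t kSmiMaxValue = (size_t{1} << 30) - 1;

// The JS-visible object. Its length is either stored inline (Smi) or lives
// in a separate heap allocation that the GC may reclaim before the page is
// torn down; that second case is the dependency the commit removes.
struct JSArrayBuffer {
  void* backing_store;
  size_t smi_length = 0;                 // used when the length is a Smi
  std::unique_ptr<size_t> boxed_length;  // used when length > kSmiMaxValue

  explicit JSArrayBuffer(size_t length)
      : backing_store(std::malloc(16)) {  // placeholder store: the logical
                                          // length is accounting only here
    if (length > kSmiMaxValue) boxed_length = std::make_unique<size_t>(length);
    else smi_length = length;
  }
  // Collecting the JS object does not free the backing store; that is the
  // tracker's job, which is exactly why the tracker must not need the object.
};

class LocalArrayBufferTracker {
 public:
  // Registration records (data, length) at the one moment both are certainly
  // readable, so FreeAll never reads the JSArrayBuffer or its length box.
  void Add(JSArrayBuffer* buffer, size_t length) {
    tracked_.emplace(buffer, std::make_pair(buffer->backing_store, length));
  }

  // Called from PagedSpace::TearDown in the crash stack. Frees every tracked
  // store using only the tracker's own copy of the length and credits the
  // bytes back to the isolate's external-memory counter. Returns bytes freed.
  size_t FreeAll(int64_t* external_memory) {
    size_t freed = 0;
    for (auto& entry : tracked_) {
      std::free(entry.second.first);
      freed += entry.second.second;
      *external_memory -= static_cast<int64_t>(entry.second.second);
    }
    tracked_.clear();
    return freed;
  }

  size_t tracked_count() const { return tracked_.size(); }

 private:
  // The key is an identity only; it is never dereferenced after Add.
  std::unordered_map<JSArrayBuffer*, std::pair<void*, size_t>> tracked_;
};

struct TearDownResult {
  size_t freed_bytes;
  int64_t external_memory_after;
  size_t tracked_after;
};

// Reproduces the ordering from the report: buffers are registered, the GC
// reclaims the JS objects (including the HeapNumber holding the big length),
// and only then does the page tear down and free the backing stores.
TearDownResult RunTearDownScenario() {
  LocalArrayBufferTracker tracker;
  int64_t external_memory = 0;
  const size_t lengths[] = {1024, kSmiMaxValue + 1};  // second one is boxed

  std::vector<std::unique_ptr<JSArrayBuffer>> live;
  for (size_t length : lengths) {
    live.push_back(std::make_unique<JSArrayBuffer>(length));
    tracker.Add(live.back().get(), length);
    external_memory += static_cast<int64_t>(length);
  }

  live.clear();  // GC: the JS objects and the boxed length are gone

  size_t freed = tracker.FreeAll(&external_memory);
  return {freed, external_memory, tracker.tracked_count()};
}

int main() {
  TearDownResult r = RunTearDownScenario();
  std::printf("freed %zu bytes, external memory now %lld, tracked %zu\n",
              r.freed_bytes, static_cast<long long>(r.external_memory_after),
              r.tracked_after);
  return 0;
}
```

The property worth checking is that the accounting balances to zero after teardown even though the only copy of the 2^30 length outside the tracker was destroyed before FreeAll ran; the detection angle from the report is the same stack (Free, FreeAll, TearDown) appearing under ASan on a 32-bit build with a buffer length at or above the Smi limit.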


Comment 11 by sheriffbot@chromium.org (Project Member), Jul 6 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 12 by ClusterFuzz (Project Member), Jul 7 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 13 by sheriffbot@chromium.org (Project Member), Oct 12 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 by sheriffbot@chromium.org (Project Member), Jul 28

Labels: Pri-1
