Issue 625826


Issue metadata

Status: Duplicate
Merged: issue 625752
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


number->IsHeapNumber() in conversions-inl.h

Project Member Reported by ClusterFuzz, Jul 5 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5097450549542912

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  number->IsHeapNumber() in conversions-inl.h
  

Minimized Testcase (10.59 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Znuey2QJ7qDmVioyC1h4R69suCsH_x25SlZj71vDkzJ0wzDsdpz34YQD_UGV6Sx-lNcCDQGpOER9kkdkBj8dT26iGx5XwnmcGwXItDEw1rBkkMSiURQ-4FXeqaLcDSVUdkbfqDReJYV1YPdg23aPkRwF0ZA?testcase_id=5097450549542912

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
This reproduces on tip of tree as follows ...

$ ~/Development/v8.git/out/arm.debug/d8 --expose-gc --expose_natives_as natives --ignition ~/Downloads/fuzz-00751.js

It seems we have a stale pointer into zapped memory ...

(gdb) bt
#0  v8::base::OS::Abort () at ../src/base/platform/platform-posix.cc:240
#1  0x099820fe in V8_Fatal (file=0x9c7becf <.L.str.877> ".././src/conversions-inl.h", line=148, format=0x9c73d04 <.L.str.9> "Check failed: %s.") at ../src/base/logging.cc:116
#2  0x089bb135 in v8::internal::TryNumberToSize (isolate=0x9de2fc8, number=0x201c8ec9, result=0xffffbc88) at .././src/conversions-inl.h:148
#3  0x0899d77c in v8::internal::NumberToSize (isolate=0x9de2fc8, number=0x201c8ec9) at .././src/conversions-inl.h:162
#4  0x09764626 in v8::internal::LocalArrayBufferTracker::Process<v8::internal::ArrayBufferTracker::ProcessBuffers(v8::internal::Page*, v8::internal::ArrayBufferTracker::ProcessingMode)::$_0>(v8::internal::ArrayBufferTracker::ProcessBuffers(v8::internal::Page*, v8::internal::ArrayBufferTracker::ProcessingMode)::$_0) (this=0xa160698, callback=...) at ../src/heap/array-buffer-tracker.cc:64
#5  0x09763cb7 in v8::internal::ArrayBufferTracker::ProcessBuffers (page=0x21d00000, mode=v8::internal::ArrayBufferTracker::kUpdateForwardedRemoveOthers) at ../src/heap/array-buffer-tracker.cc:114
#6  0x08f91aba in v8::internal::MarkCompactCollector::Evacuator::EvacuatePage (this=0xa156770, page=0x21d00000) at ../src/heap/mark-compact.cc:3190
#7  0x08f915ea in v8::internal::EvacuationJobTraits::ProcessPageInParallel (heap=0x9de2fd8, evacuator=0xa156770, chunk=0x21d00000) at ../src/heap/mark-compact.cc:3272
#8  0x08f9144d in v8::internal::PageParallelJob<v8::internal::EvacuationJobTraits>::Task::RunInternal (this=0xa16c0e0) at .././src/heap/page-parallel-job.h:160
#9  0x08f0200b in v8::internal::CancelableTask::Run (this=0xa16c0e0) at .././src/cancelable-task.h:130
#10 0x08f71360 in v8::internal::PageParallelJob<v8::internal::EvacuationJobTraits>::Run<v8::internal::MarkCompactCollector::EvacuatePagesInParallel()::$_5>(int, v8::internal::MarkCompactCollector::EvacuatePagesInParallel()::$_5) (this=0xffffc1c0, num_tasks=4, per_task_data_callback=...) at .././src/heap/page-parallel-job.h:102
#11 0x08f70ab7 in v8::internal::MarkCompactCollector::EvacuatePagesInParallel (this=0x9e07b70) at ../src/heap/mark-compact.cc:3349
#12 0x08f64b10 in v8::internal::MarkCompactCollector::EvacuateNewSpaceAndCandidates (this=0x9e07b70) at ../src/heap/mark-compact.cc:3586
#13 0x08f623cf in v8::internal::MarkCompactCollector::CollectGarbage (this=0x9e07b70) at ../src/heap/mark-compact.cc:349
#14 0x08f11d99 in v8::internal::Heap::MarkCompact (this=0x9de2fd8) at ../src/heap/heap.cc:1425
#15 0x08f10234 in v8::internal::Heap::PerformGarbageCollection (this=0x9de2fd8, collector=v8::internal::MARK_COMPACTOR, gc_callback_flags=v8::kGCCallbackFlagCollectAllAvailableGarbage) at ../src/heap/heap.cc:1302
#16 0x08f0f40f in v8::internal::Heap::CollectGarbage (this=0x9de2fd8, collector=v8::internal::MARK_COMPACTOR, gc_reason=0x9c7a0ce <.L.str.349> "low memory notification", collector_reason=0x0, gc_callback_flags=v8::kGCCallbackFlagCollectAllAvailableGarbage) at ../src/heap/heap.cc:1008
#17 0x08f0ef21 in v8::internal::Heap::CollectAllAvailableGarbage (this=0x9de2fd8, gc_reason=0x9c7a0ce <.L.str.349> "low memory notification") at ../src/heap/heap.cc:899
#18 0x089a5f96 in v8::Isolate::LowMemoryNotification (this=0x9de2fc8) at ../src/api.cc:7779
#19 0x0891bc18 in v8::Shell::CollectGarbage (isolate=0x9de2fc8) at ../src/d8.cc:2081
#20 0x0891ed73 in v8::Shell::RunMain (isolate=0x9de2fc8, argc=13, argv=0xffffcb24, last_run=true) at ../src/d8.cc:2055
#21 0x0892008e in v8::Shell::Main (argc=13, argv=0xffffcb24) at ../src/d8.cc:2516
#22 0x08927b83 in main (argc=13, argv=0xffffcb24) at ../src/d8.cc:2561

(gdb) f 2
(gdb) p number
$1 = (v8::internal::Object *) 0x201c8ec9
(gdb) x/12x 0x201c8ec8
0x201c8ec8:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0x201c8ed8:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0x201c8ee8:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc

Owner: mlippautz@chromium.org
Status: Assigned (was: Available)

Hey Michael, I was told you might be interested?

Mergedinto: 625752
Status: Duplicate (was: Assigned)

I am psyched! :)

Comment 4 by ClusterFuzz (Project Member), Jul 6 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5097450549542912

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  number->IsHeapNumber() in conversions-inl.h
  
Regressed: V8: r37501:37502

Minimized Testcase (10.59 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Znuey2QJ7qDmVioyC1h4R69suCsH_x25SlZj71vDkzJ0wzDsdpz34YQD_UGV6Sx-lNcCDQGpOER9kkdkBj8dT26iGx5XwnmcGwXItDEw1rBkkMSiURQ-4FXeqaLcDSVUdkbfqDReJYV1YPdg23aPkRwF0ZA?testcase_id=5097450549542912

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 6 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot