New issue
Advanced search Search tips

Issue 627449 link

Starred by 1 user
Status: Duplicate
Merged: issue 631050
Owner:
mlippautz@chromium.org
Closed: Jul 2016
Cc:
mvstan...@chromium.org
ishell@chromium.org
mstarzinger@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security



Sign in to add a comment

Crash in v8::internal::JSObject::UpdateAllocationSite

Project Member Reported by ClusterFuzz, Jul 12 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5657306247462912

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x2570b724
Crash State:
  v8::internal::JSObject::UpdateAllocationSite
  v8::internal::JSObject::TransitionElementsKind
  v8::internal::LookupIterator::PrepareForDataProperty
  
Recommended Security Severity: Low

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=403853:403869

Minimized Testcase (17.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Jo4cSyGMj7pKpe6lT8li8EilJDv-U9HVMSEQOwDvCc1GsC7yyROGnUhXe4bKH7Tcmuru2nTpFDwQvaesMvioOEGOvO5ZzcjEI-0kMbNE6y9E3302i3bxPrdpn_nwk-WBs3KNH1fpGN2AGEl6fPZ_HNzUwNxMjdLEnv7ARimQmYGv2HG4?testcase_id=5657306247462912

Additional requirements: Requires Gestures

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mmoroz@chromium.org, Jul 12 2016

Owner: mvstan...@chromium.org
Looks similar to  bug 284577 . Not sure how actual this one is because of interaction gestures.

Comment 2 by mmoroz@chromium.org, Jul 12 2016

Labels: Pri-3
Project Member

Comment 3 by sheriffbot@chromium.org, Jul 12 2016

Labels: -Pri-3 Pri-2
Project Member

Comment 4 by sheriffbot@chromium.org, Jul 12 2016

Status: Assigned (was: Available)

Comment 5 by mvstan...@chromium.org, Jul 26 2016

Cc: mvstan...@chromium.org
Labels: -ClusterFuzz Clusterfuzz
Owner: mlippautz@chromium.org
Hi Michael,
This issue bisects cleanly to your CL:

Reland "[heap] Add page evacuation mode for new->new"

Adds an evacuation mode that allows moving pages within new space without
    copying objects.
https://codereview.chromium.org/2078863002


It looks like there must be a way to add an allocation memento that points to a dead AllocationSite. I remember we had an issue once that we didn't scan new space until sweeping old space...and during that sweep we might have discarded allocation sites. I believe this is why we introduced the "zombie" state to the AllocationSite.

Could it be a similar problem going on for this new work?

Comment 6 by mlippautz@chromium.org, Jul 27 2016

Mergedinto: 631050
Status: Duplicate (was: Assigned)
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 4 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment