args[1]->IsString() in runtime-strings.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4776177801887744
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: args[1]->IsString() in runtime-strings.cc
Minimized Testcase (7.81 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97i5piEOWqyLEYooA7tZFOrgzbkDYwZxtmvFiDAonxa9poYDjJgaM4Xnd4mTF1JtkWtkW4yNsTIQLz3FGJoqFZpJz69rzo9j9LE8hkBPUrnoiblnuHHIKxqaNw2tuy39xBfKh2SWtvghHq5AyY1NPYfuYUXsg?testcase_id=4776177801887744
Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 14 2016
Simplified repro ...
var x = Array(100000);
function f(a) {
  var sum = 0;
  var outer = 100;
  while (outer > 0) {
    var inner = 100000;
    while (inner > 0) {
      sum += x;
      inner--;
    }
    outer--;
  }
  return a[x];
}
f(1);
Jul 14 2016
This is the Hydrogen StringAddStub failing (via a deopt) and then delegating to the Runtime_StringAdd method, which assumes both inputs have already been converted. But the stub failure passes original arguments. The following is an even simpler repro ...
function f() {
  var x = Array(100000);
  var sum = 0;
  var inner = 100000;
  while (inner > 0) {
    sum += x;
    inner--;
  }
}
f();
And this is the stub failure in question ...
[deoptimizing (DEOPT lazy): begin STUB (opt #-1) @4, FP to SP delta: 32, caller sp: 0x7ffcd2e6cf98]
reading compiler stub frame => height=3; inputs:
0: 0x20beb537ed99 ; rbx 0x20beb537ed99 <Very long string[268397317]>
1: 0x3fe1e41d3a59 ; [fp - 24] 0x3fe1e41d3a59 <JS Array[100000]>
2: 0x3fe1e41a6e39 ; [fp - 32] 0x3fe1e41a6e39 <FixedArray[180]>
translating StringAddStub => StubFailureTrampolineStub, height=16
0x7ffcd2e6cf90: [top + 56] <- 0x39452f8747bf ; caller's pc
0x7ffcd2e6cf88: [top + 48] <- 0x7ffcd2e6cfb8 ; caller's fp
0x7ffcd2e6cf80: [top + 40] <- 0xb00000000 ; function (stub failure sentinel)
0x7ffcd2e6cf78: [top + 32] <- 0x7ffcd2e6cf90 ; args.arguments
0x7ffcd2e6cf70: [top + 24] <- 0x00000000 ; args.length
0x7ffcd2e6cf68: [top + 16] <- 0x7ffcd2e6cf70 ; args*
0x7ffcd2e6cf60: [top + 8] <- 0x20beb537ed99 ; 0x20beb537ed99 <Very long string[268397317]> (input #0)
0x7ffcd2e6cf58: [top + 0] <- 0x3fe1e41d3a59 ; 0x3fe1e41d3a59 <JS Array[100000]> (input #1)
[deoptimizing (lazy): end STUB @4 => node=6, pc=0x39452f830520, caller sp=0x7ffcd2e6cf98, state=NO_REGISTERS, took 0.212 ms]
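The failure mode described above, a fast path whose bailout forwards the original, unconverted operands to a runtime function that CHECKs they are already strings, can be shown in a few lines of JavaScript. The following is an added illustration, not V8's code: the function names, the small 64-character limit and the InvalidStringLength class are constructed for the example, and the "runtime" is a model of what the CHECK in Runtime_StringAdd enforces, not the real implementation.

```javascript
// Added example (not V8 code): a model of the stub / runtime split.
// The limit is deliberately tiny so the example runs in microseconds.
const MAX_STRING_LENGTH = 64; // constructed; V8's real limit is far larger

// Stands in for the "invalid string length" RangeError an engine should throw.
class InvalidStringLength extends RangeError {}

// Slow path, modelled on Runtime_StringAdd: it assumes both operands were
// already converted to strings and enforces that assumption with a CHECK.
function runtimeStringAdd(a, b) {
  if (typeof a !== 'string') throw new Error('CHECK failure: args[0]->IsString()');
  if (typeof b !== 'string') throw new Error('CHECK failure: args[1]->IsString()');
  return a + b;
}

// The conversion '+' applies to a non-string operand: ToPrimitive with the
// default hint (valueOf first, then toString), followed by ToString.
function toStringForPlus(v) {
  if (v === null || typeof v !== 'object') return String(v);
  for (const method of ['valueOf', 'toString']) {
    const f = v[method];
    if (typeof f !== 'function') continue;
    const r = f.call(v);
    if (r === null || typeof r !== 'object') return String(r);
  }
  throw new TypeError('Cannot convert object to primitive value');
}

// Buggy stub: the overflow check runs on the converted strings, but the
// bailout forwards the ORIGINAL arguments to the runtime, so an operand that
// only became a string through toString() arrives there unconverted.
function buggyStringAdd(left, right) {
  const l = toStringForPlus(left);
  const r = toStringForPlus(right);
  if (l.length + r.length > MAX_STRING_LENGTH) {
    return runtimeStringAdd(left, right); // bailout with original args
  }
  return l + r;
}

// Fixed stub: overflow of the converted lengths is an ordinary error thrown
// right here; the runtime is never entered with raw operands.
function fixedStringAdd(left, right) {
  const l = toStringForPlus(left);
  const r = toStringForPlus(right);
  if (l.length + r.length > MAX_STRING_LENGTH) {
    throw new InvalidStringLength('Invalid string length');
  }
  return l + r;
}

// Scaled-down shape of the `z += {toString: ...}` repro: a string over half
// the limit added to an object whose toString() returns that same string.
// Returns the name of the error class that surfaced, or 'ok'.
function repro(add) {
  const x = '1'.repeat(40); // constructed input
  try {
    add(x, { toString() { return x; } });
    return 'ok';
  } catch (e) {
    return e.constructor.name;
  }
}

console.log('buggy:', repro(buggyStringAdd)); // buggy: Error  (the CHECK fires)
console.log('fixed:', repro(fixedStringAdd)); // fixed: InvalidStringLength
```

The point of the model is the ordering: once the stub has run ToPrimitive on the operands, any later failure must be reported in terms of the converted values (or re-derive them), because the runtime's precondition is "both inputs are strings", which the original operands do not satisfy.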
Jul 14 2016
Even simpler repro:
var x = "1".repeat(32 * 1024 * 1024);
for (var z = x;;) z += {toString: function() { return x; }};
Jul 14 2016
Jul 14 2016
Issue v8:5200 has been merged into this issue.
Jul 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6530a16eb5b7ccfd4cbcda105035f2c4c27295db
commit 6530a16eb5b7ccfd4cbcda105035f2c4c27295db
Author: bmeurer <bmeurer@chromium.org>
Date: Thu Jul 14 11:44:53 2016
[stubs] Properly handle length overflow in StringAddStub.
Using the Hydrogen code stub bailout mechanism is not correct for the string length overflow check in the StringAddStub. Instead make sure we just throw the proper exception.
R=mstarzinger@chromium.org
BUG=chromium:627934
Review-Url: https://codereview.chromium.org/2146353002
Cr-Commit-Position: refs/heads/master@{#37758}
[modify] https://crrev.com/6530a16eb5b7ccfd4cbcda105035f2c4c27295db/src/crankshaft/hydrogen.cc
[modify] https://crrev.com/6530a16eb5b7ccfd4cbcda105035f2c4c27295db/src/runtime/runtime-internal.cc
[modify] https://crrev.com/6530a16eb5b7ccfd4cbcda105035f2c4c27295db/src/runtime/runtime.h
[add] https://crrev.com/6530a16eb5b7ccfd4cbcda105035f2c4c27295db/test/mjsunit/regress/regress-crbug-627934.js
Jul 14 2016
ClusterFuzz has detected this issue as fixed in range 37757:37758.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4776177801887744
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: args[1]->IsString() in runtime-strings.cc
Regressed: V8: r37703:37704
Fixed: V8: r37757:37758
Minimized Testcase (7.81 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97i5piEOWqyLEYooA7tZFOrgzbkDYwZxtmvFiDAonxa9poYDjJgaM4Xnd4mTF1JtkWtkW4yNsTIQLz3FGJoqFZpJz69rzo9j9LE8hkBPUrnoiblnuHHIKxqaNw2tuy39xBfKh2SWtvghHq5AyY1NPYfuYUXsg?testcase_id=4776177801887744
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 15 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Jul 13 2016