Crash in v8::internal::JSObject::UpdateAllocationSite
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5534114849751040

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x0fa31ecc
Crash State:
  v8::internal::JSObject::UpdateAllocationSite
  v8::internal::ElementsAccessor::Concat
  v8::internal::ElementsAccessor::Concat

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=407363:407364

Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95WkDr1vzxrT-U5CcvHeTRftL4Dn4o75brf9Wqf0ICNaTCJLBfpY9HzTXcy0eMC49e4kQlNuzYkOv36Sdnua0fyBtucEQdtyvPJ4XY0vu4Gh0Pmtf-A2u5LjLJqnIV60cnAeGkT2X6YMs8iITy1pIfxJYO--A?testcase_id=5534114849751040

try { } catch (e) { }
function __f_3(x, expected) {
  var __v_3 = [];
  __v_3.length = x;   // length setter -> JSArray::SetLength -> UpdateAllocationSite (see the backtrace below)
  __f_3(true, 1);     // recurses until the stack overflows; the RangeError is caught by the outer try/catch
}
try {
  __f_3(2147483648, 2147483648);
} catch(e) { "Caught: " + e; }

Filer: aarya
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 26 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 26 2016
Reproduces on TOT (73a5db9d06051d85724b5846af3b3cb8aa97f60e) on x64.optdebug. The allocation_site() field of an AllocationMemento points to an unmapped page.

#0  IsAllocationSite (this=0xbed9112b0f9) at ../../src/objects-inl.h:959
#1  IsValid (this=<optimized out>) at ../../src/objects-inl.h:1780
#2  v8::internal::Heap::FindAllocationMemento<(v8::internal::Heap::FindMementoMode)0> (this=0x11b3010, object=0x2c2b59bfff91) at ../../src/heap/heap-inl.h:517
#3  0x0000000000819260 in v8::internal::JSObject::UpdateAllocationSite (object=..., to_kind=v8::internal::FAST_HOLEY_SMI_ELEMENTS) at ../../src/objects.cc:15281
#4  0x000000000067cc8d in BasicGrowCapacityAndConvertImpl (to_kind=v8::internal::FAST_HOLEY_SMI_ELEMENTS, object=..., old_elements=..., from_kind=<optimized out>, capacity=<optimized out>) at ../../src/elements.cc:856
#5  v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastHoleySmiElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)1> >::GrowCapacityAndConvertImpl (object=..., capacity=<optimized out>) at ../../src/elements.cc:841
#6  0x000000000067ca3d in v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastHoleySmiElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)1> >::SetLengthImpl (isolate=<optimized out>, array=..., length=1, backing_store=...) at ../../src/elements.cc:727
#7  0x000000000067b421 in v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastHoleySmiElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)1> >::SetLength (this=<optimized out>, array=..., length=1) at ../../src/elements.cc:682
#8  0x00000000007f971c in v8::internal::JSArray::SetLength (array=..., new_length=1) at ../../src/objects.cc:14455
#9  0x0000000000a0e987 in v8::internal::Accessors::ArrayLengthSetter (name=..., val=..., info=...) at ../../src/accessors.cc:179
#10 0x00000000007684ae in v8::internal::PropertyCallbackArguments::Call (this=0x7ffffff3da30, f=<optimized out>, name=..., value=...) at ../../src/api-arguments-inl.h:101
#11 0x0000000000764dec in v8::internal::__RT_impl_Runtime_StoreCallbackProperty (args=..., isolate=0x11b2ff0) at ../../src/ic/ic.cc:2823
#12 0x0000000000764ab0 in v8::internal::Runtime_StoreCallbackProperty (args_length=6, args_object=<optimized out>, isolate=0x11b2ff0) at ../../src/ic/ic.cc:2792
#13 0x000009a8bf7063a7 in ?? ()
Jul 26 2016
Hi Michael,
This issue bisects cleanly to your CL:
Reland "[heap] Add page evacuation mode for new->new"
Adds an evacuation mode that allows moving pages within new space without
copying objects.
https://codereview.chromium.org/2078863002
It looks like there must be a way to add an allocation memento that points to a dead AllocationSite. I remember we had an issue once that we didn't scan new space until sweeping old space...and during that sweep we might have discarded allocation sites. I believe this is why we introduced the "zombie" state to the AllocationSite.
Could it be a similar problem going on for this new work?
Jul 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e97b8686f234c4f49bec8f31bd1702d6908901cc

commit e97b8686f234c4f49bec8f31bd1702d6908901cc
Author: mlippautz <mlippautz@chromium.org>
Date: Wed Jul 27 12:16:22 2016

[heap] Don't consider mementos on pages below age mark

Objects that reside below the age mark could be on pages that have been moved within new space. In this case mementos survived which can actually point to already-collected allocation sites.

BUG=chromium:631050,chromium:581412
R=hpayer@chromium.org

Review-Url: https://codereview.chromium.org/2179033005
Cr-Commit-Position: refs/heads/master@{#38094}

[modify] https://crrev.com/e97b8686f234c4f49bec8f31bd1702d6908901cc/src/heap/heap-inl.h
[add] https://crrev.com/e97b8686f234c4f49bec8f31bd1702d6908901cc/test/mjsunit/regress/regress-631050.js
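As an added illustration of the failure mode the commit message and comment above describe (a model written for this page, not V8's code and not part of the bug thread): a toy new space with an age mark, where a page that is moved without copying keeps a memento whose AllocationSite has already been collected, and where the fixed lookup refuses mementos below the age mark. The types, the slot-based new space and the scenario function are all assumptions of this model.

```c
#include <stddef.h>
/* Simplified model, not V8's code. An AllocationSite can be collected by the
 * GC; an AllocationMemento trails an object and points at its site. */
typedef struct { int alive; } AllocationSite;
typedef struct { AllocationSite *site; } AllocationMemento;

/* Toy new space of numbered slots: slots below the age mark survived the
 * previous scavenge, slots at or above it were allocated since. */
#define SLOTS 8
typedef struct {
    AllocationMemento mementos[SLOTS]; /* memento i trails object i; NULL = none */
    size_t top;                        /* next free slot */
    size_t age_mark;                   /* slots < age_mark are survivors */
} NewSpace;
static size_t allocate_with_memento(NewSpace *ns, AllocationSite *site) {
    size_t obj = ns->top++;
    ns->mementos[obj].site = site;
    return obj;
}
/* New->new page evacuation: the page is re-linked, not copied, so memento
 * bytes survive while the age mark moves past them; an unreferenced site is
 * collected in the same cycle and the memento now dangles. */
static void scavenge_moving_page(NewSpace *ns, AllocationSite *unreferenced) {
    ns->age_mark = ns->top;
    unreferenced->alive = 0;
}
/* Before the fix: any memento found behind the object is trusted. */
static AllocationSite *find_memento_unfixed(const NewSpace *ns, size_t obj) {
    return ns->mementos[obj].site;
}

/* After the fix: mementos below the age mark are ignored, since the site
 * they name may already be gone. */
static AllocationSite *find_memento_fixed(const NewSpace *ns, size_t obj) {
    if (obj < ns->age_mark) return NULL;
    return find_memento_unfixed(ns, obj);
}
/* 1 when the unfixed lookup returns a collected site for a survivor, the
 * fixed lookup refuses it, and a fresh object above the mark is still found. */
int stale_memento_scenario(void) {
    NewSpace ns = {0};
    AllocationSite old_site = {1}, new_site = {1};
    size_t survivor = allocate_with_memento(&ns, &old_site);
    scavenge_moving_page(&ns, &old_site);
    size_t fresh = allocate_with_memento(&ns, &new_site);
    AllocationSite *stale = find_memento_unfixed(&ns, survivor);
    return stale != NULL && !stale->alive &&
           find_memento_fixed(&ns, survivor) == NULL &&
           find_memento_fixed(&ns, fresh) == &new_site;
}
```

In the real heap the stale pointer is dereferenced (IsValid() in the backtrace above) rather than flagged, which is why the unfixed lookup shows up as an unmapped read.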
Nov 3 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by aarya@google.com, Jul 25 2016
Labels: Pri-1
Owner: ishell@chromium.org
Status: Assigned (was: Untriaged)