Issue 634775 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	█ hpayer@chromium.org Last visit > 30 days ago
Closed:	Dec 2016
Cc:	mlippautz@chromium.org mstarzinger@chromium.org u...@chromium.org
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Reproducible Stability-Memory-AddressSanitizer Clusterfuzz

Crash in v8::internal::Heap::CreateFillerObjectAt

Project Member Reported by ClusterFuzz, Aug 5 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5218196842086400

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Heap::CreateFillerObjectAt
  v8::internal::SeqString::Truncate
  v8::internal::Handle<v8::internal::String> v8::internal::JsonParser<false>::Slow
  

Minimized Testcase (6.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94jxSTvIgcjAyM8nK1b_CcNSDuw-wtOvt5BaOPfc_tW9mXk8dZVWI949hqbrhk1B7Bmo9wX-1rdpWyVAVbbkukgxTaNAd9sLcOvqHuKRUSh7lkzSfZbvkpBLG0lxQcmcmXToXQQgsUrNQ15G_7xFdJH94qQvQ?testcase_id=5218196842086400

Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by hablich@chromium.org, Aug 8 2016

Status: Available (was: Untriaged)

Comment 2 Deleted

Comment 3 by ishell@chromium.org, Nov 20 2016

It fails in FreeSpace::cast(HeapObject* o) at 
  SLOW_DCHECK(!o->GetHeap()->deserialization_complete() || o->IsFreeSpace());
because {o} is a free space filler in LO_SPACE and GetHeap() returns garbage in this case.

Maybe we should have not called CreateFillerObjectAt() from SeqString::Truncate() for strings in LO_SPACE.


Reproduces on ToT:

out/x64.debug/d8 --predictable --enable-slow-asserts mutant9361_regress-3976.js

Call stack:

#0  v8::internal::Heap::deserialization_complete (this=0x426042b0425042c) at .././src/heap/heap.h:929
#1  0x00000000013da930 in v8::internal::FreeSpace::cast (o=0x5ee877991f9) at .././src/objects-inl.h:3660
#2  0x00000000013c3a90 in v8::internal::Heap::CreateFillerObjectAt (this=0x25e7f80, addr=0x5ee877991f8 "\001\"\350!1\037", size=80, mode=v8::internal::ClearRecordedSlots::kNo, black_area_mode=v8::internal::ClearBlackArea::kYes) at ../src/heap/heap.cc:3060
#3  0x000000000159c72b in v8::internal::SeqString::Truncate (string=..., new_length=571374) at ../src/objects.cc:12048
#4  0x0000000001501ad7 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=524288) at ../src/json-parser.cc:705
#5  0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=262144) at ../src/json-parser.cc:632
#6  0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=131072) at ../src/json-parser.cc:632
#7  0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=65536) at ../src/json-parser.cc:632
#8  0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=32768) at ../src/json-parser.cc:632
#9  0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=16384) at ../src/json-parser.cc:632
#10 0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=8192) at ../src/json-parser.cc:632
#11 0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=4096) at ../src/json-parser.cc:632
#12 0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=2048) at ../src/json-parser.cc:632
#13 0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=1024) at ../src/json-parser.cc:632
#14 0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=512) at ../src/json-parser.cc:632
#15 0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=256) at ../src/json-parser.cc:632
#16 0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=128) at ../src/json-parser.cc:632
#17 0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=64) at ../src/json-parser.cc:632
#18 0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=0, end=32) at ../src/json-parser.cc:632
#19 0x00000000015017c1 in v8::internal::JsonParser<false>::SlowScanJsonString<v8::internal::SeqTwoByteString, unsigned short> (this=0x7fffffffc200, prefix=..., start=1, end=1) at ../src/json-parser.cc:632
#20 0x00000000014fdba0 in v8::internal::JsonParser<false>::ScanJsonString<false> (this=0x7fffffffc200) at ../src/json-parser.cc:787
#21 0x00000000014fda65 in v8::internal::JsonParser<false>::ParseJsonString (this=0x7fffffffc200) at .././src/json-parser.h:78
#22 0x00000000014fd646 in v8::internal::JsonParser<false>::ParseJsonValue (this=0x7fffffffc200) at ../src/json-parser.cc:257
#23 0x00000000014fd13f in v8::internal::JsonParser<false>::ParseJson (this=0x7fffffffc200) at ../src/json-parser.cc:124
#24 0x0000000000f4585f in v8::internal::JsonParser<false>::Parse (isolate=0x25e7f60, source=..., reviver=...) at .././src/json-parser.h:43
#25 0x00000000019ce5d6 in v8::internal::Builtin_Impl_JsonParse (args=..., isolate=0x25e7f60) at ../src/builtins/builtins-json.cc:23
#26 0x00000000019ce24a in v8::internal::Builtin_JsonParse (args_length=5, args_object=0x7fffffffc440, isolate=0x25e7f60) at ../src/builtins/builtins-json.cc:15
#27 0x000009a8bf504167 in ?? ()
#28 0x00002b9e02b83b01 in ?? ()

Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member

Comment 5 by ClusterFuzz, Dec 22 2016

Status: WontFix (was: Assigned)

ClusterFuzz testcase 5218196842086400 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

►

Issue 634775 link

Issue metadata

Crash in v8::internal::Heap::CreateFillerObjectAt

Issue description

Comment 1 by hablich@chromium.org, Aug 8 2016

Comment 1 Deleted

Comment 2 Deleted

Comment 3 by ishell@chromium.org, Nov 20 2016

Comment 3 Deleted

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Comment 4 Deleted

Comment 5 by ClusterFuzz, Dec 22 2016

Comment 5 Deleted

Sign in to add a comment