
Issue 643071 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security




Crash in v8::internal::NewSpace::Verify

Reported by ClusterFuzz (Project Member), Sep 1 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6138775275307008

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0xdeadbeee
Crash State:
  v8::internal::NewSpace::Verify
  v8::internal::Heap::Verify
  v8::internal::Heap::GarbageCollectionPrologue
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=415049:415582

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96qQ30azSdh_3V9ODOxut1WxhnpHdcDINJlUc3x_bR8IE81BDYfZP7TCwoZHWEGkTpfjTM-9Q9ix1B4MbARtLjQ9NVBVWzEgHJT201y3Bob-k0ZsN2P9GbogGzyl8giv1GJVoLYvW2E_eU4R46HM3z_zUZIVw?testcase_id=6138775275307008
// ClusterFuzz minimized testcase. Run under d8 with --allow-natives-syntax
// (for %OptimizeFunctionOnNextCall) and --expose-gc (for gc()).
function __f_1(a) {
  var __v_1 = 1 + a;
}
function __f_0() {
  __f_1();
  var __v_0 = {x : __f_1()};
  return [__v_0];
}
try {
  // Warm up, then force optimization of __f_0 and run the optimized code.
  __f_0();
  __f_0();
  %OptimizeFunctionOnNextCall(__f_0);
  __f_0();
} catch(e) {; }
// Trigger a GC; heap verification runs in the GC prologue and hits the crash.
gc();


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org (Project Member), Sep 1 2016

Labels: M-54
Comment 2 by sheriffbot@chromium.org (Project Member), Sep 1 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 3 by sheriffbot@chromium.org (Project Member), Sep 1 2016

Labels: Pri-1

Comment 4 by vakh@chromium.org, Sep 1 2016

Cc: hpayer@chromium.org
Components: Blink>JavaScript>GC
Owner: mlippautz@chromium.org
Status: Assigned (was: Untriaged)
Cc: mlippautz@chromium.org
Owner: bmeu...@chromium.org
Seems to be related to allocation folding in CS as we have a hole (deadbeef) in new space that is followed by a regular map pointer a few words later.

--trace-allocation-folding shows some folded allocations. Doesn't happen with --nouse-allocation-folding.

Benedikt, if you don't have time please re-assign to hpayer@.
As discussed offline, this is already fixed in 7b79224b21a23dfcd44b820c51d9f094b943b862 . Thanks!
Status: Fixed (was: Assigned)
Comment 8 by sheriffbot@chromium.org (Project Member), Sep 2 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 9 by sheriffbot@chromium.org (Project Member), Dec 9 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
