Crash in v8::Function::ScriptId
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5893489026138112

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8_ignition
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::Function::ScriptId
  blink::V8ScriptRunner::callFunction
  extensions::ScriptContext::CallFunction

Regressed: V8: r40408:40413

Minimized Testcase (0.11 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv962sVqdvoCkrHnqOoYfYWTYrveLOp3ZthYavmt3ub8xo7xtaaBOnEC2aALfvRE0oObs3lWleVCoDE88lVy2nOAPN2iv0SdP59zB8hMR8bY2qQbD5OP0zLW_QHj0vnwhPqh-lNBmLDvrHmuo1Iq9Fo78A51u7g?testcase_id=5893489026138112

<script>
try { __f_73(); } catch(e) { print(); }
</script>
<iframe src="data:application/pdf;base64,">

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Oct 20 2016
,
Oct 20 2016
jochen - I'm not entirely sure this is extensions. So, a few things:
- Yes, this calls executeFunctionEvenIfScriptDisabled, which is bad, and will be fixed by my work in issue 629431.
- Converting this particular call to use the safe calling method postpones the crash until after the print preview is done.
- But then it still crashes.
The way this crash is happening and the fact that clusterfuzz has a regression range in v8 (and the extensions code in question hasn't changed recently at all) makes me think that maybe this is actually a v8 bug? (The calling extension function should and will be fixed, but I don't think it's the culprit here.) WDYT?
,
Oct 21 2016
ClusterFuzz has detected this issue as fixed in range 40446:40456.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5893489026138112

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8_ignition
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::Function::ScriptId
  blink::V8ScriptRunner::callFunction
  extensions::ScriptContext::CallFunction

Regressed: V8: r40408:40413
Fixed: V8: r40446:40456

Minimized Testcase (0.11 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv962sVqdvoCkrHnqOoYfYWTYrveLOp3ZthYavmt3ub8xo7xtaaBOnEC2aALfvRE0oObs3lWleVCoDE88lVy2nOAPN2iv0SdP59zB8hMR8bY2qQbD5OP0zLW_QHj0vnwhPqh-lNBmLDvrHmuo1Iq9Fo78A51u7g?testcase_id=5893489026138112

<script>
try { __f_73(); } catch(e) { print(); }
</script>
<iframe src="data:application/pdf;base64,">

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 21 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Oct 21 2016
OK, strangely enough, kozyatinskiy's change is both in the regression range and in the fixed range (as a revert), so I guess it's that.
,
Oct 26 2016
1) Observing similar crashes on recent Windows Canary with 4 crash instances from 4 different client IDs. Hence re-opening the issue.

2) Link to list of builds where crashes are seen: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3AFunction%3A%3AScriptId%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion:1000

3) Stack trace:

Thread 0 CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000000 ] MAGIC SIGNATURE THREAD
0x00007ffe4b54ca22 (chrome_child.dll -api.cc:5065 ) v8::Function::ScriptId()
0x00007ffe4b54c3ab (chrome_child.dll -v8scriptrunner.cpp:636 ) blink::V8ScriptRunner::callFunction(v8::Local<v8::Function>,blink::ExecutionContext *,v8::Local<v8::Value>,int,v8::Local<v8::Value> * const,v8::Isolate *)
0x00007ffe4bcbde71 (chrome_child.dll -weblocalframeimpl.cpp:846 ) blink::WebLocalFrameImpl::callFunctionEvenIfScriptDisabled(v8::Local<v8::Function>,v8::Local<v8::Value>,int,v8::Local<v8::Value> * const)
0x00007ffe4c6b2f5d (chrome_child.dll -script_context.cc:200 ) extensions::ScriptContext::CallFunction(v8::Local<v8::Function> const &,int,v8::Local<v8::Value> * const)
0x00007ffe4c6aeb62 (chrome_child.dll -module_system.cc:317 ) extensions::ModuleSystem::CallModuleMethod(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,int,v8::Local<v8::Value> * const)
0x00007ffe4c6ad108 (chrome_child.dll -messaging_bindings.cc:166 ) extensions::`anonymous namespace'::DispatchOnConnectToScriptContext
0x00007ffe4c6ae014 (chrome_child.dll -bind_internal.h:339 ) base::internal::Invoker<base::internal::BindState<void (*)(int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,ExtensionMsg_TabConnectionInfo const *,ExtensionMsg_ExternalConnectionInfo const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,bool *,extensions::ScriptContext *),int,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,ExtensionMsg_TabConnectionInfo const *,ExtensionMsg_ExternalConnectionInfo,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,bool *>,void >::Run(base::internal::BindStateBase *,extensions::ScriptContext * &&)
0x00007ffe4c0ef7f2 (chrome_child.dll -script_context_set.cc:122 ) extensions::ScriptContextSet::ForEach(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::RenderFrame *,base::Callback<void ,1,1> const &)
0x00007ffe4c6accc8 (chrome_child.dll -messaging_bindings.cc:306 ) extensions::MessagingBindings::DispatchOnConnect(extensions::ScriptContextSet const &,int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,ExtensionMsg_TabConnectionInfo const &,ExtensionMsg_ExternalConnectionInfo const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::RenderFrame *)
0x00007ffe4c6a3cdd (chrome_child.dll -extension_frame_helper.cc:301 ) extensions::ExtensionFrameHelper::OnExtensionDispatchOnConnect(int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,ExtensionMsg_TabConnectionInfo const &,ExtensionMsg_ExternalConnectionInfo const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x00007ffe4c6a2b3d (chrome_child.dll -ipc_message_templates.h:121 ) IPC::MessageT<ExtensionMsg_DispatchOnConnect_Meta,std::tuple<int,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,ExtensionMsg_TabConnectionInfo,ExtensionMsg_ExternalConnectionInfo,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,void>::Dispatch<extensions::ExtensionFrameHelper,extensions::ExtensionFrameHelper,void,void ( extensions::ExtensionFrameHelper::*)(int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,ExtensionMsg_TabConnectionInfo const &,ExtensionMsg_ExternalConnectionInfo const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>(IPC::Message const *,extensions::ExtensionFrameHelper *,extensions::ExtensionFrameHelper *,void *,void ( extensions::ExtensionFrameHelper::*)(int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,ExtensionMsg_TabConnectionInfo const &,ExtensionMsg_ExternalConnectionInfo const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &))
0x00007ffe4bfbffd2 (chrome_child.dll -extension_frame_helper.cc:272 ) extensions::ExtensionFrameHelper::OnMessageReceived(IPC::Message const &)
0x00007ffe4b75a824 (chrome_child.dll -render_frame_impl.cc:1517 ) content::RenderFrameImpl::OnMessageReceived(IPC::Message const &)
0x00007ffe4b7b07a0 (chrome_child.dll -message_router.cc:56 ) IPC::MessageRouter::RouteMessage(IPC::Message const &)
0x00007ffe4b7b0544 (chrome_child.dll -child_thread_impl.cc:760 ) content::ChildThreadImpl::OnMessageReceived(IPC::Message const &)
0x00007ffe4b7b042b (chrome_child.dll -ipc_channel_proxy.cc:339 ) IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x00007ffe4b4080e9 (chrome_child.dll -task_annotator.cc:52 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007ffe4b4073e8 (chrome_child.dll -task_queue_manager.cc:358 ) blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue *)
0x00007ffe4b3df6f4 (chrome_child.dll -task_queue_manager.cc:250 ) blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks,bool)
0x00007ffe4b3e0fc2 (chrome_child.dll -bind_internal.h:339 ) base::internal::Invoker<base::internal::BindState<void ( blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void >::Run(base::internal::BindStateBase *)
0x00007ffe4b4080e9 (chrome_child.dll -task_annotator.cc:52 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007ffe4b4070b3 (chrome_child.dll -message_loop.cc:413 ) base::MessageLoop::RunTask(base::PendingTask *)
0x00007ffe4b4069a4 (chrome_child.dll -message_loop.cc:515 ) base::MessageLoop::DoWork()
0x00007ffe4b4066c8 (chrome_child.dll -message_pump_default.cc:35 ) base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x00007ffe4b6a89b6 (chrome_child.dll -run_loop.cc:35 ) base::RunLoop::Run()
0x00007ffe4d3b231d (chrome_child.dll -ppb_flash_message_loop_impl.cc:94 ) content::PPB_Flash_MessageLoop_Impl::InternalRun(base::Callback<void ,1,1> const &)
0x00007ffe4cba1707 (chrome_child.dll -ppb_flash_message_loop_proxy.cc:143 ) ppapi::proxy::PPB_Flash_MessageLoop_Proxy::OnMsgRun(ppapi::HostResource const &,IPC::Message *)
0x00007ffe4cba1184 (chrome_child.dll -ipc_message_templates.h:196 ) IPC::MessageT<PpapiHostMsg_PPBFlashMessageLoop_Run_Meta,std::tuple<ppapi::HostResource>,std::tuple<int> >::DispatchDelayReply<ppapi::proxy::PPB_Flash_MessageLoop_Proxy,void,void ( ppapi::proxy::PPB_Flash_MessageLoop_Proxy::*)(ppapi::HostResource const &,IPC::Message *)>(IPC::Message const *,ppapi::proxy::PPB_Flash_MessageLoop_Proxy *,void *,void ( ppapi::proxy::PPB_Flash_MessageLoop_Proxy::*)(ppapi::HostResource const &,IPC::Message *))
0x00007ffe4cba151c (chrome_child.dll -ppb_flash_message_loop_proxy.cc:110 ) ppapi::proxy::PPB_Flash_MessageLoop_Proxy::OnMessageReceived(IPC::Message const &)
0x00007ffe4cb761d5 (chrome_child.dll -dispatcher.cc:70 ) ppapi::proxy::Dispatcher::OnMessageReceived(IPC::Message const &)
0x00007ffe4cba661e (chrome_child.dll -host_dispatcher.cc:206 ) ppapi::proxy::HostDispatcher::OnMessageReceived(IPC::Message const &)
0x00007ffe4b7b042b (chrome_child.dll -ipc_channel_proxy.cc:339 ) IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x00007ffe4c05c7b2 (chrome_child.dll -ipc_sync_channel.cc:185 ) IPC::SyncChannel::ReceivedSyncMsgQueue::DispatchMessages(IPC::SyncChannel::SyncContext *)
0x00007ffe4b4080e9 (chrome_child.dll -task_annotator.cc:52 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007ffe4b4073e8 (chrome_child.dll -task_queue_manager.cc:358 ) blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue *)
0x00007ffe4b3df6f4 (chrome_child.dll -task_queue_manager.cc:250 ) blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks,bool)
0x00007ffe4b3e0fc2 (chrome_child.dll -bind_internal.h:339 ) base::internal::Invoker<base::internal::BindState<void ( blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void >::Run(base::internal::BindStateBase *)
0x00007ffe4b4080e9 (chrome_child.dll -task_annotator.cc:52 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007ffe4b4070b3 (chrome_child.dll -message_loop.cc:413 ) base::MessageLoop::RunTask(base::PendingTask *)
0x00007ffe4b406c70 (chrome_child.dll -message_loop.cc:554 ) base::MessageLoop::DoDelayedWork(base::TimeTicks *)
0x00007ffe4b4066e6 (chrome_child.dll -message_pump_default.cc:39 ) base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x00007ffe4b6a89b6 (chrome_child.dll -run_loop.cc:35 ) base::RunLoop::Run()
0x00007ffe4bac77ac (chrome_child.dll -renderer_main.cc:198 ) content::RendererMain(content::MainFunctionParams const &)
0x00007ffe4b771857 (chrome_child.dll -content_main_runner.cc:408 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x00007ffe4b771ab9 (chrome_child.dll -content_main_runner.cc:776 ) content::ContentMainRunnerImpl::Run()
0x00007ffe4b7719e8 (chrome_child.dll -content_main.cc:20 ) content::ContentMain(content::ContentMainParams const &)
0x00007ffe4b7713ba (chrome_child.dll -chrome_main.cc:97 ) ChromeMain
0x00007ff74b7d7628 (chrome.exe -main_dll_loader_win.cc:174 ) MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x00007ff74b7d20b0 (chrome.exe -chrome_exe_main_win.cc:247 ) wWinMain
0x00007ff74b861372 (chrome.exe -exe_common.inl:253 ) __scrt_common_main_seh
0x00007ffe8322ef43 (KERNEL32.DLL + 0x0000ef43 ) BaseThreadInitThunk
0x00007ffe8555ddd0 (ntdll.dll + 0x0006ddd0 ) RtlUserThreadStart

4) Please let us know if it's not related to this issue and needs to be raised separately.
,
Oct 26 2016
Users experienced this crash on the following builds:
Win Canary 56.0.2900.0 - 0.53 CPM, 6 reports, 6 clients (signature v8::Function::ScriptId)
Mac Dev 56.0.2897.0 - 0.49 CPM, 4 reports, 4 clients (signature v8::Function::ScriptId)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
,
Nov 16 2016
Latest crash rates on all channels:
56.0.2920.0 0.03% 3
56.0.2914.3 1.10% 128
55.0.2883.44 0.02% 2
54.0.2840.99 0.37% 43
Link to the list of builds: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3AFunction%3A%3AScriptId%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion:1000
Seeing a higher number of crashes on the latest Dev, hence adding the blocker label. Please remove if not required.
kozyatinskiy@ Could you please look into this issue? Thanks,
,
Nov 21 2016
Users experienced this crash on the following builds:
Win Dev 56.0.2922.1 - 0.23 CPM, 28 reports, 25 clients (signature v8::Function::ScriptId)
Mac Dev 56.0.2922.1 - 0.67 CPM, 2 reports, 2 clients (signature v8::Function::ScriptId)
Mac Canary 57.0.2926.0 - 0.52 CPM, 1 reports, 1 clients (signature v8::Function::ScriptId)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 23 2016
The crash still exists in the latest Dev (56.0.2924.3) and Canary (57.0.2929.1). Please investigate.
,
Nov 28 2016
M56 Beta launch is next week. Your bug is labelled as Release Block Beta; please make sure to land the fix by the first week of December.
,
Nov 29 2016
Just to update, below are the crash rates on all latest channels:
57.0.2935.0 0.01% 1 (latest Canary)
56.0.2924.3 1.44% 163 (latest Dev)
55.0.2883.59 0.04% 4 (latest Beta)
54.0.2840.99 3.85% 436 (latest Stable)
Link to the list of builds: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3AFunction%3A%3AScriptId%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion:1000
,
Dec 1 2016
https://codereview.chromium.org/2546853002/

I'm not sure that my CL mentioned above (that was applied and reverted) is related to the latest crashes. I've uploaded a CL that will fix it, but I'm not sure that it solves the root of the issue.
,
Dec 1 2016
Thanks for the investigation. M56 Beta promotion is scheduled for Dec 06; please make sure to get this crash resolved ASAP.
,
Dec 1 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/dedd489499fb5b7b47fdd29fef13ffaee2f42dcd

commit dedd489499fb5b7b47fdd29fef13ffaee2f42dcd
Author: kozyatinskiy <kozyatinskiy@chromium.org>
Date: Thu Dec 01 23:06:53 2016

[extensions] added checks that function is not empty

ModuleSystem::GetModuleFunction can return an empty v8::Local<v8::Function> if the condition in the first if inside this function is false. Then invoking any method on this local object will produce a crash, e.g. crbug.com/657561 .

BUG= 657561
R=rdevlin.cronin@chromium.org

Review-Url: https://codereview.chromium.org/2546853002
Cr-Commit-Position: refs/heads/master@{#435750}

[modify] https://crrev.com/dedd489499fb5b7b47fdd29fef13ffaee2f42dcd/extensions/renderer/module_system.cc
,
Dec 1 2016
,
Dec 2 2016
Your change meets the bar and is auto-approved for M56 (branch: 2924)
,
Dec 3 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3bfdb9a43a060b4c938331d9e397c97a1f0a6c5d

commit 3bfdb9a43a060b4c938331d9e397c97a1f0a6c5d
Author: Alexey Kozyatinskiy <kozyatinskiy@chromium.org>
Date: Sat Dec 03 17:27:51 2016

[extensions] added checks that function is not empty

ModuleSystem::GetModuleFunction can return an empty v8::Local<v8::Function> if the condition in the first if inside this function is false. Then invoking any method on this local object will produce a crash, e.g. crbug.com/657561 .

BUG= 657561
R=rdevlin.cronin@chromium.org

Review-Url: https://codereview.chromium.org/2546853002
Cr-Commit-Position: refs/heads/master@{#435750}
(cherry picked from commit dedd489499fb5b7b47fdd29fef13ffaee2f42dcd)

Review URL: https://codereview.chromium.org/2552533002 .

Cr-Commit-Position: refs/branch-heads/2924@{#316}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/3bfdb9a43a060b4c938331d9e397c97a1f0a6c5d/extensions/renderer/module_system.cc
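The two commits above fix the crash by checking the handle before use. The C++ below is an added example, not Chromium or V8 code: it is a small model of the handle semantics the commit message describes, enough to show why an empty v8::Local crashes with a read at address 0 (the top frame is v8::Function::ScriptId, which blink::V8ScriptRunner::callFunction queries before invoking the function) and why an IsEmpty() check in the extensions caller is sufficient. The types Local, JSFunction, ModuleSystem and the functions ScriptId, CallFunction, Register, CallModuleMethodUnchecked and CallResult are stand-ins chosen for this example; they mirror the real API only in the properties the bug depends on (an empty Local holds a null slot, operator-> and ScriptId() do not check it, and GetModuleFunction returns an empty handle when the module or method lookup misses). The "messaging"/"dispatchOnConnect" module and method names in the usage are constructed sample input.

```cpp
#include <functional>
#include <map>
#include <string>

namespace model {

// Stand-in for a V8 heap object of type JSFunction (not V8's real layout).
// Only the field the crash read is modelled; it sits at offset 0 so that a read
// through a null handle faults at address 0, matching "Crash Address:
// 0x000000000000" in the ClusterFuzz report.
struct JSFunction {
  int script_id;
  std::function<int(int)> body;
};

// Stand-in for v8::Local<T>: a pointer to a handle slot. A default-constructed
// ("empty") Local holds nullptr and operator-> does not check for it, which is
// the real contract too: the caller must test IsEmpty() first.
template <typename T>
class Local {
 public:
  Local() : slot_(nullptr) {}
  explicit Local(T* slot) : slot_(slot) {}
  bool IsEmpty() const { return slot_ == nullptr; }
  T* operator->() const { return slot_; }  // unchecked, like V8
 private:
  T* slot_;
};

// Stand-in for v8::Function::ScriptId(): reads through the handle with no
// emptiness check. With an empty Local this is a null read at offset 0.
int ScriptId(Local<JSFunction> fn) { return fn->script_id; }

// Stand-in for blink::V8ScriptRunner::callFunction (frame 2 of the trace): it
// queries ScriptId() before running the function, which is why ScriptId() is
// the crashing frame rather than the call itself.
int CallFunction(Local<JSFunction> fn, int arg) {
  (void)ScriptId(fn);  // crash site when fn is empty
  return fn->body(arg);
}

struct CallResult {
  bool called;  // false when the method lookup produced an empty handle
  int value;
};

// Stand-in for extensions::ModuleSystem. Modules are registered lazily, so a
// lookup can miss because the module is not loaded in this context or because
// the export does not exist; both paths hand back an empty handle.
class ModuleSystem {
 public:
  void Register(const std::string& module, const std::string& method,
                JSFunction* fn) {
    modules_[module][method] = fn;
  }

  Local<JSFunction> GetModuleFunction(const std::string& module,
                                      const std::string& method) const {
    auto m = modules_.find(module);
    if (m == modules_.end()) return Local<JSFunction>();  // empty handle
    auto f = m->second.find(method);
    if (f == m->second.end()) return Local<JSFunction>();  // empty handle
    return Local<JSFunction>(f->second);
  }

  // Pre-fix shape: the lookup result goes straight to CallFunction, so a miss
  // dereferences an empty handle. Only call this with a known module/method;
  // it is kept to show the unguarded pattern.
  int CallModuleMethodUnchecked(const std::string& module,
                                const std::string& method, int arg) const {
    return CallFunction(GetModuleFunction(module, method), arg);
  }

  // Post-fix shape (what dedd4894 adds): bail out on an empty handle before
  // anything touches it, so a miss is a no-op instead of a renderer crash.
  CallResult CallModuleMethod(const std::string& module,
                              const std::string& method, int arg) const {
    Local<JSFunction> fn = GetModuleFunction(module, method);
    if (fn.IsEmpty()) return CallResult{false, 0};
    return CallResult{true, CallFunction(fn, arg)};
  }

 private:
  std::map<std::string, std::map<std::string, JSFunction*>> modules_;
};

}  // namespace model
```

The point of the guard is where it sits: the check has to precede every use of the handle, including the tracing read inside the script runner, so it belongs in the caller that performed the lookup, not further down. Also note that the comment from Oct 20 2016 still stands: moving the call off callFunctionEvenIfScriptDisabled only postpones this particular crash, because the empty handle is produced by the lookup, not by the calling path.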
Comment 1 by mmohammad@chromium.org, Oct 19 2016: Status: Assigned (was: Untriaged)