Crash in v8::internal::Invoke
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4615755334418432
Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0000ffffffff
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
Regressed: V8: r40719:40739
Minimized Testcase (0.64 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94R_rU7FGDYg63vtDo1uWE7FMDqvJgIfk2EvaWl2GSnCQY5wNLsRWS5mWyAUGK78NIVfKS84svYmMEjWD8SlDGwL2Fu8lkzc3B-5TVSZKVGOJurx8h-k0YIyvMwWCZDv3h7uU0RtgIUheeFr3uEScxO97SBkQ?testcase_id=4615755334418432
Issue manually filed by: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 4 2016
Awesome, a classic one again:
...
movq rax,0x100000000
cmpq [rax-0x1],rbx
...
Spot the bug... :-)
Nov 4 2016
Can be further reduced to:
----------------------------------------------------------------
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function g(v) { return v.constructor; }
g({});
g({});
function f() {
  var i = 0;
  do {
    i = i + 1;
    g(i);
  } while (i < 1);
}
%OptimizeFunctionOnNextCall(f);
f();
----------------------------------------------------------------
Problem seems to be that we do not rename on CheckHeapObject for the following CheckMaps, and CheckMaps says it's fine to have MachineRepresentation::kTagged for the receiver, thus SimplifiedLowering yields a NumberConstant[1].
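Added illustration (not part of the bug report and not V8 code) of how the two comments above fit together: the Smi 1 produced by the loop counter ends up in a receiver slot that the lowered code treats as a HeapObject pointer, and the map load `cmpq [rax-0x1],rbx` then faults at the reported crash address 0x0000ffffffff. The model assumes the x64 V8 value encoding of the time: a Smi carries its payload in the upper 32 bits of the word (so Smi 1 is 0x100000000), a HeapObject pointer is the object address plus a tag of 1, and the map is the first word of the object. Function names are the example's own.

```python
# Model of V8's x64 tagged-value encoding (2016 layout, no pointer compression).
# Added for illustration; not V8 code. Assumptions stated in the comments.
#
#   Smi:        payload << 32, low 32 bits zero          (Smi 1 == 0x100000000)
#   HeapObject: address + 1 (kHeapObjectTag), map stored at object offset 0,
#               so "load the map of p" is the read at [p - 1]  (cmpq [rax-0x1],rbx)

WORD_MASK = 0xFFFFFFFFFFFFFFFF
SMI_SHIFT = 32          # x64 Smi payload lives in the upper 32 bits
HEAP_OBJECT_TAG = 1     # low bit set marks a HeapObject pointer
TAG_MASK = 1


def encode_smi(value: int) -> int:
    """Tag an integer in SignedSmall range the way the x64 build does."""
    assert -(1 << 31) <= value < (1 << 31), "not in SignedSmall range"
    return (value << SMI_SHIFT) & WORD_MASK


def decode_smi(word: int) -> int:
    """Inverse of encode_smi, using an arithmetic shift to keep the sign."""
    if word >> 63:                 # reinterpret the unsigned word as signed
        word -= 1 << 64
    return word >> SMI_SHIFT


def is_heap_object(word: int) -> bool:
    """True if the tag bit says the word is a pointer, not a Smi."""
    return (word & TAG_MASK) == HEAP_OBJECT_TAG


def map_load_address_unchecked(word: int) -> int:
    """What the generated code in the comment above does: trust that the
    receiver is a HeapObject and compute the address of its map field."""
    return (word - HEAP_OBJECT_TAG) & WORD_MASK


def map_load_address_checked(word: int):
    """What a CheckHeapObject that is actually honoured by the following
    CheckMaps guarantees: the map is only read from a value known to be a
    pointer. A Smi yields None (the check fails) instead of a bogus address."""
    if not is_heap_object(word):
        return None
    return map_load_address_unchecked(word)


def explain_crash(value: int) -> dict:
    """Trace the Smi `value` flowing into a receiver slot typed as a pointer."""
    word = encode_smi(value)
    return {
        "tagged_word": word,
        "unchecked_map_address": map_load_address_unchecked(word),
        "checked_map_address": map_load_address_checked(word),
    }


if __name__ == "__main__":
    info = explain_crash(1)   # the loop counter i == 1 from the reduced test
    print(f"Smi 1 as a tagged word:      {info['tagged_word']:#x}")
    print(f"unchecked map load address:  {info['unchecked_map_address']:#x}")
    print(f"checked map load address:    {info['checked_map_address']}")
```

Run with `python3 tagging_model.py`: the unchecked path computes 0xffffffff, which is the Crash Address in the ClusterFuzz report, while the checked path refuses to dereference the Smi at all. That is the property the fix restores by renaming the receiver on CheckHeapObject so CheckMaps cannot see a TaggedSigned value.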
Nov 5 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 7 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/a758c19761ce6722836363ab9a5ed4437897197c

commit a758c19761ce6722836363ab9a5ed4437897197c
Author: bmeurer <bmeurer@chromium.org>
Date: Mon Nov 07 08:41:07 2016

[turbofan] Properly rename receiver on CheckHeapObject.

We need to rename the receiver on CheckHeapObject, because we don't
canonicalize numbers in SignedSmall range, and thus the representation
selection can hand out TaggedSigned values for receiver uses, even though
we checked for TaggedPointerness first.

Note that this is rather hacky and just intended to fix the bug ASAP. We
need to think about how to deal with representations in earlier
compilation stages.

BUG=chromium:662410
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2485563002
Cr-Commit-Position: refs/heads/master@{#40792}

[modify] https://crrev.com/a758c19761ce6722836363ab9a5ed4437897197c/src/compiler/js-builtin-reducer.cc
[modify] https://crrev.com/a758c19761ce6722836363ab9a5ed4437897197c/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/a758c19761ce6722836363ab9a5ed4437897197c/src/compiler/js-inlining.cc
[modify] https://crrev.com/a758c19761ce6722836363ab9a5ed4437897197c/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/a758c19761ce6722836363ab9a5ed4437897197c/src/compiler/js-native-context-specialization.h
[add] https://crrev.com/a758c19761ce6722836363ab9a5ed4437897197c/test/mjsunit/regress/regress-crbug-662410.js
Nov 8 2016
ClusterFuzz has detected this issue as fixed in range 40786:40793.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4615755334418432
Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0000ffffffff
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
Regressed: V8: r40719:40739
Fixed: V8: r40786:40793
Minimized Testcase (0.64 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94R_rU7FGDYg63vtDo1uWE7FMDqvJgIfk2EvaWl2GSnCQY5wNLsRWS5mWyAUGK78NIVfKS84svYmMEjWD8SlDGwL2Fu8lkzc3B-5TVSZKVGOJurx8h-k0YIyvMwWCZDv3h7uU0RtgIUheeFr3uEScxO97SBkQ?testcase_id=4615755334418432
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 16 2016

Feb 13 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Nov 4 2016
Components: Blink>JavaScript

Reduced repro ...
----------------------------------------------------------------
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function g(v) { v.constructor.hasOwnProperty() }
g({});
g({});
function f() {
  var i = 0;
  do {
    i = i + 1;
    g(i);
  } while(i < 1);
}
%OptimizeFunctionOnNextCall(f);
f();
----------------------------------------------------------------