New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 662935 link

Starred by 1 user
Status: Fixed
Owner:
littledan@chromium.org
Last visit > 30 days ago
Closed: Nov 2016
Cc:
jkummerow@chromium.org
yangguo@chromium.org
cbruni@chromium.org
hablich@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug

Blocking:
issue 662674



Sign in to add a comment

Crash: Promise handling can call into JS during stack overflow

Project Member Reported by jgruber@chromium.org, Nov 7 2016 
Version: Chrome 54.0.2829.0 (and possibly earlier) until current ToT (32105d214)

What steps will reproduce the problem?
(1) Cause a stack overflow while debugging is enabled and isolate_->GetPromiseOnStackOnThrow() is a JSObject.
(2) Let isolate_->PromiseHasUserDefinedRejectHandler call into JS.
(3) Crash since JS execution is disallowed in Isolate::StackOverflow.

An example bug report:
https://crash.corp.google.com/browse?q=reportid=%27cd3fe7c700000000%27#1

Besides the actual crash site in PromiseHasUserDefinedRejectHandler (in Debug::OnException),
the call to GetPromiseOnStackOnThrow (in Debug::OnThrow) looks like it could also cause JS execution.

More bug reports:

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Mac%27%20OMIT%20RECORD%20IF%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27v8%3A%3Ainternal%3A%3AIsolate%3A%3AStackOverflow()%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27v8%3A%3Ainternal%3A%3ADebug%3A%3AOnException(v8%3A%3Ainternal%3A%3AHandle%3Cv8%3A%3Ainternal%3A%3AObject%3E%2C%20v8%3A%3Ainternal%3A%3AHandle%3Cv8%3A%3Ainternal%3A%3AObject%3E)%27)%20%3D%200&ignore_case=false&enable_rewrite=false&omit_field_name=&omit_field_value=&omit_field_opt=

Comment 1 by yangguo@chromium.org, Nov 7 2016 

We probbly should do a stack check before calling PromiseHasUserDefinedRejectHandler. Alternatively, we could implement it in C++. But even then we would still have to guard against it being recursive and possibly causing another stack overflow in C++.

Comment 2 by yangguo@chromium.org, Nov 8 2016

Labels: -Pri-2 Pri-1
Project Member

Comment 3 by bugdroid1@chromium.org, Nov 9 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5975c47a6a0da2ed1c8b6ea3d1d5867452e0ab29

commit 5975c47a6a0da2ed1c8b6ea3d1d5867452e0ab29
Author: littledan <littledan@chromium.org>
Date: Wed Nov 09 07:52:44 2016

Avoid calling out to JS during stack overflow

If an exception is thrown when there is a Promise being created, the Promise
catch prediction code would call into a part implemented in JavaScript to see if
the Promise has a catch handler. If it is not possible to call back into JS,
e.g., due to a stack overflow, then this would lead to a crash. This patch
"speculates" that, if it's impossible to call back into JavaScript, then the
error is unhandled, avoding the issue. In a future patch, the catch prediction
logic should be entirely written in C++, but this patch adds a minimal fix to
be more friendly to backports.

BUG= chromium:662935 
R=jgruber

Review-Url: https://codereview.chromium.org/2487833002
Cr-Commit-Position: refs/heads/master@{#40851}

[modify] https://crrev.com/5975c47a6a0da2ed1c8b6ea3d1d5867452e0ab29/src/isolate.cc
[add] https://crrev.com/5975c47a6a0da2ed1c8b6ea3d1d5867452e0ab29/test/mjsunit/regress/regress-662935.js

Comment 4 by littledan@chromium.org, Nov 9 2016

Labels: Merge-Request-54 Merge-Request-55

Comment 5 by dimu@chromium.org, Nov 10 2016

Labels: -Merge-Request-54 Merge-Review-54 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M54), manual review required.

Comment 6 by dimu@chromium.org, Nov 10 2016

Labels: -Merge-Request-55 Merge-Approved-55 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Project Member

Comment 7 by bugdroid1@chromium.org, Nov 11 2016

Labels: merge-merged-5.5
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f1101290b2830f11a8cf86fb66de234b54bee5d3

commit f1101290b2830f11a8cf86fb66de234b54bee5d3
Author: Dan Ehrenberg <littledan@chromium.org>
Date: Fri Nov 11 00:05:12 2016

Merged: Avoid calling out to JS during stack overflow

Revision: 5975c47a6a0da2ed1c8b6ea3d1d5867452e0ab29

BUG= chromium:662935 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=adamk@chromium.org

Review URL: https://codereview.chromium.org/2494903002 .

Cr-Commit-Position: refs/branch-heads/5.5@{#36}
Cr-Branched-From: 3cbd5838bd8376103daa45d69dade929ee4e0092-refs/heads/5.5.372@{#1}
Cr-Branched-From: b3c8b0ce2c9af0528837d8309625118d4096553b-refs/heads/master@{#40015}

[modify] https://crrev.com/f1101290b2830f11a8cf86fb66de234b54bee5d3/src/isolate.cc
[add] https://crrev.com/f1101290b2830f11a8cf86fb66de234b54bee5d3/test/mjsunit/regress/regress-662935.js

Comment 8 by littledan@chromium.org, Nov 11 2016

Labels: -Merge-Approved-55

Comment 9 by littledan@chromium.org, Nov 16 2016

Labels: -Hotlist-Merge-Approved
Could someone review whether this is appropriate to merge into 54?

Comment 10 by jkummerow@chromium.org, Nov 17 2016

Cc: hablich@chromium.org cbruni@chromium.org
I recommend to merge this to M54. M54 is definitely affected, and the fix is very safe and simple.

Comment 11 by hablich@chromium.org, Nov 22 2016

Blocking: 662674
Labels: -Merge-Review-54 Merge-approved-5.4
Status: Fixed (was: Assigned)
I don't think there will be another M54 push. As this bug is part of the solution for https://bugs.chromium.org/p/chromium/issues/detail?id=662674, we should still merge it though for completeness sake.

Comment 12 by jgruber@chromium.org, Nov 22 2016

Labels: -Merge-approved-5.4
Seems like this is not relevant for M54. The JS call in OnException is already handled by the fix for  crbug.com/662674 , and the GetPromiseOnStackOnThrow call in OnThrow does not yet include a JS call.

Sign in to add a comment