Missing hole check in computed property names
Reported by andrebar...@googlemail.com, Nov 29 2016
Issue description

v8 - version: b1b7d19610414e756bb22bfafb1759c66e20e233
OS: Ubuntu 16.04
Architecture: x64

What steps will reproduce the problem?
1. Run the following script in d8:
---
var it;
function fn ({[{
  toString: (it = function*() {
    yield* eval("p");
  }(), it.next.bind(it))
}]: p}) {}

fn({});
---

What is the expected output?
No crash

What do you see instead?
Stacktrace (bbbbbbbb-bbbbbbbb) 0x118c56082351 (nil):

==== JS stack trace =========================================

Security context: 0xb88b05a61c9 <JS Object>#0#
    2: /* anonymous */ [/tmp/t.js:4] [bytecode=0xb88b05aa991 offset=191](this=0x56177283239 <JS Global Object>#1#)
    3: next(this=0x561772892f1 <JS Generator>#2#,0x118c56082311 <undefined>)
    4: arguments adaptor frame: 0->1
    9: fn [/tmp/t.js:5] [bytecode=0xb88b05aae01 offset=102](this=0x56177283239 <JS Global Object>#1#,/* anonymous */=0x56177288da9 <an Object with map 0x149579e83179>#3#)
   10: /* anonymous */ [/tmp/t.js:8] [pc=0x2b61cf68529a](this=0x56177283239 <JS Global Object>#1#)

==== Details ================================================

[2]: /* anonymous */ [/tmp/t.js:4] [bytecode=0xb88b05aa991 offset=191](this=0x56177283239 <JS Global Object>#1#) {
  // heap-allocated locals
  var this = 0x56177283239 <JS Global Object>#1#
  var .new.target = 0x118c56082311 <undefined>
  var .generator_object = 0x561772892f1 <JS Generator>#2#
  var /* anonymous */ = 0x118c56082311 <undefined>
  var /* anonymous */ = 0
  var /* anonymous */ = 0x118c56082311 <undefined>
  var /* anonymous */ = 0x118c56082311 <undefined>
  var /* anonymous */ = 0x118c56082311 <undefined>
  var /* anonymous */ = 0x118c56082311 <undefined>
  var /* anonymous */ = 0x118c56082311 <undefined>
  var .result = 0x118c56082311 <undefined>
  var arguments = 0x56177288fb9 <an Arguments with map 0x149579e87321>#4#
  // expression stack (top to bottom)
  [16] : 74
  [15] : 54
  [14] : 0
  [13] : 0x56177288ee1 <JS Function (SharedFunctionInfo 0xb88b05aa719)>#5#
  [12] : 0x118c560892c1 <String[1]: p>
  [11] : 0xb88b05959b9 <JS Function eval (SharedFunctionInfo 0x118c560e68c1)>#6#
  [10] : 0x118c560892c1 <String[1]: p>
  [09] : 0x118c56082311 <undefined>
  [08] : 0x56177289c39 <JS Function (SharedFunctionInfo 0xb88b05ab709)>#7#
  [07] : 0x118c56082351 <the hole>
  [06] : 0x561772892f1 <JS Generator>#2#
  [05] : 0x56177288f29 <FixedArray[16]>#8#
  [04] : 0x118c56082311 <undefined>
  [03] : 0x118c56082311 <undefined>
  [02] : -2
  [01] : 0x118c56082311 <undefined>
  [00] : 0x56177288df1 <FixedArray[8]>#9#
--------- s o u r c e c o d e ---------
function () {\x0a yield* eval("p");\x0a }
-----------------------------------------
}

[3]: next(this=0x561772892f1 <JS Generator>#2#,0x118c56082311 <undefined>) {
  // optimized frame
--------- s o u r c e c o d e ---------
<No Source>
-----------------------------------------
}

[4]: arguments adaptor frame: 0->1 {
}

[9]: fn [/tmp/t.js:5] [bytecode=0xb88b05aae01 offset=102](this=0x56177283239 <JS Global Object>#1#,/* anonymous */=0x56177288da9 <an Object with map 0x149579e83179>#3#) {
  // stack-allocated locals
  var /* anonymous */ = 0x56177288da9 <an Object with map 0x149579e83179>#3#
  // heap-allocated locals
  var this = 0x56177283239 <JS Global Object>#1#
  var .new.target = 0x118c56082311 <undefined>
  var p = 0x118c56082351 <the hole>
  var arguments = 0x56177288e59 <an Arguments with map 0x149579e87dc9>#10#
  // expression stack (top to bottom)
  [07] : 0x561772892f1 <JS Generator>#2#
  [06] : 0x561772892f1 <JS Generator>#2#
  [05] : 0xb88b059d781 <JS Function next (SharedFunctionInfo 0x118c560c8c41)>#11#
  [04] : 0xb88b0590b59 <JS Function bind (SharedFunctionInfo 0x118c560cbbf9)>#12#
  [03] : 0x56177288eb1 <an Object with map 0x149579e8c391>#13#
  [02] : 0x118c56082311 <undefined>
  [01] : 0xb88b0583bf9 <FixedArray[242]>#14#
--------- s o u r c e c o d e ---------
function fn({[{\x0a toString: (it = function*() {\x0a yield* eval("p");\x0a }(), it.next.bind(it))\x0a}]: p}) {}
-----------------------------------------
}

[10]: /* anonymous */ [/tmp/t.js:8] [pc=0x2b61cf68529a](this=0x56177283239 <JS Global Object>#1#) {
  // stack-allocated locals
  var .result = 0x118c56082311 <undefined>
  // expression stack (top to bottom)
  [03] : 0x56177288da9 <an Object with map 0x149579e83179>#3#
  [02] : 0x56177283239 <JS Global Object>#1#
  [01] : 0xb88b05aa359 <JS Function fn (SharedFunctionInfo 0xb88b05aa019)>#15#
--------- s o u r c e c o d e ---------
var it;\x0afunction fn ({[{\x0a toString: (it = function*() {\x0a yield* eval("p");\x0a }(), it.next.bind(it))\x0a}]: p}) {}\x0a\x0afn({});\x0a
-----------------------------------------
}

==== Key ============================================

#0# 0xb88b05a61c9: 0xb88b05a61c9 <JS Object>
#1# 0x56177283239: 0x56177283239 <JS Global Object>
#2# 0x561772892f1: 0x561772892f1 <JS Generator>
#3# 0x56177288da9: 0x56177288da9 <an Object with map 0x149579e83179>
#4# 0x56177288fb9: 0x56177288fb9 <an Arguments with map 0x149579e87321>
  length: 0
  callee: 0x56177288ee1 <JS Function (SharedFunctionInfo 0xb88b05aa719)>#5#
#5# 0x56177288ee1: 0x56177288ee1 <JS Function (SharedFunctionInfo 0xb88b05aa719)>
#6# 0xb88b05959b9: 0xb88b05959b9 <JS Function eval (SharedFunctionInfo 0x118c560e68c1)>
#7# 0x56177289c39: 0x56177289c39 <JS Function (SharedFunctionInfo 0xb88b05ab709)>
#8# 0x56177288f29: 0x56177288f29 <FixedArray[16]>
  0: 0x56177288ee1 <JS Function (SharedFunctionInfo 0xb88b05aa719)>#5#
  1: 0x56177288df1 <FixedArray[8]>#9#
  3: 0xb88b0583bf9 <FixedArray[242]>#14#
  4: 0x56177283239 <JS Global Object>#1#
  5: 0x118c56082311 <undefined>
  6: 0x561772892f1 <JS Generator>#2#
  7: 0x118c56082311 <undefined>
  8: 0
  9: 0x118c56082311 <undefined>
  ...
#9# 0x56177288df1: 0x56177288df1 <FixedArray[8]>
  0: 0xb88b05aa359 <JS Function fn (SharedFunctionInfo 0xb88b05aa019)>#15#
  1: 0xb88b0583bf9 <FixedArray[242]>#14#
  3: 0xb88b0583bf9 <FixedArray[242]>#14#
  4: 0x56177283239 <JS Global Object>#1#
  5: 0x118c56082311 <undefined>
  7: 0x56177288e59 <an Arguments with map 0x149579e87dc9>#10#
#10# 0x56177288e59: 0x56177288e59 <an Arguments with map 0x149579e87dc9>
  length: 1
#11# 0xb88b059d781: 0xb88b059d781 <JS Function next (SharedFunctionInfo 0x118c560c8c41)>
#12# 0xb88b0590b59: 0xb88b0590b59 <JS Function bind (SharedFunctionInfo 0x118c560cbbf9)>
#13# 0x56177288eb1: 0x56177288eb1 <an Object with map 0x149579e8c391>
  toString: 0x56177289391 <JS BoundFunction (BoundTargetFunction 0xb88b059d781)>#16#
#14# 0xb88b0583bf9: 0xb88b0583bf9 <FixedArray[242]>
  0: 0xb88b0584399 <JS Function (SharedFunctionInfo 0x118c56087f01)>#17#
  1: 0
  2: 0xb88b05a61c9 <JS Object>#0#
  3: 0xb88b0583bf9 <FixedArray[242]>#14#
  4: 0x56177283239 <JS Global Object>#1#
  5: 0xb88b05987b1 <FixedArray[3]>#18#
  6: 0x149579e86da1 <Map(FAST_HOLEY_ELEMENTS)>#19#
  7: 0x118c56082311 <undefined>
  8: 0xb88b0595431 <JS Function ArrayBuffer (SharedFunctionInfo 0x118c560df461)>#20#
  9: 0x149579e86509 <Map(FAST_HOLEY_SMI_ELEMENTS)>#21#
  ...
#15# 0xb88b05aa359: 0xb88b05aa359 <JS Function fn (SharedFunctionInfo 0xb88b05aa019)>
#16# 0x56177289391: 0x56177289391 <JS BoundFunction (BoundTargetFunction 0xb88b059d781)>
#17# 0xb88b0584399: 0xb88b0584399 <JS Function (SharedFunctionInfo 0x118c56087f01)>
#18# 0xb88b05987b1: 0xb88b05987b1 <FixedArray[3]>
  0: 0x118c56082311 <undefined>
  1: 0
  2: 0x118c56082311 <undefined>
#19# 0x149579e86da1: 0x149579e86da1 <Map(FAST_HOLEY_ELEMENTS)>
#20# 0xb88b0595431: 0xb88b0595431 <JS Function ArrayBuffer (SharedFunctionInfo 0x118c560df461)>
#21# 0x149579e86509: 0x149579e86509 <Map(FAST_HOLEY_SMI_ELEMENTS)>
=====================

Received signal 4 ILL_ILLOPN 000000f06012

==== C stack trace ===============================

 [0x000000f01ebe]
 [0x000000f01e33]
 [0x7fc55e0483e0]
 [0x000000f06012]
 [0x0000014ce4df]
 [0x000001508a98]
 [0x000000f76bd6]
 [0x000000f7c20e]
 [0x000000f7c19b]
 [0x00000147f3c6]
 [0x00000148707b]
 [0x000001490076]
 [0x00000148fd34]
 [0x2b61cf5843a7]
[end of stack trace]
Illegal instruction (core dumped)
Nov 29 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5145630944264192
Nov 29 2016
This doesn't seem to repro on Chrome yet (please correct me if I'm wrong). Jochen, would you mind helping with triaging this one? Assuming a high severity (not sure how to interpret the crash output).
Nov 29 2016
Nov 30 2016
I'm looking at this now.
Nov 30 2016
Nov 30 2016
Leszek, this looks like a bug in your CL
"[interpreter] Add a fast path for dynamic local load".
Simpler repro:
function f({[(() => print(eval("p")))()]: p}) {}
f({});
This prints "hole". Forcing the slow path results in the correct behavior (ReferenceError due to failing hole check).
Nov 30 2016
I'll take a look, thanks.
Nov 30 2016
Is this hole crash caused by the same bug, or is it a different issue?
---
function* g(v) { yield* v; }
var r;
for (let [a = (r = () => g(eval("a")).next()), b = r()] of [[]]);
---
Adapted from:
---
var r;
for (let [a = (r = () => a), b = r()] of [[]]);
---
Expected: No error.
Actual: Throws ReferenceError "a is not defined".
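The reporter's script, the simpler repro from the triage comment above, and the for-of variant from the comment just above, collected as an added example that is not part of the bug report or of V8's own test suite. It assumes an engine on which the hole check has been fixed (current Node.js, for instance) and shows the behaviour the thread calls correct: a direct eval that reads a destructured binding while its pattern's computed key is still being evaluated must throw a ReferenceError rather than observe the hole (the crashing build leaked `p = <the hole>` into the generator frame, as the `[9]: fn` frame of the dump shows), while the same eval read after the binding is initialised succeeds. d8's `print()` from the simpler repro is dropped, and the for-of case is reduced to the eval read so that it returns a value rather than yielding over one.

```javascript
// Added example, not code from the bug report or from V8: it exercises the
// three shapes reported in this thread on an engine where the TDZ hole check
// is performed as specified (current Node.js / V8 is assumed). A destructured
// binding is "the hole" until its pattern initialises it; a direct eval that
// reads it before then must throw a ReferenceError instead of observing the
// hole value, which is what the crashing build leaked into a generator frame.

// Run `thunk` and classify the outcome: "ok" for a normal return, otherwise
// the name of the thrown error's constructor (e.g. "ReferenceError").
function probe(thunk) {
  try {
    thunk();
    return "ok";
  } catch (e) {
    return e instanceof Error ? e.constructor.name : "non-Error throw";
  }
}

// Shape 1: the simpler repro from the triage comment, with d8's print()
// dropped. The arrow runs while `p` is still uninitialised, so the direct
// eval hits the hole check.
function simpleRepro() {
  function f({ [(() => eval("p"))()]: p }) {}
  f({});
}

// Shape 2: the original report. ToPropertyKey on the key object calls its
// toString, which is a bound generator `next`; the generator's
// `yield* eval("p")` reads `p` before destructuring has initialised it.
function generatorRepro() {
  let it;
  function fn({ [{
    toString: (it = (function* () { yield* eval("p"); })(), it.next.bind(it)),
  }]: p }) {}
  fn({});
}

// Shape 3: the for-of form from the later comment, reduced to the eval read.
// Here `a` is initialised by its own default before `b`'s default calls r(),
// so the same eval path must succeed and see `a`, not the hole.
function forOfRepro() {
  let r;
  for (let [a = (r = () => eval("a")), b = r()] of [[]]) {
    return b === a ? "ok" : "mismatch";
  }
  return "no iteration";
}

// Expected on a fixed engine: ReferenceError, ReferenceError, "ok".
function results() {
  return {
    simple: probe(simpleRepro),
    generator: probe(generatorRepro),
    forOf: forOfRepro(),
  };
}

console.log(results());
```

On the build in the report, the first shape printed "hole" and the second crashed with the stack dump above; an engine that performs the hole check reports a ReferenceError for both and completes the third without error.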
Nov 30 2016
I'd think this is the same.
Dec 13 2016
Dec 14 2016
Mar 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 12
Nov 28
We're catching up on older bugs with Security_Impact-None in our reward panel. Would people from the V8 team here be able to comment on the exploitability of this issue? Thanks!