Issue 669850

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

size <= kMaxRegularHeapObjectSize in runtime-internal.cc

Project Member Reported by ClusterFuzz, Nov 30 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6729153148878848

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  
Regressed: V8: r40662:40668

Minimized Testcase (0.30 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv946fX4UdGtd0u1xZ-cIjQlX3d0SF-pLwxhJKT3z9Ba42EmSzZXKh1k7BoYB7iUBoNC8zN-TEl3vY_V0RYayvnDQkyLpVWm9bXosIEZl9bCZu0hFMCsOe5Y7IG0i0Jgl1-lHXzZm_8KUlP-wAGexKYK-QStE5Q?testcase_id=6729153148878848
try {
__v_2 = [];
__v_2[1<<17] = function() { return 1; };
__v_16 = {
  get b() {},
  d: 4
};
} catch(e) {; }
function __f_1() {
  var __v_4 = eval(__v_5);
}
function __f_2() {
  return __v_2;
}
__v_5 = '([' + __f_2() + '])';
for (var __v_3 = 0; __v_3 < 5; __v_3++) {
  __f_1();
}


Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>JavaScript
Cc: bmeu...@chromium.org rmcilroy@chromium.org
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)
Regression range points to shipping Ignition at b4b436de6ad42e83d259418965a1a62c540a9fc7. I will investigate.
Simplified repro ...

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --turbo

eval('function f(a) { return [' + new Array(1 << 17) + ',a] }');
assertEquals(23, f(23)[1 << 17]);
assertEquals(42, f(42)[1 << 17]);
%OptimizeFunctionOnNextCall(f);
assertEquals(65, f(65)[1 << 17]);

Project Member Comment 4 by bugdroid1@chromium.org, Dec 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/8242966399837081e6e77456dc47ff3b1bef55a1

commit 8242966399837081e6e77456dc47ff3b1bef55a1
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Dec 01 09:21:58 2016

[turbofan] Add size DCHECK for inline allocations.

This ensure that all inline allocations generated by {JSCreateLowering}
will fit into a regular heap page. Allocations targeting LO-space must
be done via a slower runtime call.

R=bmeurer@chromium.org
BUG= chromium:669850 

Review-Url: https://codereview.chromium.org/2533353003
Cr-Commit-Position: refs/heads/master@{#41412}

[modify] https://crrev.com/8242966399837081e6e77456dc47ff3b1bef55a1/src/compiler/js-create-lowering.cc

Project Member Comment 5 by bugdroid1@chromium.org, Dec 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f8fec66f0be7489de4673a6271f893b05d11b49c

commit f8fec66f0be7489de4673a6271f893b05d11b49c
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Dec 01 12:00:45 2016

[turbofan] Workaround for unknown array literal length.

This fixes the existing workaround in {BytecodeGraphBuilder} where the
number of elements in an array literal is unknown just from the bytecode
alone and needs to be deduced from the constant elements.

Note that this is just a quick fix to prevent calling the fast-clone
stub for boilerplates that are too big to fit on a regular page. In the
long run we need something more solid here.

R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-669850
BUG= chromium:669850 

Review-Url: https://codereview.chromium.org/2542633002
Cr-Commit-Position: refs/heads/master@{#41420}

[modify] https://crrev.com/f8fec66f0be7489de4673a6271f893b05d11b49c/src/compiler/bytecode-graph-builder.cc
[add] https://crrev.com/f8fec66f0be7489de4673a6271f893b05d11b49c/test/mjsunit/regress/regress-crbug-669850.js
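The two commits above share one rule: a boilerplate produced by an inline allocation in the optimizing compiler must fit on a regular heap page, and a literal whose element count the bytecode does not carry has to have that count deduced from its constant elements before the check can be made. The following is an added illustration of that decision, not V8's code and not taken from either commit. The constants (kPointerSize, kFixedArrayHeaderSize, the value of kMaxRegularHeapObjectSize) and the function names are assumptions chosen for the example; the real values live in V8's source and differ by build.

```cpp
// Added example (not V8 code): the "inline vs. runtime allocation" decision
// that the size guard in the commits above enforces.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Assumed, illustrative constants standing in for V8's real ones.
constexpr size_t kPointerSize = 8;                          // assumed: 64-bit build
constexpr size_t kFixedArrayHeaderSize = 2 * kPointerSize;  // assumed: map + length
constexpr size_t kMaxRegularHeapObjectSize = 507136;        // assumed value

enum class AllocPath { kInline, kRuntime, kInvalid };

// Byte size of a FixedArray backing store holding `length` elements.
// Returns false on arithmetic overflow instead of silently wrapping, so a
// huge element count can never masquerade as a small object.
bool FixedArraySizeFor(size_t length, size_t* out_size) {
  const size_t max_length =
      (std::numeric_limits<size_t>::max() - kFixedArrayHeaderSize) / kPointerSize;
  if (length > max_length) return false;
  *out_size = kFixedArrayHeaderSize + length * kPointerSize;
  return true;
}

// The bytecode does not carry the literal's element count, so it is deduced
// from the constant elements the literal references (the approach the second
// commit takes). Holes are still elements, so a sparse literal like
// [ <1<<17 holes>, a ] is counted at its full length.
size_t DeduceLiteralLength(const std::vector<int64_t>& constant_elements) {
  return constant_elements.size();
}

// Mirror of the guard: inline allocation only when the object fits a regular
// page; anything larger must go through the slower runtime call so that it
// lands in large-object space.
AllocPath ChooseBoilerplateAllocation(size_t length) {
  size_t size = 0;
  if (!FixedArraySizeFor(length, &size)) return AllocPath::kInvalid;
  return size <= kMaxRegularHeapObjectSize ? AllocPath::kInline
                                           : AllocPath::kRuntime;
}

// Largest element count that still fits a regular page under the assumed
// constants; useful for checking the boundary exactly.
size_t MaxInlineLength() {
  return (kMaxRegularHeapObjectSize - kFixedArrayHeaderSize) / kPointerSize;
}

int main() {
  // The bug's literal had 1 << 17 elements; under the assumed constants that
  // is far past what a regular page can hold.
  const size_t lengths[] = {1u << 10, MaxInlineLength(), MaxInlineLength() + 1,
                            1u << 17};
  for (size_t n : lengths) {
    const AllocPath p = ChooseBoilerplateAllocation(n);
    std::printf("%zu elements -> %s\n", n,
                p == AllocPath::kInline ? "inline" : p == AllocPath::kRuntime
                                                          ? "runtime"
                                                          : "invalid");
  }
  return 0;
}
```

The overflow check in FixedArraySizeFor is the part worth copying into any similar fast path: a size comparison is only a guard if the size it compares was computed without wrapping.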

Project Member Comment 6 by ClusterFuzz, Dec 2 2016

ClusterFuzz has detected this issue as fixed in range 41419:41436.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6729153148878848

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  
Regressed: V8: r40662:40668
Fixed: V8: r41419:41436

Minimized Testcase (0.30 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv946fX4UdGtd0u1xZ-cIjQlX3d0SF-pLwxhJKT3z9Ba42EmSzZXKh1k7BoYB7iUBoNC8zN-TEl3vY_V0RYayvnDQkyLpVWm9bXosIEZl9bCZu0hFMCsOe5Y7IG0i0Jgl1-lHXzZm_8KUlP-wAGexKYK-QStE5Q?testcase_id=6729153148878848
try {
__v_2 = [];
__v_2[1<<17] = function() { return 1; };
__v_16 = {
  get b() {},
  d: 4
};
} catch(e) {; }
function __f_1() {
  var __v_4 = eval(__v_5);
}
function __f_2() {
  return __v_2;
}
__v_5 = '([' + __f_2() + '])';
for (var __v_3 = 0; __v_3 < 5; __v_3++) {
  __f_1();
}


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)