size <= kMaxRegularHeapObjectSize in runtime-internal.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5346313224060928
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: size <= kMaxRegularHeapObjectSize in runtime-internal.cc
Regressed: V8: r41337:41338
Minimized Testcase (0.94 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94RDOamdqw-653tvXG6yzS5L44LTr7_STKCcbZQj0cfYpgVuMRYJZuI1uFbHrc8aAIdcIj2ep3J4YVwvGGCZgkq6QynrxNt1Xdwy4FqLFXSoQE70pFnoMLvk2WFYRbroiQwC-zAy8Bnor4nE2x24qxKWl1Z1Q?testcase_id=5346313224060928
Additional requirements: Requires Gestures
Issue manually filed by: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 2 2016
Looks like this is caused by missing size checks when allocating the result array for @@match.
Dec 5 2016
Working on it. Smaller repro:
// mjsunit test: assertThrows comes from V8's test/mjsunit/mjsunit.js harness.
var re = /foo.bar/;
// Own accessor shadows RegExp.prototype.global; it returns a function, which is truthy.
re.__defineGetter__("global", () => () => undefined);
assertThrows(() => "foo*bar".match(re), RangeError);
As suspected, we trigger an endless loop within @@match and overrun first the large object space size limit and then the maximal array size.
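To make the endless loop concrete, here is an added example (not code from this bug thread or from V8) that models the RegExp.prototype[@@match] loop as the spec writes it, with an exec-call cap so the unbounded growth can be observed without exhausting memory. The names modelSymbolMatch, spoofedRegExp, execIgnoresLastIndex and the cap are assumptions of this example, not V8 identifiers. The point it shows: the loop is entered because the `global` property is truthy, but the built-in exec consults the regexp's internal flags (neither g nor y), so it ignores lastIndex, keeps returning the same non-empty match at index 0, and never advances; only an empty match forces lastIndex forward. A genuine /g regexp and an empty-match case are included for contrast.

```javascript
"use strict";

// Builds the regexp from the repro: a non-global literal whose own `global`
// property is overridden by a getter returning a (truthy) function.
function spoofedRegExp() {
  const re = /foo.bar/;
  re.__defineGetter__("global", () => () => undefined);
  return re;
}

// Probe of the built-in exec on the spoofed regexp: it matches at 0 regardless
// of lastIndex and does not write lastIndex back, while the `flags` getter
// (which reads the `global` property, like the @@match loop) reports "g".
function execIgnoresLastIndex(rx, str) {
  rx.lastIndex = 5;
  const m = rx.exec(str);
  return {
    flags: rx.flags,
    matchIndex: m === null ? -1 : m.index,
    lastIndexAfter: rx.lastIndex,
  };
}

// Spec AdvanceStringIndex, restricted to BMP input (no surrogate handling).
function advanceStringIndex(s, index) {
  return index + 1;
}

// Model of RegExp.prototype[@@match]. `maxExecCalls` is a cap added for this
// example; the real builtin loops until the result array cannot grow further.
function modelSymbolMatch(rx, str, maxExecCalls) {
  if (!rx.global) {
    const m = rx.exec(str);
    return { status: "done", matches: m === null ? null : [m[0]], execCalls: 1 };
  }
  rx.lastIndex = 0;
  const matches = [];
  let execCalls = 0;
  for (;;) {
    if (execCalls === maxExecCalls) {
      // This is where V8 kept allocating: the result array overran the large
      // object space limit and then the maximum array length.
      return { status: "unbounded", matches, execCalls };
    }
    const m = rx.exec(str);
    execCalls++;
    if (m === null) return { status: "done", matches, execCalls };
    const matchStr = String(m[0]);
    matches.push(matchStr);
    // Only an empty match forces lastIndex forward; a non-empty match relies
    // on exec having advanced lastIndex itself, which a non-global regexp
    // with a spoofed `global` property never does.
    if (matchStr === "") rx.lastIndex = advanceStringIndex(str, rx.lastIndex);
  }
}

// Constructed inputs: the repro's string plus two well-behaved contrasts.
function runCases(cap = 1000) {
  return {
    genuineGlobal: modelSymbolMatch(/foo.bar/g, "foo*bar", cap),
    emptyMatches: modelSymbolMatch(/x*/g, "ab", cap),
    spoofedGlobal: modelSymbolMatch(spoofedRegExp(), "foo*bar", cap),
    execProbe: execIgnoresLastIndex(spoofedRegExp(), "foo*bar"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runCases(), null, 2));
}
```

Running it with node prints the three loop outcomes: the genuine /g case stops after two exec calls, the empty-match case walks the string with AdvanceStringIndex, and the spoofed case hits the cap with the result array still growing. The execProbe field is the check worth keeping in mind when reviewing this class of bug: any property-driven decision (`global`, `flags`) can disagree with the internal flags that the matcher actually uses, so a loop that trusts the property must bound its work independently.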
Dec 6 2016
Users experienced this crash on the following builds:
Win Canary 57.0.2939.0 - 0.32 CPM, 35 reports, 18 clients (signature v8::internal::Runtime_AllocateInNewSpace)
Mac Canary 57.0.2939.0 - 60.82 CPM, 1396 reports, 681 clients (signature v8::internal::Runtime_AllocateInNewSpace)
If this update was incorrect, please add the "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Dec 6 2016
Users experienced this crash on the following builds:
Win Canary 57.0.2942.0 - 217.86 CPM, 1460 reports, 1069 clients (signature v8::internal::Runtime_AllocateInNewSpace)
Mac Canary 57.0.2939.0 - 59.46 CPM, 1435 reports, 701 clients (signature v8::internal::Runtime_AllocateInNewSpace)
Linux Beta 55.0.2883.75 - 0.52 CPM, 3 reports, 3 clients (signature v8::internal::Runtime_AllocateInNewSpace)
If this update was incorrect, please add the "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Dec 7 2016
ClusterFuzz has detected this issue as fixed in range 41525:41526.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5346313224060928
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: size <= kMaxRegularHeapObjectSize in runtime-internal.cc
Regressed: V8: r41337:41338
Fixed: V8: r41525:41526
Minimized Testcase (0.94 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94RDOamdqw-653tvXG6yzS5L44LTr7_STKCcbZQj0cfYpgVuMRYJZuI1uFbHrc8aAIdcIj2ep3J4YVwvGGCZgkq6QynrxNt1Xdwy4FqLFXSoQE70pFnoMLvk2WFYRbroiQwC-zAy8Bnor4nE2x24qxKWl1Z1Q?testcase_id=5346313224060928
Additional requirements: Requires Gestures
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 7 2016
Windows and Mac Canary (57.0.2944.0) have been live for 6 and 8 hours respectively without any crash instances, as per Issue 670575 duped in C#6. Adding the Verified label therefore.
Comment 1 by mstarzinger@chromium.org, Dec 2 2016
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)