Issue 670671

Starred by 5 users

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Regression

Blocking:
issue 670575


size <= kMaxRegularHeapObjectSize in runtime-internal.cc

Project Member Reported by ClusterFuzz, Dec 2 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5346313224060928

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  
Regressed: V8: r41337:41338

Minimized Testcase (0.94 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94RDOamdqw-653tvXG6yzS5L44LTr7_STKCcbZQj0cfYpgVuMRYJZuI1uFbHrc8aAIdcIj2ep3J4YVwvGGCZgkq6QynrxNt1Xdwy4FqLFXSoQE70pFnoMLvk2WFYRbroiQwC-zAy8Bnor4nE2x24qxKWl1Z1Q?testcase_id=5346313224060928

Additional requirements: Requires Gestures

Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ishell@chromium.org
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)
Regression range points to 4e7571a5a9bb8563ae93e0aff48c08bead765b14.

Comment 2 by jgruber@google.com, Dec 2 2016

Looks like this is caused by missing size checks when allocating the result array for @@match.

Comment 3 by jgruber@google.com, Dec 5 2016

Working on it. Smaller repro:

var re = /foo.bar/;
// Override the observable "global" flag with a getter that returns a function (truthy),
// so @@match takes the global path although the RegExp itself is not global.
re.__defineGetter__("global", () => () => undefined);
// assertThrows comes from V8's mjsunit test harness (run under d8 with mjsunit.js).
assertThrows(() => "foo*bar".match(re), RangeError);

As suspected, we trigger an endless loop within @@match and overrun first the large object space size limit and then the maximal array size.
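The mechanism described in this comment, as an added illustration that is not code from the bug tracker or from V8: a JavaScript model of the RegExp.prototype[@@match] loop, with a hypothetical bound (MAX_MATCHES) standing in for the allocation size check the fix added, plus a hypothetical helper (globalIsSpoofed) that compares the observable "global" property with what the prototype getter reports for the same RegExp.

```javascript
// Added example, not V8 code: a JavaScript model of the loop in
// RegExp.prototype[Symbol.match] (ES2016 21.2.5.6). Names (specMatch,
// MAX_MATCHES, globalIsSpoofed) are hypothetical.
//
// The spec reads the observable "global" property, so a getter installed on
// the instance can send a non-global RegExp down the global branch. exec()
// on a non-global, non-sticky RegExp always searches from index 0 and never
// updates lastIndex, so that branch never sees null: the result array grows
// until allocation fails. MAX_MATCHES stands in for the size check the fix
// added, turning the failure into a RangeError instead of a CHECK failure.
const MAX_MATCHES = 10000; // constructed bound; V8 checks its real heap limits

function specMatch(re, s) {
  const global = Boolean(re.global);   // observable property, may be spoofed
  if (!global) return re.exec(s);      // non-global: one exec result or null
  re.lastIndex = 0;
  const results = [];
  for (;;) {
    const m = re.exec(s);
    if (m === null) return results.length === 0 ? null : results;
    const matchStr = String(m[0]);
    if (results.length >= MAX_MATCHES) {
      throw new RangeError("@@match result exceeds maximum array size");
    }
    results.push(matchStr);
    if (matchStr === "") re.lastIndex += 1; // AdvanceStringIndex, simplified
  }
}

// The prototype getter reads the RegExp's internal [[OriginalFlags]], so it
// is not affected by an own-property getter on the instance. Comparing the
// two reveals a "global" value that disagrees with the real flags, which is
// exactly the condition that makes the loop above endless.
const protoGlobal = Object.getOwnPropertyDescriptor(RegExp.prototype, "global").get;
function globalIsSpoofed(re) {
  return Boolean(re.global) !== protoGlobal.call(re);
}
```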
Blocking: 670575
Blocking: -670575
Blocking: 670575
Issue 670575 has been merged into this issue.

Comment 7 by ajha@chromium.org, Dec 6 2016

Labels: -Type-Bug ReleaseBlock-Dev M-57 OS-Mac OS-Windows Type-Bug-Regression
Project Member Comment 8 by sheriffbot@chromium.org, Dec 6 2016

Labels: FoundIn-M-57 Fracas
Users experienced this crash on the following builds:

Win Canary 57.0.2939.0 -  0.32 CPM, 35 reports, 18 clients (signature v8::internal::Runtime_AllocateInNewSpace)
Mac Canary 57.0.2939.0 -  60.82 CPM, 1396 reports, 681 clients (signature v8::internal::Runtime_AllocateInNewSpace)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
Project Member Comment 9 by sheriffbot@chromium.org, Dec 6 2016

Labels: FoundIn-M-55
Users experienced this crash on the following builds:

Win Canary 57.0.2942.0 -  217.86 CPM, 1460 reports, 1069 clients (signature v8::internal::Runtime_AllocateInNewSpace)
Mac Canary 57.0.2939.0 -  59.46 CPM, 1435 reports, 701 clients (signature v8::internal::Runtime_AllocateInNewSpace)
Linux Beta 55.0.2883.75 -  0.52 CPM, 3 reports, 3 clients (signature v8::internal::Runtime_AllocateInNewSpace)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
Status: Fixed (was: Assigned)
Should be fixed by

https://codereview.chromium.org/2555703003/
Project Member Comment 11 by ClusterFuzz, Dec 7 2016

ClusterFuzz has detected this issue as fixed in range 41525:41526.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5346313224060928

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  
Regressed: V8: r41337:41338
Fixed: V8: r41525:41526

Minimized Testcase (0.94 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94RDOamdqw-653tvXG6yzS5L44LTr7_STKCcbZQj0cfYpgVuMRYJZuI1uFbHrc8aAIdcIj2ep3J4YVwvGGCZgkq6QynrxNt1Xdwy4FqLFXSoQE70pFnoMLvk2WFYRbroiQwC-zAy8Bnor4nE2x24qxKWl1Z1Q?testcase_id=5346313224060928

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by ajha@chromium.org, Dec 7 2016

Labels: TE-Verified-57.0.2944.0 TE-Verified-57
Windows and Mac Canary (57.0.2944.0) have been live for 6 and 8 hours respectively without any crash instances, as per Issue 670575, duped in c#6.

Adding the verified label therefore.
