Security: Crash in v8::internal::WasmInstanceWrapper::instance_object
Reported by chromium...@gmail.com, Dec 6 2016
Issue description

VERSION
Chrome Version: 57.0.2943.0 canary
Operating System: Windows 7

REPRODUCTION CASE
1. Enable Experimental WebAssembly at chrome://flags/#enable-webassembly
2. Launch the testcase.

rax=000000000b400000 rbx=0000000002f68880 rcx=000002a308102311
rdx=000000000014ccb0 rsi=000000000b41f286 rdi=000000000014ccb0
rip=000007fee0dcc2af rsp=000000000014cc50 rbp=000002a308102311
 r8=0000000000000001  r9=000001e472980001 r10=0000000000000003
r11=00000000000000ac r12=0000000000000001 r13=0000000000343f78
r14=fffffffffff80000 r15=0000000000343eb0
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=0000 ds=0000 es=0000 fs=0053 gs=002b efl=00010206
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!v8::internal::WasmInstanceWrapper::instance_object+0x23:
000007fe`e0dcc2af 488b5838 mov rbx,qword ptr [rax+38h] ds:00000000`0b400038=????????????????
0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0014cc50 000007fe`e0dc89d6 chrome_child!v8::internal::WasmInstanceWrapper::instance_object+0x23 [c:\b\build\slave\win64-pgo\build\src\v8\src\wasm\wasm-objects.h @ 342]
00000000`0014cc80 000007fe`e06c4771 chrome_child!v8::internal::wasm::GrowWebAssemblyMemory+0xde [c:\b\build\slave\win64-pgo\build\src\v8\src\wasm\wasm-module.cc @ 2218]
00000000`0014cd00 000007fe`e0dad788 chrome_child!v8::internal::wasm::GrowMemory+0x1a5 [c:\b\build\slave\win64-pgo\build\src\v8\src\wasm\wasm-module.cc @ 2280]
00000000`0014cd60 000001e4`7288442b chrome_child!v8::internal::Runtime_WasmGrowMemory+0x144 [c:\b\build\slave\win64-pgo\build\src\v8\src\runtime\runtime-wasm.cc @ 43]
00000000`0014cda0 000007fe`e0dad643 0x1e4`7288442b
00000000`0014cda8 00000000`0014cde8 chrome_child!v8::internal::Runtime_WasmGetCaughtExceptionValue+0x7f
00000000`0014cdb0 00000382`317201b9 0x14cde8
00000000`0014cdb8 00000000`00000001 0x382`317201b9
00000000`0014cdc0 00000000`0014ce90 0x1
00000000`0014cdc8 00000001`00000000 0x14ce90
00000000`0014cdd0 000001e4`72884341 0x1`00000000
00000000`0014cdd8 00000000`0014cda0 0x1e4`72884341
00000000`0014cde0 00000003`00000000 0x14cda0
00000000`0014cde8 00000000`0014ce08 0x3`00000000
00000000`0014cdf0 000001e4`72987b26 0x14ce08
00000000`0014cdf8 00000001`00000000 0x1e4`72987b26
00000000`0014ce00 00000006`00000000 0x1`00000000
00000000`0014ce08 00000000`0014ce28 0x6`00000000
00000000`0014ce10 000001e4`72987d19 0x14ce28
00000000`0014ce18 00000212`43bb34e1 0x1e4`72987d19
Dec 6 2016
ASan output:
v8::internal::wasm::GrowWebAssemblyMemory [0x1232ABBB+667]
v8::internal::wasm::GrowMemory [0x1232C0DC+1020] (C:\b\c\b\Win_ASan_Release\src\v8\src\wasm\wasm-module.cc:2277)
v8::internal::Runtime_WasmGrowMemory [0x121ECC4A+906] (C:\b\c\b\win_asan_release\src\v8\src\runtime\runtime-wasm.cc:43)
(No symbol) [0x2638623E]
(No symbol) [0x2FC08A47]
(No symbol) [0x2FC08C30]
(No symbol) [0x26387596]
(No symbol) [0x263FAC34]
(No symbol) [0x263EDF7F]
v8::internal::`anonymous namespace'::Invoke [0x11259ECE+2078] (C:\b\c\b\win_asan_release\src\v8\src\execution.cc:139)
blink::HTMLDocumentParser::pumpPendingSpeculations [0x1778DACD+1101]
blink::TaskHandle::Runner::run [0x15B8125A+80]
base::internal::Invoker<base::internal::BindState<void (blink::TaskHandle::Runner::*)(const blink::TaskHandle &) __attribute__((thiscall)),base::WeakPtr<blink::TaskHandle::Runner>,blink::TaskHandle>,void ()>::Run [0x15B81FC9+269]
base::debug::TaskAnnotator::RunTask [0x13147496+1046] (C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50)
blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue [0x15D31382+3102]
blink::scheduler::TaskQueueManager::DoWork [0x15D2D13A+1472] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:242)
base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(base::TimeTicks, bool) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void ()>::Run [0x15D36C8D+379]
base::debug::TaskAnnotator::RunTask [0x13147496+1046] (C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50)
base::MessageLoop::RunTask [0x12FFFE10+2528]
base::MessageLoop::DeferOrRunPendingTask [0x13000C57+103]
base::MessageLoop::DoWork [0x13001F67+1239]
base::MessagePumpDefault::Run [0x1314DA7B+395] (C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:33)
base::MessagePumpDefault::Run [0x1314DA7B+395] (C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:33)
__sanitizer::StackDepotPut [0x00D844E8+40] (e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_stackdepot.cc:113)
__asan::Allocator::QuarantineChunk [0x00D7EADB+219] (e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_allocator.cc:538)
__asan::Allocator::Deallocate [0x00D7D7AD+221] (e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_allocator.cc:573)
__asan::asan_free [0x00D7F578+24] (e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_allocator.cc:769)
=================================================================
==636==ERROR: AddressSanitizer: access-violation on unknown address 0x7ff80003 (pc 0x1232abbb bp 0x0044b4ec sp 0x0044b420 T0)
==636==The signal is caused by a READ memory access.
Dec 7 2016
Dec 8 2016
Assigning to gdeepti@ since it involves grow_memory.
Dec 8 2016
Note: This is a regression issue; it's not seen on stable.
Dec 12 2016
I think this is probably a dup of https://bugs.chromium.org/p/chromium/issues/detail?id=671761
Dec 12 2016
This is a duplicate of issue https://bugs.chromium.org/p/chromium/issues/detail?id=671761 as titzer@ mentioned in the last comment and has been fixed. Verified to be fixed on Windows.
Dec 12 2016
Dec 13 2016
Mar 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by chromium...@gmail.com, Dec 6 2016