
Issue 676964 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 670981
Owner: ----
Closed: Dec 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security




Security: UNKNOWN in v8::internal::JSObject::AddDataElement

Reported by chromium...@gmail.com, Dec 25 2016

Issue description

Chrome Version: 57.0.2963.0
Operating System: Windows 7 

        v8::internal::JSObject::AddDataElement [0x10F5105C+1148]
        v8::internal::Object::AddDataProperty [0x10F4B358+4632] (C:\b\c\b\win_asan_release\src\v8\src\objects.cc:5093)
        v8::internal::Object::SetProperty [0x10F45456+838] (C:\b\c\b\win_asan_release\src\v8\src\objects.cc:4871)
        v8::internal::Runtime::SetObjectProperty [0x1156D2F6+614] (C:\b\c\b\win_asan_release\src\v8\src\runtime\runtime-object.cc:292)
        v8::internal::Runtime_SetProperty [0x1157A862+626] (C:\b\c\b\win_asan_release\src\v8\src\runtime\runtime-object.cc:427)
        v8::internal::`anonymous namespace'::Invoke [0x1095CA1E+2078] (C:\b\c\b\win_asan_release\src\v8\src\execution.cc:139)
        base::HistogramBase::FindAndRunCallback [0x1278B8D0+352] (C:\b\c\b\win_asan_release\src\base\metrics\histogram_base.cc:157)
        v8::GlobalValueMap<WTF::StringImpl *,v8::String,blink::StringCacheMapTraits>::Set [0x1532320C+150] (C:\b\c\b\win_asan_release\src\v8\include\v8-util.h:483)
        v8::internal::Execution::Call [0x1095BFA5+693] (C:\b\c\b\win_asan_release\src\v8\src\execution.cc:176)
        v8::Script::Run [0x0F9AD287+1895]
        blink::V8ScriptRunner::runCompiledScript [0x152C7121+1413]
        blink::ScriptController::executeScriptAndReturnValue [0x152A8348+1132]
        blink::ScriptController::evaluateScriptInMainWorld [0x152ABAE8+416]
        blink::ScriptController::executeScriptInMainWorld [0x152AC032+198]
        blink::ScriptLoader::doExecuteScript [0x1B489179+4717] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\ScriptLoader.cpp:548)
        blink::ScriptLoader::executeScript [0x1B4873A6+48] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\ScriptLoader.cpp:433)
        blink::ScriptLoader::prepareScript [0x1B481BA4+3582] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\ScriptLoader.cpp:319)
        blink::HTMLParserScriptRunner::processScriptElementInternal [0x16A52912+426] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\html\parser\HTMLParserScriptRunner.cpp:491)
        blink::HTMLParserScriptRunner::processScriptElement [0x16A522EE+620] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\html\parser\HTMLParserScriptRunner.cpp:327)
        blink::HTMLDocumentParser::runScriptsForPausedTreeBuilder [0x169F46CA+256]
        blink::HTMLDocumentParser::processTokenizedChunkFromBackgroundParser [0x169F9525+2377]
        blink::HTMLDocumentParser::pumpPendingSpeculations [0x169F3D0F+1101]
        blink::TaskHandle::Runner::run [0x14E6D9B6+80]
        base::internal::Invoker<base::internal::BindState<void (blink::TaskHandle::Runner::*)(const blink::TaskHandle &) __attribute__((thiscall)),base::WeakPtr<blink::TaskHandle::Runner>,blink::TaskHandle>,void ()>::Run [0x14E6E725+269]
        base::debug::TaskAnnotator::RunTask [0x128F5586+1046] (C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50)
        blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue [0x1501E422+3102]
        blink::scheduler::TaskQueueManager::DoWork [0x1501A1DA+1472] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:242)
        base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(base::TimeTicks, bool) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void ()>::Run [0x150226E5+379]
        base::debug::TaskAnnotator::RunTask [0x128F5586+1046] (C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50)
        base::MessageLoop::RunTask [0x127A0F90+2528]
        base::MessageLoop::DeferOrRunPendingTask [0x127A1DD7+103]
        base::MessageLoop::DoWork [0x127A30E7+1239]
        base::MessagePumpDefault::Run [0x128FBB6B+395] (C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:33)
        base::MessageLoop::RunHandler [0x1279FFFA+330]
        base::RunLoop::Run [0x1281FD1E+462]
        content::RendererMain [0x18A15125+1181] (C:\b\c\b\win_asan_release\src\content\renderer\renderer_main.cc:200)
        content::RunNamedProcessTypeMain [0x12630FA4+486] (C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:416)
        content::ContentMainRunnerImpl::Run [0x12632641+587] (C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:793)
        content::ContentMain [0x12630B7D+117] (C:\b\c\b\win_asan_release\src\content\app\content_main.cc:20)
        ChromeMain [0x0F2411FF+511] (C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:112)
        MainDllLoader::Launch [0x002E7B78+702] (C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:173)
        main [0x002E1944+2372] (C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:262)
        __scrt_common_main_seh [0x004F60DE+249] (f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253)
        BaseThreadInitThunk [0x76553677+18]
        RtlInitializeExceptionChain [0x771E9D72+99]
        RtlInitializeExceptionChain [0x771E9D45+54]
=================================================================
==4204==ERROR: AddressSanitizer: access-violation on unknown address 0x045d5b2c (pc 0x10f5105c bp 0x00c7b860 sp 0x00c7b780 T0)
==4204==The signal is caused by a READ memory access.
==4204==*** WARNING: Failed to initialize DbgHelp!              ***
==4204==*** Most likely this means that the app is already      ***
==4204==*** using DbgHelp, possibly with incompatible flags.    ***
==4204==*** Due to technical reasons, symbolization might crash ***
==4204==*** or produce wrong results.                           ***
    #0 0x10f5105b  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x11d1105b)
    #1 0x10f4b357  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x11d0b357)
    #2 0x10f45455  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x11d05455)
    #3 0x1156d2f5  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x1232d2f5)
    #4 0x1157a861  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x1233a861)
    #5 0x1095ca1d  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x1171ca1d)
    #6 0x1278b8cf  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x1354b8cf)
    #7 0x1532320b  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x160e320b)
    #8 0x1095bfa4  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x1171bfa4)
    #9 0xf9ad286  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x1076d286)
    #10 0x152c7120  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x16087120)
    #11 0x152a8347  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x16068347)
    #12 0x152abae7  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x1606bae7)
    #13 0x152ac031  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x1606c031)
    #14 0x1b489178  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x1c249178)
    #15 0x1b4873a5  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x1c2473a5)
    #16 0x1b481ba3  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x1c241ba3)
    #17 0x16a52911  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x17812911)
    #18 0x16a522ed  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x178122ed)
    #19 0x169f46c9  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x177b46c9)
    #20 0x169f9524  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x177b9524)
    #21 0x169f3d0e  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x177b3d0e)
    #22 0x14e6d9b5  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x15c2d9b5)
    #23 0x14e6e724  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x15c2e724)
    #24 0x128f5585  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x136b5585)
    #25 0x1501e421  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x15dde421)
    #26 0x1501a1d9  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x15dda1d9)
    #27 0x150226e4  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x15de26e4)
    #28 0x128f5585  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x136b5585)
    #29 0x127a0f8f  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x13560f8f)
    #30 0x127a1dd6  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x13561dd6)
    #31 0x127a30e6  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x135630e6)
    #32 0x128fbb6a  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x136bbb6a)
    #33 0x1279fff9  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x1355fff9)
    #34 0x1281fd1d  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x135dfd1d)
    #35 0x18a15124  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x197d5124)
    #36 0x12630fa3  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x133f0fa3)
    #37 0x12632640  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x133f2640)
    #38 0x12630b7c  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x133f0b7c)
    #39 0xf2411fe  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome_child.dll+0x100011fe)
    #40 0x2e7b77  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome.exe+0x407b77)
    #41 0x2e1943  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome.exe+0x401943)
    #42 0x4f60dd  (C:\Users\admin\Desktop\asan-win32-release-440681\chrome.exe+0x6160dd)
    #43 0x76553676  (C:\Windows\syswow64\kernel32.dll+0x7dd73676)
    #44 0x771e9d71  (C:\Windows\SysWOW64\ntdll.dll+0x7dea9d71)
 
Attachment: poc.html (52 bytes)
Crash ID b0e8f31e-3081-4868-a01a-192c033a33ab (Server ID: 2e26d52080000000).
Components: Blink>JavaScript
Labels: Security_Severity-Medium Security_Impact-Head OS-Windows Pri-1
Mergedinto: 670981
Status: Duplicate (was: Unconfirmed)

Comment 3 by sheriffbot@chromium.org, Apr 4 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
