AddressSanitizer: stack-overflow AtomicValue v8/src/base/atomic-utils.h:113:19
Reported by
r...@revskills.cz,
Dec 27 2016
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36
Steps to reproduce the problem:
var once = false;
var a = 0;
// Reviver passed to JSON.parse: on the first call it plants the array `a`
// into holder slots (including a huge index); later calls keep writing it back.
function f() {
  if (!once) {
    a = new Array(1, 2, 3);
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2147483648] = a;
  }
  {
    this[2] = a;
    this[32336] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[0] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
  }
  once = true;
  return {};
}
JSON.parse("[1, 2, [4, 5]]", f);
What is the expected behavior?
What went wrong?
==35638==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe2eab6f98 (pc 0x55883f320bf9 bp 0x7ffe2eab77f0 sp 0x7ffe2eab6fa0 T0)
#0 0x55883f320bf8 in __asan_memset (/home/fuzzer/logs/samples/asan-linux-debug-440749/d8+0xc5bf8)
#1 0x7f0e75e8d54c in AtomicValue v8/src/base/atomic-utils.h:113:19
#2 0x7f0e75e8d54c in RuntimeCallTimer v8/src/counters.h:508
#3 0x7f0e75e8d54c in RuntimeCallTimerScope v8/src/counters-inl.h:64
#4 0x7f0e75e8d54c in v8::internal::PropertyCallbackArguments::Call(void (*)
..
Attached full stacktrace
Dec 27 2016
Stack overflows generally don't have security implications, but thanks for the report either way. Still seems like a good repro for a crash, so passing it along to the V8 team.
Dec 27 2016

Jan 2 2017
Able to reproduce this issue on Windows 10 and Ubuntu 14.04 with Chrome version 55.0.2883.87, on Mac 10.12.2 with Chrome stable version 55.0.2883.95, and also in the current canary version #57.0.2964.0. Observed that when the code is pasted into the Chrome console, the browser crashes. Considering this bad behavior, I performed the bisect. The issue is broken in 53.

Bisect Info:
===========
Good build: 53.0.2753.0, Revision Range -396745
Bad build: 53.0.2754.0, Revision Range -397000

After executing the bisect (old) script, I got the following CLs between the good and bad build versions:
===========================================
https://chromium.googlesource.com/chromium/src/+log/8c687a70b52123f35c0504a5b3c5c84a639cebaf..29d1fbe672ebcb1f6332f4109240e200e095b386

The suspected change log is:
-----------
https://chromium.googlesource.com/chromium/src/+/29d1fbe672ebcb1f6332f4109240e200e095b386

From the above CL, suspecting the below change:
---------------------------
Review-Url: https://codereview.chromium.org/2022013002

yukishiino@ - Could you please look into this issue, if it's related to your change? If not, could you please help us reassign this issue to the right owner.
Jan 5 2017
This seems to be a V8 issue. jochen@, could you triage this issue?
Jan 5 2017

Jan 10 2017
Stack overflow, minimal repro in standard optdebug build:
var a = [1, 2, 3];
function f() {
  this[2] = a;
  this[0] = a;
  return {};
}
JSON.parse("[1, 2, 5]", f);
Probably fine. Unless we add another StackGuard in v8::internal::JsonParseInternalizer::RecurseAndApply, I don't see much else.
yangguo@ WDYT?
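The following is an added illustration, not code from the bug report or from V8. It models in plain JavaScript the InternalizeJSONProperty walk that JSON.parse performs when a reviver is supplied (the walk V8 implements natively in v8::internal::JsonParseInternalizer::RecurseAndApply) and shows why both the original repro and the minimal repro above never terminate: the reviver is called with the holder as `this`, writes the array `a` back into a slot the walk has not visited yet, and once the walk enters `a` the same write makes `a` contain itself, so the recursion has no bottom. The `maxDepth` guard and the function names are assumptions standing in for the StackGuard the comment mentions; with the guard disabled, the JS model still fails with a catchable RangeError because the JS stack is checked, whereas the native walk in the report runs until the C++ stack is exhausted.

```javascript
// Added example, not part of the bug report or of V8. A JavaScript model of
// the spec's InternalizeJSONProperty walk with an explicit depth guard
// (maxDepth is an assumption standing in for V8's StackGuard).

class DepthExceeded extends Error {}

// Walk holder[key] the way the spec does: recurse into each array index or
// own enumerable property first, storing whatever the reviver returns, then
// apply the reviver to the value itself with the holder as `this`. Because
// `this` is the holder, a reviver can overwrite slots the walk has not reached.
function internalize(holder, key, reviver, depth, maxDepth) {
  if (depth > maxDepth) {
    throw new DepthExceeded(`reviver walk exceeded depth ${maxDepth}`);
  }
  const val = holder[key];
  if (val !== null && typeof val === 'object') {
    if (Array.isArray(val)) {
      const len = val.length; // read once, as in the spec
      for (let i = 0; i < len; i++) {
        const elem = internalize(val, String(i), reviver, depth + 1, maxDepth);
        if (elem === undefined) delete val[i]; else val[i] = elem;
      }
    } else {
      for (const k of Object.keys(val)) {
        const elem = internalize(val, k, reviver, depth + 1, maxDepth);
        if (elem === undefined) delete val[k]; else val[k] = elem;
      }
    }
  }
  return reviver.call(holder, key, val);
}

// Equivalent of JSON.parse(text, reviver), routed through the guarded walk.
function parseWithReviver(text, reviver, maxDepth = 64) {
  const root = JSON.parse(text);
  return internalize({ '': root }, '', reviver, 0, maxDepth);
}

// The minimal repro from the thread. Returns 'depth-guard' when the assumed
// guard fires, otherwise the name of whatever error ends the walk.
function runMinimalRepro(maxDepth = 64) {
  const a = [1, 2, 3];
  function f() {
    this[2] = a; // plant `a` in a slot the walk will visit after this one
    this[0] = a;
    return {};
  }
  try {
    parseWithReviver('[1, 2, 5]', f, maxDepth);
    return 'completed';
  } catch (e) {
    return e instanceof DepthExceeded ? 'depth-guard' : e.name;
  }
}

// A well-behaved reviver for comparison: doubles every number in the input.
function doubleNumbers(text) {
  return parseWithReviver(text, (k, v) => (typeof v === 'number' ? v * 2 : v));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runMinimalRepro());          // depth-guard
  console.log(runMinimalRepro(Infinity));  // RangeError (the JS engine's own stack check)
  console.log(JSON.stringify(doubleNumbers('[1, 2, [4, 5]]'))); // [2,4,[8,10]]
}
```

Trace of the minimal repro through the model: at the root holder the reviver sets root[2] = a, so when the walk reaches index 2 it descends into `a`; the reviver calls made while visiting a[0] and a[1] set a[2] = a and a[0] = a, so visiting a[2] descends into `a` again and every further level finds `a` at index 0. Nothing in the data bounds the depth, which is exactly why a stack check in the native walk is the only thing that turns the crash into a RangeError.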
Comment 1 by r...@revskills.cz, Dec 27 2016