
Issue 677168 link

Starred by 1 user

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Regression




AddressSanitizer: stack-overflow AtomicValue v8/src/base/atomic-utils.h:113:19

Reported by r...@revskills.cz, Dec 27 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36

Steps to reproduce the problem:

var once = false;
var a = 0;

// Reviver passed to JSON.parse. Inside it, `this` is the holder object
// (the array being walked) and writes to `this[...]` land in that array.
function f(){
  if(!once){
    a = new Array(1, 2, 3);
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2147483648] = a;
  }
{
    this[2] = a;
    this[32336] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[0] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
    this[2] = a;
  }
  once = true;
  return {};
}

// The reviver is invoked for every element of the parsed array, so the
// assignments above are visible to later steps of the same walk.
JSON.parse("[1, 2, [4, 5]]", f);

What is the expected behavior?

What went wrong?

==35638==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe2eab6f98 (pc 0x55883f320bf9 bp 0x7ffe2eab77f0 sp 0x7ffe2eab6fa0 T0)
    #0 0x55883f320bf8 in __asan_memset (/home/fuzzer/logs/samples/asan-linux-debug-440749/d8+0xc5bf8)
    #1 0x7f0e75e8d54c in AtomicValue v8/src/base/atomic-utils.h:113:19
    #2 0x7f0e75e8d54c in RuntimeCallTimer v8/src/counters.h:508
    #3 0x7f0e75e8d54c in RuntimeCallTimerScope v8/src/counters-inl.h:64
    #4 0x7f0e75e8d54c in v8::internal::PropertyCallbackArguments::Call(void (*)
..
Attached full stacktrace


Attachment: asan.log (51.1 KB)

Comment 1 by r...@revskills.cz, Dec 27 2016

tested on: V8 version 5.7.352
Components: Blink>JavaScript
Stack overflows generally don't have security implications, but thanks for the report either way. Still seems like a good repro for a crash, so passing it along to the V8 team.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Components: Infra>Client>V8
Labels: -Type-Bug -Pri-2 M-57 hasbisect OS-Mac OS-Windows Pri-1 Type-Bug-Regression
Owner: yukishiino@chromium.org
Status: Assigned (was: Unconfirmed)

Able to reproduce this issue on Windows 10 and Ubuntu 14.04 with Chrome version 55.0.2883.87, on Mac 10.12.2 with Chrome stable version 55.0.2883.95, and also in the current canary version 57.0.2964.0.
Observed that when the code is pasted into the Chrome console, the browser crashes. Considering this bad behavior, I performed the bisect.
The issue first reproduces in 53.

Bisect Info:
===========
Good build : 53.0.2753.0,  Revision Range -396745
Bad build  : 53.0.2754.0,  Revision Range -397000

After executing the bisect (old) script, I got the following CLs between the good and bad build versions:
===========================================
https://chromium.googlesource.com/chromium/src/+log/8c687a70b52123f35c0504a5b3c5c84a639cebaf..29d1fbe672ebcb1f6332f4109240e200e095b386

The suspected change log is:
-----------
https://chromium.googlesource.com/chromium/src/+/29d1fbe672ebcb1f6332f4109240e200e095b386

Within the above CL, the suspected change is:
---------------------------
Review-Url: https://codereview.chromium.org/2022013002

yukishiino@: Could you please look into this issue, if it's related to your change? If not, could you please help us reassign this issue to the right owner?



Cc: yukishiino@chromium.org
Owner: jochen@chromium.org
This seems to be a V8 issue. jochen@, could you triage this issue?

Cc: jochen@chromium.org fmea...@chromium.org
Owner: cbruni@chromium.org

Comment 7 by cbruni@chromium.org, Jan 10 2017

Cc: -fmea...@chromium.org cbruni@chromium.org
Owner: yangguo@chromium.org
Stack overflow, minimal repro in a standard optdebug build:

var a = [1, 2, 3];

// Reviver: `this` is the holder array being walked by JSON.parse.
function f(){
  this[2] = a;
  this[0] = a;
  return {};
}

JSON.parse("[1, 2, 5]", f);

Probably fine; unless we add another StackGuard in v8::internal::JsonParseInternalizer::RecurseAndApply, I don't see much else.

yangguo@ WDYT?
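The following is an added example, not code from the bug report or from V8. It models in plain JavaScript the reviver walk that JSON.parse performs (InternalizeJSONProperty in ECMA-262) and shows why cbruni@'s two-line reviver never terminates: each reviver call stores the shared array `a` into the holder at an index the walk has not visited yet, so once the walk descends into `a` it keeps finding `a` inside itself. A depth budget stands in for the StackGuard suggested for RecurseAndApply and converts the unbounded recursion into a catchable RangeError instead of a native stack overflow. The names parseWithReviver, internalize, MAX_DEPTH, buildCycleReviver and demo are assumptions made for this example.

```javascript
// Added example (not from the bug report or V8): a model of the JSON.parse
// reviver walk with an explicit depth guard. MAX_DEPTH is an assumed budget;
// the real V8 limit is the native C++ stack.
const MAX_DEPTH = 1000;

// Mirrors InternalizeJSONProperty(holder, name, reviver) from ECMA-262:
// recurse into the current value first, then call the reviver with the
// holder as `this`. The depth check is the addition that a StackGuard in
// JsonParseInternalizer::RecurseAndApply would provide.
function internalize(holder, key, reviver, depth) {
  if (depth > MAX_DEPTH) {
    throw new RangeError('reviver walk exceeded depth ' + MAX_DEPTH);
  }
  const val = holder[key];
  if (val !== null && typeof val === 'object') {
    if (Array.isArray(val)) {
      // The spec reads the length once, then visits indices 0..len-1;
      // a reviver that writes into the holder at a later index is observed.
      const len = val.length;
      for (let i = 0; i < len; i++) {
        const newElement = internalize(val, String(i), reviver, depth + 1);
        if (newElement === undefined) delete val[i];
        else val[i] = newElement;
      }
    } else {
      for (const k of Object.keys(val)) {
        const newElement = internalize(val, k, reviver, depth + 1);
        if (newElement === undefined) delete val[k];
        else val[k] = newElement;
      }
    }
  }
  return reviver.call(holder, key, val);
}

// JSON.parse(text, reviver) per spec: parse, wrap in a root holder, walk.
function parseWithReviver(text, reviver) {
  const root = { '': JSON.parse(text) };
  return internalize(root, '', reviver, 0);
}

// The reviver from comment 7: writes a shared array into the holder at
// indices 0 and 2. When the walk reaches the holder's index 2 it descends
// into `a`; inside `a` the same reviver stores `a` into a[0] and a[2], so
// the walk re-enters `a` forever.
function buildCycleReviver() {
  const a = [1, 2, 3];
  return function f() {
    this[2] = a;
    this[0] = a;
    return {};
  };
}

// Runs the cycle-creating reviver through the guarded walk and reports how
// it failed. With the guard this is a RangeError, not a process crash.
function demo() {
  try {
    parseWithReviver('[1, 2, 5]', buildCycleReviver());
    return 'no error';
  } catch (e) {
    return e instanceof RangeError ? 'RangeError' : 'other: ' + e;
  }
}

console.log(demo());
```

A well-behaved reviver (for instance one that doubles every number) walks to completion under the same guard, so the budget only bites on graphs the reviver has made cyclic or pathologically deep. The guard is deliberately a depth counter rather than a visited set: the spec does not deduplicate objects during the walk, and a StackGuard in the native internalizer would likewise bound recursion, not change which nodes are visited.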
