Issue 678917

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security




Making a long string causes a crash

Reported by gksgudtj...@gmail.com, Jan 6 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
1. Make a small string
2. Add a small chunk to the result of step 1 many times
3. It crashes

What is the expected behavior?

What went wrong?
It usually crashes because of a dereference of [0x13].
Sometimes it sets eip to zero. I attached a dump.

Did this work before? N/A 

Chrome version: 55.0.2883.87  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 24.0 r0
 
Attachments:
test.html (200 bytes)
4f15f8e0-32a6-42f0-ba35-9ade4aba04a1.dmp (268 KB)

Comment 1 by ClusterFuzz (Project Member), Jan 6 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5695316423868416

Comment 2 by ClusterFuzz (Project Member), Jan 6 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4656970901749760
Components: Blink>JavaScript
Decoded minidump from 54.0.2840.99.

Thread 0 ( * CRASHED * EXCEPTION_ACCESS_VIOLATION_EXEC @ 0x0 )
0	 [	 +	 0x0]
1	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\frames.cc:1222] v8::internal::OptimizedFrame::Summarize(v8::internal::List<v8::internal::FrameSummary,v8::internal::FreeStoreAllocationPolicy> *,v8::internal::FrameSummary::Mode)
2	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\isolate.cc:479] v8::internal::Isolate::CaptureSimpleStackTrace(v8::internal::Handle<v8::internal::JSReceiver>,v8::internal::FrameSkipMode,v8::internal::Handle<v8::internal::Object>)
3	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\isolate.cc:585] v8::internal::Isolate::CaptureAndSetSimpleStackTrace(v8::internal::Handle<v8::internal::JSReceiver>,v8::internal::FrameSkipMode,v8::internal::Handle<v8::internal::Object>)
4	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\messages.cc:777] v8::internal::ErrorUtils::Construct(v8::internal::Isolate *,v8::internal::Handle<v8::internal::JSFunction>,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,v8::internal::FrameSkipMode,v8::internal::Handle<v8::internal::Object>,bool)
5	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\messages.cc:901] v8::internal::ErrorUtils::MakeGenericError(v8::internal::Isolate *,v8::internal::Handle<v8::internal::JSFunction>,int,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,v8::internal::FrameSkipMode)
6	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\factory.cc:1167] v8::internal::Factory::NewError(v8::internal::Handle<v8::internal::JSFunction>,v8::internal::MessageTemplate::Template,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>)
7	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\factory.cc:1209] v8::internal::Factory::NewRangeError(v8::internal::MessageTemplate::Template,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>)
8	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\factory.h:580] v8::internal::Factory::NewInvalidStringLengthError()
9	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\factory.cc:413] v8::internal::Factory::NewRawOneByteString(int,v8::internal::PretenureFlag)
10	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\objects.cc:2129] v8::internal::String::SlowFlatten(v8::internal::Handle<v8::internal::ConsString>,v8::internal::PretenureFlag)
11	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\objects-inl.h:3628] v8::internal::String::Flatten(v8::internal::Handle<v8::internal::String>,v8::internal::PretenureFlag)
12	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\runtime\runtime-strings.cc:350] v8::internal::Runtime_StringCharCodeAtRT(int,v8::internal::Object * *,v8::internal::Isolate *)
13	 [	 +	 0xce0bb86]
14	 [	 +	 0xce67266]
15	 [	 +	 0xce64a53]
16	 [	 +	 0xce3e83e]
17	 [	 +	 0xce27878]
18	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\execution.cc:143] v8::internal::`anonymous namespace'::Invoke
19	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\execution.cc:178] v8::internal::Execution::Call(v8::internal::Isolate *,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,int,v8::internal::Handle<v8::internal::Object> * const)
20	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\v8\src\api.cc:1845] v8::Script::Run(v8::Local<v8::Context>)
21	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\bindings\core\v8\v8scriptrunner.cpp:418] blink::V8ScriptRunner::runCompiledScript(v8::Isolate *,v8::Local<v8::Script>,blink::ExecutionContext *)
22	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\bindings\core\v8\scriptcontroller.cpp:149] blink::ScriptController::executeScriptAndReturnValue(v8::Local<v8::Context>,blink::ScriptSourceCode const &,blink::AccessControlStatus)
23	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\bindings\core\v8\scriptcontroller.cpp:397] blink::ScriptController::evaluateScriptInMainWorld(blink::ScriptSourceCode const &,blink::AccessControlStatus,blink::ScriptController::ExecuteScriptPolicy)
24	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\bindings\core\v8\scriptcontroller.cpp:374] blink::ScriptController::executeScriptInMainWorld(blink::ScriptSourceCode const &,blink::AccessControlStatus)
25	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\dom\scriptloader.cpp:431] blink::ScriptLoader::executeScript(blink::ScriptSourceCode const &)
26	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\dom\scriptloader.cpp:276] blink::ScriptLoader::prepareScript(WTF::TextPosition const &,blink::ScriptLoader::LegacyTypeSupport)
27	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\html\parser\htmlscriptrunner.cpp:429] blink::HTMLScriptRunner::runScript(blink::Element *,WTF::TextPosition const &)
28	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\html\parser\htmlscriptrunner.cpp:282] blink::HTMLScriptRunner::execute(blink::Element *,WTF::TextPosition const &)
29	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp:272] blink::HTMLDocumentParser::runScriptsForPausedTreeBuilder()
30	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp:517] blink::HTMLDocumentParser::processTokenizedChunkFromBackgroundParser(std::unique_ptr<blink::HTMLDocumentParser::TokenizedChunk,std::default_delete<blink::HTMLDocumentParser::TokenizedChunk> >)
31	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp:574] blink::HTMLDocumentParser::pumpPendingSpeculations()
32	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\base\callback.h:388] base::Callback<void ,1>::Run()
33	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\platform\scheduler\cancellabletaskfactory.cpp:27] blink::CancellableTaskFactory::CancellableTask::run()
34	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\platform\scheduler\child\web_task_runner_impl.cc:72] blink::scheduler::WebTaskRunnerImpl::runTask(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)
35	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\base\bind_internal.h:324] base::internal::Invoker<base::internal::BindState<void (*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >),base::internal::PassedWrapper<std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >,void >::Run(base::internal::BindStateBase *)
36	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\base\callback.h:388] base::Callback<void ,1>::Run()
37	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc:319] blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue *,blink::scheduler::internal::TaskQueueImpl::Task *)
38	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc:218] blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks,bool)
39	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\base\bind_internal.h:324] base::internal::Invoker<base::internal::BindState<void ( blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void >::Run(base::internal::BindStateBase *)
40	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\base\callback.h:388] base::Callback<void ,1>::Run()
41	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\base\message_loop\message_loop.cc:489] base::MessageLoop::RunTask(base::PendingTask const &)
42	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\base\message_loop\message_loop.cc:621] base::MessageLoop::DoWork()
43	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\base\message_loop\message_pump_default.cc:36] base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
44	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\base\message_loop\message_loop.cc:452] base::MessageLoop::RunHandler()
45	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\base\run_loop.cc:36] base::RunLoop::Run()
46	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\content\renderer\renderer_main.cc:198] content::RendererMain(content::MainFunctionParams const &)
47	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\content\app\content_main_runner.cc:418] content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
48	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\content\app\content_main_runner.cc:786] content::ContentMainRunnerImpl::Run()
49	 [chrome_child.dll	 -	 c:\b\build\slave\win-pgo\build\src\content\app\content_main.cc:20] content::ContentMain(content::ContentMainParams const &)
50	 [chrome.exe	 -	 c:\b\build\slave\win-pgo\build\src\chrome\app\main_dll_loader_win.cc:182] MainDllLoader::Launch(HINSTANCE__ *)
51	 [chrome.exe	 -	 c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_exe_main_win.cc:253] wWinMain
52	 [chrome.exe	 -	 f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:255] __scrt_common_main_seh
53	 [KERNEL32.DLL	 -	 0x162c4] BaseThreadInitThunk
54	 [ntdll.dll	 -	 0x60609] __RtlUserThreadStart
55	 [ntdll.dll	 -	 0x605d4] _RtlUserThreadStart


Cc: u...@chromium.org jochen@chromium.org jgruber@chromium.org
I suppose this is expected because it simply goes OOM.
Owner: jarin@chromium.org
Status: Assigned (was: Unconfirmed)
Looks like we hit this CHECK: CHECK_EQ(opcode, Translation::STACK_SLOT); which implies a bug in deopt.
Labels: Security_Severity-Medium Security_Impact-Stable

Comment 7 by sheriffbot@chromium.org (Project Member), Jan 12 2017

Labels: M-56

Comment 8 by sheriffbot@chromium.org (Project Member), Jan 12 2017

Labels: -Pri-2 Pri-1

Comment 9 by sheriffbot@chromium.org (Project Member), Jan 20 2017

jarin: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by jarin@chromium.org, Jan 21 2017

Status: Started (was: Assigned)
This is not a deoptimizer bug; it is a bug in the StringAdd hydrogen stub: it does not seem to check for reaching the maximum length when constructing a cons-string, and thus constructs an invalid string. The bug only triggers with full-code (which uses the traditional binary op IC).

In ignition, we use a TF stub for string addition, and that one does the appropriate checks.

Comment 11 by bugdroid1@chromium.org (Project Member), Jan 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/dd310b434181902a8e8a93890dd634a2e8cfc825

commit dd310b434181902a8e8a93890dd634a2e8cfc825
Author: jarin <jarin@chromium.org>
Date: Tue Jan 24 09:35:56 2017

[crankshaft] Fix string addition to check for max length of cons string.

BUG= chromium:678917 

Review-Url: https://codereview.chromium.org/2653623002
Cr-Commit-Position: refs/heads/master@{#42621}

[modify] https://crrev.com/dd310b434181902a8e8a93890dd634a2e8cfc825/src/crankshaft/hydrogen.cc
[add] https://crrev.com/dd310b434181902a8e8a93890dd634a2e8cfc825/test/mjsunit/regress/regress-678917.js
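The two string-addition paths comment 10 contrasts, and the length check the fix above adds, as an added example written for this page (it is neither the reporter's test.html nor V8's own code): a toy model of cons strings with an unchecked and a checked string-add, driven with the reporter's pattern of appending a small chunk many times, plus a probe of the running engine showing that a correct implementation reports a catchable RangeError instead of building an over-long string. MODEL_MAX_LENGTH, ConsString, uncheckedStringAdd, checkedStringAdd, growUntil and probeEngineLimit are assumed names for the model; V8's real limit and its stubs differ from this sketch.

```javascript
// Added example (not the reporter's test.html and not V8's own code): a toy
// model of V8-style cons strings showing the invariant that comment 10 and the
// fix commit describe, next to a probe of the real engine's behaviour.
//
// Assumption, labelled: MODEL_MAX_LENGTH is an arbitrary small limit chosen
// for the model. V8's real String::kMaxLength is far larger, and the
// production check lives in the engine's string-add stubs, not here.
const MODEL_MAX_LENGTH = 1024;

// A cons string does not copy its operands; it records both halves and the
// combined length, which is why the length has to be validated at creation.
class ConsString {
  constructor(first, second) {
    this.first = first;
    this.second = second;
    this.length = first.length + second.length;
  }
  // Flatten on demand (a model of String::Flatten): copy the leaves in order.
  flatten() {
    const left = typeof this.first === "string" ? this.first : this.first.flatten();
    const right = typeof this.second === "string" ? this.second : this.second.flatten();
    return left + right;
  }
}

// Model of the unchecked stub: accepts any operands, so it can hand back a
// cons string whose recorded length exceeds the maximum, the "invalid string"
// of comment 10. Nothing downstream can rely on the length field any more.
function uncheckedStringAdd(a, b) {
  return new ConsString(a, b);
}

// Model of the corrected stub: reject the addition before building the node,
// so the caller sees a RangeError rather than an invalid object.
function checkedStringAdd(a, b) {
  if (a.length + b.length > MODEL_MAX_LENGTH) {
    throw new RangeError("Invalid string length");
  }
  return new ConsString(a, b);
}

// Drive either adder with the reporter's pattern: start small and append a
// small chunk repeatedly. Returns the final length and the error, if any,
// that stopped the loop.
function growUntil(adder, chunk, rounds) {
  let s = "seed";
  for (let i = 0; i < rounds; i++) {
    try {
      s = adder(s, chunk);
    } catch (e) {
      return { length: s.length, error: e };
    }
  }
  return { length: s.length, error: null };
}

// Probe the real engine: doubling a string by concatenation yields cons
// strings that share their leaves, so memory stays small while the length
// races past the engine maximum in a couple of dozen steps. A correct engine
// throws RangeError at the length check instead of constructing the string.
function probeEngineLimit() {
  let s = "x".repeat(64);
  let lastGoodLength = s.length;
  try {
    for (;;) {
      s = s + s;
      lastGoodLength = s.length;
    }
  } catch (e) {
    return { threw: e instanceof RangeError, lastGoodLength };
  }
}

// Stand-alone run: contrast the two model adders, then the engine itself.
if (typeof require !== "undefined" && require.main === module) {
  const chunk = "x".repeat(100);
  console.log("unchecked:", growUntil(uncheckedStringAdd, chunk, 20));
  console.log("checked:  ", growUntil(checkedStringAdd, chunk, 20));
  console.log("engine:   ", probeEngineLimit());
}
```

Run it with node. The unchecked model happily reports a length above MODEL_MAX_LENGTH, which is the state the crash trace above starts from; the checked model stops at the last valid length with a RangeError, and the engine probe shows the same outcome from the production check.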

Comment 12 by jarin@chromium.org, Jan 25 2017

Status: Fixed (was: Started)

Comment 13 by sheriffbot@chromium.org (Project Member), Jan 25 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -M-56 reward-topanel M-57

Comment 15 by sheriffbot@chromium.org (Project Member), Feb 3 2017

Labels: Merge-Request-57

Comment 16 by sheriffbot@chromium.org (Project Member), Feb 3 2017

Labels: -Merge-Request-57 Hotlist-Merge-Approved Merge-Approved-57
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Please merge your change to M57 branch 2987 before 5:00 PM PT, Monday (02/06/) so we can pick it up for next week's Beta release. Thank you.

Comment 18 by bugdroid1@chromium.org (Project Member), Feb 4 2017

Labels: merge-merged-5.7
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/01199dc9213435603a051051d881701f841b79a8

commit 01199dc9213435603a051051d881701f841b79a8
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Sat Feb 04 21:53:46 2017

Merged: [crankshaft] Fix string addition to check for max length of cons string.

Revision: dd310b434181902a8e8a93890dd634a2e8cfc825

BUG= chromium:678917 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2670383004 .
Cr-Commit-Position: refs/branch-heads/5.7@{#88}
Cr-Branched-From: 975e9a320b6eaf9f12280c35df98e013beb8f041-refs/heads/5.7.492@{#1}
Cr-Branched-From: 8d76f0e3465a84bbf0bceab114900fbe75844e1f-refs/heads/master@{#42426}

[modify] https://crrev.com/01199dc9213435603a051051d881701f841b79a8/src/crankshaft/hydrogen.cc
[add] https://crrev.com/01199dc9213435603a051051d881701f841b79a8/test/mjsunit/regress/regress-678917.js

Please merge your change to M57 branch 2987 before 5:00 PM PT, Monday (02/06/) so we can pick it up for next Beta release. Thank you.
I believe I did merge it, see #18.
Labels: -Merge-Approved-57
Labels: -reward-topanel reward-0
Hi gksgudtjr456@ - I'm sorry to say the panel took a look at this and decided not to award, noting that the CHECK means there's no security implication.
Labels: -Hotlist-Merge-Approved
Labels: Release-0-57
Labels: -Release-0-57 Release-0-M57

Comment 26 by sheriffbot@chromium.org (Project Member), May 4 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
