Making a long string causes a crash
Reported by gksgudtj...@gmail.com, Jan 6 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
1. Make a small string
2. Add a small chunk to the result of 1 many times
3. It crashes

What is the expected behavior?

What went wrong?
It usually crashes because of a dereference of [0x13]. Sometimes it sets eip to zero. I attached a dump.

Did this work before? N/A

Chrome version: 55.0.2883.87 Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 24.0 r0
Comment 1 by ClusterFuzz, Jan 6 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4656970901749760
Jan 6 2017
Decoded minidump from 54.0.2840.99.

Thread 0 ( * CRASHED * EXCEPTION_ACCESS_VIOLATION_EXEC @ 0x0 )
0 [ + 0x0]
1 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\frames.cc:1222] v8::internal::OptimizedFrame::Summarize(v8::internal::List<v8::internal::FrameSummary,v8::internal::FreeStoreAllocationPolicy> *,v8::internal::FrameSummary::Mode)
2 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\isolate.cc:479] v8::internal::Isolate::CaptureSimpleStackTrace(v8::internal::Handle<v8::internal::JSReceiver>,v8::internal::FrameSkipMode,v8::internal::Handle<v8::internal::Object>)
3 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\isolate.cc:585] v8::internal::Isolate::CaptureAndSetSimpleStackTrace(v8::internal::Handle<v8::internal::JSReceiver>,v8::internal::FrameSkipMode,v8::internal::Handle<v8::internal::Object>)
4 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\messages.cc:777] v8::internal::ErrorUtils::Construct(v8::internal::Isolate *,v8::internal::Handle<v8::internal::JSFunction>,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,v8::internal::FrameSkipMode,v8::internal::Handle<v8::internal::Object>,bool)
5 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\messages.cc:901] v8::internal::ErrorUtils::MakeGenericError(v8::internal::Isolate *,v8::internal::Handle<v8::internal::JSFunction>,int,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,v8::internal::FrameSkipMode)
6 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\factory.cc:1167] v8::internal::Factory::NewError(v8::internal::Handle<v8::internal::JSFunction>,v8::internal::MessageTemplate::Template,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>)
7 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\factory.cc:1209] v8::internal::Factory::NewRangeError(v8::internal::MessageTemplate::Template,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>)
8 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\factory.h:580] v8::internal::Factory::NewInvalidStringLengthError()
9 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\factory.cc:413] v8::internal::Factory::NewRawOneByteString(int,v8::internal::PretenureFlag)
10 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\objects.cc:2129] v8::internal::String::SlowFlatten(v8::internal::Handle<v8::internal::ConsString>,v8::internal::PretenureFlag)
11 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\objects-inl.h:3628] v8::internal::String::Flatten(v8::internal::Handle<v8::internal::String>,v8::internal::PretenureFlag)
12 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\runtime\runtime-strings.cc:350] v8::internal::Runtime_StringCharCodeAtRT(int,v8::internal::Object * *,v8::internal::Isolate *)
13 [ + 0xce0bb86]
14 [ + 0xce67266]
15 [ + 0xce64a53]
16 [ + 0xce3e83e]
17 [ + 0xce27878]
18 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\execution.cc:143] v8::internal::`anonymous namespace'::Invoke
19 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\execution.cc:178] v8::internal::Execution::Call(v8::internal::Isolate *,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,int,v8::internal::Handle<v8::internal::Object> * const)
20 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\v8\src\api.cc:1845] v8::Script::Run(v8::Local<v8::Context>)
21 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\bindings\core\v8\v8scriptrunner.cpp:418] blink::V8ScriptRunner::runCompiledScript(v8::Isolate *,v8::Local<v8::Script>,blink::ExecutionContext *)
22 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\bindings\core\v8\scriptcontroller.cpp:149] blink::ScriptController::executeScriptAndReturnValue(v8::Local<v8::Context>,blink::ScriptSourceCode const &,blink::AccessControlStatus)
23 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\bindings\core\v8\scriptcontroller.cpp:397] blink::ScriptController::evaluateScriptInMainWorld(blink::ScriptSourceCode const &,blink::AccessControlStatus,blink::ScriptController::ExecuteScriptPolicy)
24 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\bindings\core\v8\scriptcontroller.cpp:374] blink::ScriptController::executeScriptInMainWorld(blink::ScriptSourceCode const &,blink::AccessControlStatus)
25 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\dom\scriptloader.cpp:431] blink::ScriptLoader::executeScript(blink::ScriptSourceCode const &)
26 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\dom\scriptloader.cpp:276] blink::ScriptLoader::prepareScript(WTF::TextPosition const &,blink::ScriptLoader::LegacyTypeSupport)
27 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\html\parser\htmlscriptrunner.cpp:429] blink::HTMLScriptRunner::runScript(blink::Element *,WTF::TextPosition const &)
28 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\html\parser\htmlscriptrunner.cpp:282] blink::HTMLScriptRunner::execute(blink::Element *,WTF::TextPosition const &)
29 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp:272] blink::HTMLDocumentParser::runScriptsForPausedTreeBuilder()
30 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp:517] blink::HTMLDocumentParser::processTokenizedChunkFromBackgroundParser(std::unique_ptr<blink::HTMLDocumentParser::TokenizedChunk,std::default_delete<blink::HTMLDocumentParser::TokenizedChunk> >)
31 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp:574] blink::HTMLDocumentParser::pumpPendingSpeculations()
32 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\base\callback.h:388] base::Callback<void ,1>::Run()
33 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\platform\scheduler\cancellabletaskfactory.cpp:27] blink::CancellableTaskFactory::CancellableTask::run()
34 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\platform\scheduler\child\web_task_runner_impl.cc:72] blink::scheduler::WebTaskRunnerImpl::runTask(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)
35 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\base\bind_internal.h:324] base::internal::Invoker<base::internal::BindState<void (*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >),base::internal::PassedWrapper<std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >,void >::Run(base::internal::BindStateBase *)
36 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\base\callback.h:388] base::Callback<void ,1>::Run()
37 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc:319] blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue *,blink::scheduler::internal::TaskQueueImpl::Task *)
38 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc:218] blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks,bool)
39 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\base\bind_internal.h:324] base::internal::Invoker<base::internal::BindState<void ( blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void >::Run(base::internal::BindStateBase *)
40 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\base\callback.h:388] base::Callback<void ,1>::Run()
41 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\base\message_loop\message_loop.cc:489] base::MessageLoop::RunTask(base::PendingTask const &)
42 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\base\message_loop\message_loop.cc:621] base::MessageLoop::DoWork()
43 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\base\message_loop\message_pump_default.cc:36] base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
44 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\base\message_loop\message_loop.cc:452] base::MessageLoop::RunHandler()
45 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\base\run_loop.cc:36] base::RunLoop::Run()
46 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\content\renderer\renderer_main.cc:198] content::RendererMain(content::MainFunctionParams const &)
47 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\content\app\content_main_runner.cc:418] content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
48 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\content\app\content_main_runner.cc:786] content::ContentMainRunnerImpl::Run()
49 [chrome_child.dll - c:\b\build\slave\win-pgo\build\src\content\app\content_main.cc:20] content::ContentMain(content::ContentMainParams const &)
50 [chrome.exe - c:\b\build\slave\win-pgo\build\src\chrome\app\main_dll_loader_win.cc:182] MainDllLoader::Launch(HINSTANCE__ *)
51 [chrome.exe - c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_exe_main_win.cc:253] wWinMain
52 [chrome.exe - f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:255] __scrt_common_main_seh
53 [KERNEL32.DLL - 0x162c4] BaseThreadInitThunk
54 [ntdll.dll - 0x60609] __RtlUserThreadStart
55 [ntdll.dll - 0x605d4] _RtlUserThreadStart
Jan 9 2017
I suppose this is expected because it simply goes OOM.
Jan 9 2017
looks like we hit this CHECK: CHECK_EQ(opcode, Translation::STACK_SLOT); which implies a bug in deopt
Jan 11 2017

Jan 12 2017

Jan 12 2017

Jan 20 2017
jarin: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 21 2017
This is not a deoptimizer bug, it is a bug in the StringAdd hydrogen stub - it does not seem to check for reaching maximum length when constructing a cons-string, and thus constructs an invalid string. The bug only triggers with full-code (which uses the traditional binary op IC). In ignition, we use a TF stub for string addition, and that one does the appropriate checks.
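The following is an added example, not part of the bug report, the comments above or the V8 fix. It runs the reporter's recipe (a small string grown by repeated concatenation, then a charCodeAt that forces the cons string to be flattened, which is the Runtime_StringCharCodeAtRT -> String::Flatten path in the crash stack) on a current engine and checks for the behaviour a correct StringAdd must have: once the combined length would exceed V8's String::kMaxLength, concatenation throws RangeError ("Invalid string length") instead of producing an over-long cons string that only fails later when flattened. The exact maximum length differs between V8 versions and 32- vs 64-bit builds, so the example asserts only on the error type and on a lower bound; the seed and chunk strings are constructed here and the function names are my own.

```javascript
'use strict';

// Grow a string by repeated self-concatenation until the engine refuses.
// For long operands each `s + s` builds a ConsString node without copying,
// so the length doubles while memory stays small. On a correct engine the
// loop ends with a RangeError thrown by the string-add itself, not by a later
// flatten. The step cap is only a safety net against an engine with no limit.
function growUntilRangeError(seed, maxDoublings = 64) {
  let s = seed;
  for (let steps = 0; steps < maxDoublings; steps++) {
    let next;
    try {
      next = s + s;
    } catch (e) {
      return {
        lastLength: s.length,   // largest length the engine accepted
        steps,                  // doublings performed before refusal
        threw: true,
        errorName: e.name,      // expected: "RangeError"
        message: e.message,
      };
    }
    s = next;
  }
  return { lastLength: s.length, steps: maxDoublings, threw: false,
           errorName: null, message: null };
}

// Build a left-deep cons string the way the reporter did: a small seed with a
// small chunk appended many times. Kept far below kMaxLength so it is safe.
function appendChunks(seed, chunk, times) {
  let s = seed;
  for (let i = 0; i < times; i++) s += chunk;
  return s;
}

// charCodeAt on a ConsString flattens it (String::Flatten in the crash stack).
// Verify every character of the flattened result against the chunk pattern,
// which also proves the flatten produced a string of the expected contents.
function checkFlattened(s, seed, chunk) {
  if (s.length < seed.length) return false;
  for (let i = 0; i < seed.length; i++) {
    if (s.charCodeAt(i) !== seed.charCodeAt(i)) return false;
  }
  for (let i = seed.length; i < s.length; i++) {
    const expected = chunk.charCodeAt((i - seed.length) % chunk.length);
    if (s.charCodeAt(i) !== expected) return false;
  }
  return true;
}

// Stand-alone run: report what the engine does at the length limit.
if (typeof require !== 'undefined' && require.main === module) {
  const r = growUntilRangeError('0123456789abcdef');
  console.log(`accepted up to ${r.lastLength} chars after ${r.steps} doublings; ` +
              `then ${r.threw ? r.errorName + ': ' + r.message : 'no error'}`);
  const s = appendChunks('head:', 'chunk-', 200000);
  console.log(`flattened ${s.length}-char cons string intact: ` +
              checkFlattened(s, 'head:', 'chunk-'));
}
```

Run it with node. A patched engine prints a RangeError at the doubling that would cross the limit and flattens the smaller cons string without incident; the build in this report instead reached the flatten, tried to construct the RangeError there, and crashed while capturing the stack trace in OptimizedFrame::Summarize.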
Jan 24 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/dd310b434181902a8e8a93890dd634a2e8cfc825

commit dd310b434181902a8e8a93890dd634a2e8cfc825
Author: jarin <jarin@chromium.org>
Date: Tue Jan 24 09:35:56 2017

[crankshaft] Fix string addition to check for max length of cons string.

BUG= chromium:678917
Review-Url: https://codereview.chromium.org/2653623002
Cr-Commit-Position: refs/heads/master@{#42621}

[modify] https://crrev.com/dd310b434181902a8e8a93890dd634a2e8cfc825/src/crankshaft/hydrogen.cc
[add] https://crrev.com/dd310b434181902a8e8a93890dd634a2e8cfc825/test/mjsunit/regress/regress-678917.js
Jan 25 2017

Jan 25 2017

Jan 30 2017

Feb 3 2017

Feb 3 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 3 2017
Please merge your change to M57 branch 2987 before 5:00 PM PT, Monday (02/06/) so we can pick it up for next week's Beta release. Thank you.
Feb 4 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/01199dc9213435603a051051d881701f841b79a8

commit 01199dc9213435603a051051d881701f841b79a8
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Sat Feb 04 21:53:46 2017

Merged: [crankshaft] Fix string addition to check for max length of cons string.

Revision: dd310b434181902a8e8a93890dd634a2e8cfc825

BUG= chromium:678917
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2670383004 .
Cr-Commit-Position: refs/branch-heads/5.7@{#88}
Cr-Branched-From: 975e9a320b6eaf9f12280c35df98e013beb8f041-refs/heads/5.7.492@{#1}
Cr-Branched-From: 8d76f0e3465a84bbf0bceab114900fbe75844e1f-refs/heads/master@{#42426}

[modify] https://crrev.com/01199dc9213435603a051051d881701f841b79a8/src/crankshaft/hydrogen.cc
[add] https://crrev.com/01199dc9213435603a051051d881701f841b79a8/test/mjsunit/regress/regress-678917.js
Feb 6 2017
Please merge your change to M57 branch 2987 before 5:00 PM PT, Monday (02/06/) so we can pick it up for next Beta release. Thank you.
Feb 6 2017
I believe I did merge it, see #18.
Feb 6 2017

Feb 13 2017
Hi gksgudtjr456@ - I'm sorry to say the panel took a look at this and decided not to award, noting that the CHECK means there's no security implication.
Feb 14 2017

Mar 6 2017

Mar 6 2017

May 4 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot