Issue 679947 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 680938
Owner:	gdeepti@chromium.org
Closed:	Jan 2017
Cc:	jkummerow@chromium.org hablich@chromium.org ishell@chromium.org titzer@chromium.org
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	All
Pri:	1
Type:	Bug-Security
Security_Severity-Medium Security_Impact-Head allpublic M-57

Security: UNKNOWN in v8::internal::wasm::GrowWebAssemblyMemory

Reported by chromium...@gmail.com, Jan 11 2017

Issue description

VERSION
Chrome Version:  57.0.2977.0 canary (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
(You need to enable experimental WebAssembly at chrome://flags/#enable-webassembly)


Backtrace:
        v8::internal::wasm::GrowWebAssemblyMemory [0x11BD7B8F+671]
        v8::`anonymous namespace'::WebAssemblyMemoryGrow [0x11BA3C1D+1021] (C:\b\c\b\win_asan_release\src\v8\src\wasm\wasm-js.cc:533)
        v8::internal::FunctionCallbackArguments::Call [0x0FA8DBEF+1151] (C:\b\c\b\win_asan_release\src\v8\src\api-arguments.cc:19)
        v8::internal::`anonymous namespace'::HandleApiCallHelper<0> [0x0FD3DFCB+3675] (C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:106)
        v8::internal::Builtin_Impl_HandleApiCall [0x0FD39EE2+1266] (C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:135)
        v8::internal::Builtin_HandleApiCall [0x0FD39038+232] (C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:123)
        v8::internal::`anonymous namespace'::Invoke [0x10A6C9BE+2078] (C:\b\c\b\win_asan_release\src\v8\src\execution.cc:139)
        base::HistogramBase::FindAndRunCallback [0x128B3CA0+352] (C:\b\c\b\win_asan_release\src\base\metrics\histogram_base.cc:157)
        v8::GlobalValueMap<WTF::StringImpl *,v8::String,blink::StringCacheMapTraits>::Set [0x15467E6C+150] (C:\b\c\b\win_asan_release\src\v8\include\v8-util.h:483)
        v8::internal::Execution::Call [0x10A6BF45+693] (C:\b\c\b\win_asan_release\src\v8\src\execution.cc:176)
        v8::Script::Run [0x0FABBB77+1895]
        blink::V8ScriptRunner::runCompiledScript [0x1540BFED+1413]
        blink::ScriptController::executeScriptAndReturnValue [0x153ED440+1132]
        blink::ScriptController::evaluateScriptInMainWorld [0x153F0BA8+416]
        blink::ScriptController::executeScriptInMainWorld [0x153F10F2+198]
        blink::ScriptLoader::doExecuteScript [0x1B5E44D9+4717] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\ScriptLoader.cpp:548)
        blink::ScriptLoader::executeScript [0x1B5E2706+48] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\ScriptLoader.cpp:433)
        blink::ScriptLoader::prepareScript [0x1B5DCF04+3582] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\ScriptLoader.cpp:319)
        blink::HTMLParserScriptRunner::processScriptElementInternal [0x16B90876+426] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\html\parser\HTMLParse
rScriptRunner.cpp:491)
        blink::HTMLParserScriptRunner::processScriptElement [0x16B90252+620] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\html\parser\HTMLParserScriptR
unner.cpp:327)
        blink::HTMLDocumentParser::runScriptsForPausedTreeBuilder [0x16B32592+256]
        blink::HTMLDocumentParser::processTokenizedChunkFromBackgroundParser [0x16B373ED+2377]
        blink::HTMLDocumentParser::pumpPendingSpeculations [0x16B31BD7+1101]
        blink::TaskHandle::Runner::run [0x14FAF67E+80]
        base::internal::Invoker<base::internal::BindState<void (blink::TaskHandle::Runner::*)(const blink::TaskHandle &) __attribute__((thiscall)),base::WeakPtr<blink::
TaskHandle::Runner>,blink::TaskHandle>,void ()>::Run [0x14FB03ED+269]
        base::debug::TaskAnnotator::RunTask [0x12A1C4A6+1046] (C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50)
        blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue [0x1515EA1A+3102]
        blink::scheduler::TaskQueueManager::DoWork [0x1515A7D2+1472] (C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager
.cc:242)
        base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(base::TimeTicks, bool) __attribute__((thiscall)),base::WeakPtr<bl
ink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void ()>::Run [0x15164309+379]
        base::debug::TaskAnnotator::RunTask [0x12A1C4A6+1046] (C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50)
        base::MessageLoop::RunTask [0x128C9590+2528]
        base::MessageLoop::DeferOrRunPendingTask [0x128CA3D7+103]
        base::MessageLoop::DoWork [0x128CB6E7+1239]
        base::MessagePumpDefault::Run [0x12A22A8B+395] (C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:33)
        base::MessageLoop::RunHandler [0x128C85FA+330]
        base::RunLoop::Run [0x1294833E+462]
        content::RendererMain [0x18B6482D+1181] (C:\b\c\b\win_asan_release\src\content\renderer\renderer_main.cc:200)
        content::RunNamedProcessTypeMain [0x127591A0+486] (C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:416)
        content::ContentMainRunnerImpl::Run [0x1275A83D+587] (C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:793)
        content::ContentMain [0x12758D79+117] (C:\b\c\b\win_asan_release\src\content\app\content_main.cc:20)
        ChromeMain [0x0F3611FF+511] (C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:112)
        MainDllLoader::Launch [0x00077BD4+702] (C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:173)
        main [0x00071944+2372] (C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:262)
        __scrt_common_main_seh [0x0028606E+249] (f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253)
        BaseThreadInitThunk [0x75613677+18]
        RtlInitializeExceptionChain [0x775C9D72+99]
        RtlInitializeExceptionChain [0x775C9D45+54]
=================================================================
==4620==ERROR: AddressSanitizer: access-violation on unknown address 0x7ff80003 (pc 0x11bd7b8f bp 0x00a0b8ac sp 0x00a0b7e0 T0)
==4620==The signal is caused by a READ memory access.
==4620==*** WARNING: Failed to initialize DbgHelp!              ***
==4620==*** Most likely this means that the app is already      ***
==4620==*** using DbgHelp, possibly with incompatible flags.    ***
==4620==*** Due to technical reasons, symbolization might crash ***
==4620==*** or produce wrong results.                           ***
    #0 0x11bd7b8e  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x12877b8e)
    #1 0x11ba3c1c  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x12843c1c)
    #2 0xfa8dbee  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x1072dbee)
    #3 0xfd3dfca  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x109ddfca)
    #4 0xfd39ee1  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x109d9ee1)
    #5 0xfd39037  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x109d9037)
    #6 0x10a6c9bd  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x1170c9bd)
    #7 0x128b3c9f  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x13553c9f)
    #8 0x15467e6b  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x16107e6b)
    #9 0x10a6bf44  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x1170bf44)
    #10 0xfabbb76  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x1075bb76)
    #11 0x1540bfec  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x160abfec)
    #12 0x153ed43f  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x1608d43f)
    #13 0x153f0ba7  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x16090ba7)
    #14 0x153f10f1  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x160910f1)
    #15 0x1b5e44d8  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x1c2844d8)
    #16 0x1b5e2705  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x1c282705)
    #17 0x1b5dcf03  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x1c27cf03)
    #18 0x16b90875  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x17830875)
    #19 0x16b90251  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x17830251)
    #20 0x16b32591  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x177d2591)
    #21 0x16b373ec  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x177d73ec)
    #22 0x16b31bd6  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x177d1bd6)
    #23 0x14faf67d  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x15c4f67d)
    #24 0x14fb03ec  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x15c503ec)
    #25 0x12a1c4a5  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x136bc4a5)
    #26 0x1515ea19  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x15dfea19)
    #27 0x1515a7d1  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x15dfa7d1)
    #28 0x15164308  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x15e04308)
    #29 0x12a1c4a5  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x136bc4a5)
    #30 0x128c958f  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x1356958f)
    #31 0x128ca3d6  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x1356a3d6)
    #32 0x128cb6e6  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x1356b6e6)
    #33 0x12a22a8a  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x136c2a8a)
    #34 0x128c85f9  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x135685f9)
    #35 0x1294833d  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x135e833d)
    #36 0x18b6482c  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x1980482c)
    #37 0x1275919f  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x133f919f)
    #38 0x1275a83c  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x133fa83c)
    #39 0x12758d78  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x133f8d78)
    #40 0xf3611fe  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome_child.dll+0x100011fe)
    #41 0x77bd3  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome.exe+0x407bd3)
    #42 0x71943  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome.exe+0x401943)
    #43 0x28606d  (C:\Users\admin\Desktop\asan-win32-release-441524\chrome.exe+0x61606d)
    #44 0x75613676  (C:\Windows\syswow64\kernel32.dll+0x7dd73676)
    #45 0x775c9d71  (C:\Windows\SysWOW64\ntdll.dll+0x7dea9d71)

testcase.html
57 bytes View Download

Project Member

Comment 1 by ClusterFuzz, Jan 11 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5925698268299264

Comment 2 by dominickn@chromium.org, Jan 17 2017

Components: Blink>JavaScript

Comment 3 by aarya@google.com, Jan 17 2017

Cc: ishell@chromium.org jkummerow@chromium.org hablich@chromium.org
Owner: rossberg@chromium.org
Status: Assigned (was: Unconfirmed)

Assigning to the v8 sheriff for triage.

Comment 4 by aarya@google.com, Jan 17 2017

Labels: Security_Severity-Medium Security_Impact-Head OS-All Pri-1

Comment 5 by rossberg@chromium.org, Jan 17 2017

Cc: titzer@chromium.org
Owner: gdeepti@chromium.org

Project Member

Comment 6 by sheriffbot@chromium.org, Jan 17 2017

Labels: M-57

Project Member

Comment 7 by sheriffbot@chromium.org, Jan 17 2017

Labels: ReleaseBlock-Beta

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by gdeepti@chromium.org, Jan 18 2017

Status: Fixed (was: Assigned)

This refers to the same issue as - 
https://bugs.chromium.org/p/chromium/issues/detail?id=680938&can=1&q=owner%3Ame&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified

This has been fixed by - 
https://chromium.googlesource.com/v8/v8.git/+/6934db7ca7777db0799ec76b3fae811734e3c5c2

Verified to be fixed locally, marking as fixed.

Project Member

Comment 9 by sheriffbot@chromium.org, Jan 19 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 10 by hablich@chromium.org, Jan 20 2017

Mergedinto: 680938
Status: Duplicate (was: Fixed)

Comment 11 by awhalley@chromium.org, Jan 27 2017

Labels: -ReleaseBlock-Beta

Project Member

Comment 12 by sheriffbot@chromium.org, Apr 27 2017

Labels: -Restrict-View-SecurityNotify allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 679947 link

Issue metadata

Security: UNKNOWN in v8::internal::wasm::GrowWebAssemblyMemory

Issue description

Comment 1 by ClusterFuzz, Jan 11 2017

Comment 1 Deleted

Comment 2 by dominickn@chromium.org, Jan 17 2017

Comment 2 Deleted

Comment 3 by aarya@google.com, Jan 17 2017

Comment 3 Deleted

Comment 4 by aarya@google.com, Jan 17 2017

Comment 4 Deleted

Comment 5 by rossberg@chromium.org, Jan 17 2017

Comment 5 Deleted

Comment 6 by sheriffbot@chromium.org, Jan 17 2017

Comment 6 Deleted

Comment 7 by sheriffbot@chromium.org, Jan 17 2017

Comment 7 Deleted

Comment 8 by gdeepti@chromium.org, Jan 18 2017

Comment 8 Deleted

Comment 9 by sheriffbot@chromium.org, Jan 19 2017

Comment 9 Deleted

Comment 10 by hablich@chromium.org, Jan 20 2017

Comment 10 Deleted

Comment 11 by awhalley@chromium.org, Jan 27 2017

Comment 11 Deleted

Comment 12 by sheriffbot@chromium.org, Apr 27 2017

Comment 12 Deleted

Sign in to add a comment