
Issue 680372


Issue metadata

Status: WontFix
Closed: Jan 2017
OS: Windows
Pri: 2
Type: Bug-Security




crash with sig11 in v8/src/heap/spaces.h:438:38

Reported by cdsrc2...@gmail.com, Jan 12 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
1. The chrome.exe startup parameters are:
       chrome.exe --js-flags="--expose-gc --allow-natives-syntax" --no-sandbox --disable-seccomp-sandbox --allow-file-access-from-files --force-renderer-accessibility
2. Access the JS page to trigger a crash.

What is the expected behavior?

What went wrong?
win7 chrome:
=================================================================
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll - 
    eax=00000000 ebx=0018e6f8 ecx=00000000 edx=00000000 esi=59045fbb edi=0018e3d8
    eip=568de489 esp=0018e2e8 ebp=0018e3a8 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    chrome_child!ovly_debug_event+0x2fcfa9:
    568de489 8b581c          mov     ebx,dword ptr [eax+1Ch] ds:002b:0000001c=????????

ASAN:DEADLYSIGNAL
=================================================================
==27037==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f75e3872ee9 bp 0x7fff474000d0 sp 0x7fff47400000 T0)
==27037==The signal is caused by a READ memory access.
==27037==Hint: address points to the zero page.
    #0 0x55f06ccefb78 in heap ./out/asan/../../v8/src/heap/spaces.h:438:38
    #1 0x55f06ccefb78 in GetHeap ./out/asan/../../v8/src/objects-inl.h:1439:0
    #2 0x55f06ccefb78 in GetIsolate ./out/asan/../../v8/src/objects-inl.h:1446:0
    #3 0x55f06ccefb78 in Handle ./out/asan/../../v8/src/handles.h:99:0
    #4 0x55f06ccefb78 in ParseFunction ./out/asan/../../v8/src/parsing/parser.cc:770:0
    #5 0x55f06cdc56d9 in ParseFunction ./out/asan/../../v8/src/parsing/parsing.cc:49:19
    #6 0x55f06c01072c in GetBaselineCode ./out/asan/../../v8/src/compiler.cc:857:8
    #7 0x55f06c00fad1 in CompileBaseline ./out/asan/../../v8/src/compiler.cc:1095:8
    ...

Did this work before? N/A 

Chrome version: 55.0.2883.87  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:
 
chrome.zip
3.5 KB Download

Comment 1 by cdsrc2...@gmail.com, Jan 12 2017

VERSION
    D8 Version 5.7.339
    Chrome Version: 55.0.2883.87 m (stable)
    Operating System: Windows 7

Comment 2 by aarya@google.com, Jan 17 2017

Cc: ishell@chromium.org jkummerow@chromium.org hablich@chromium.org machenb...@chromium.org
Components: Blink>JavaScript
Owner: rossberg@chromium.org
Status: Assigned (was: Unconfirmed)
Assigning to v8 sheriff to triage.
Components: Blink>JavaScript>GC
Cc: rossberg@chromium.org
Owner: mlippautz@chromium.org
Assigning to memory sheriff.
Cc: jochen@chromium.org marja@chromium.org
Looks like we try to access a null page to get the heap. The only way I see this happening is when we try to get the heap from a null HeapObject.

Maybe script source is null? Anyway, I will start investigating.

Comment 6 by jochen@chromium.org, Jan 17 2017

Status: WontFix (was: Assigned)
eval is a builtin, so we can't compile that. The native method you use, however, marks the function for recompilation anyway, which crashes.

Since this is a test-only method that is not exposed in production, this bug is WontFix.
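The WontFix decision rests on the reproduction command line, not on the crash itself: the report only works with the sandbox off and with V8's test-only natives syntax enabled, neither of which a shipping Chrome ever runs with. The following triage helper is an added example (not part of this report or of Chromium) that parses such a command line and lists the switches that take the browser out of its production configuration. The switch descriptions are this example's own summary of what each flag does, and the two sets of "non-production" switches are a judgement call, not a Chromium-maintained list.

```python
import shlex

# Switches that remove a security boundary or expose test-only machinery.
# The descriptions are this example's own summary, not Chromium documentation.
NON_PRODUCTION_SWITCHES = {
    "--no-sandbox": "disables the process sandbox",
    "--disable-seccomp-sandbox": "disables the seccomp layer of the sandbox",
    "--allow-file-access-from-files": "lets file:// pages read other local files",
}

# V8 flags passed through --js-flags that have no business in a shipping browser.
NON_PRODUCTION_JS_FLAGS = {
    "--allow-natives-syntax": "enables V8 %-prefixed runtime functions (test-only)",
    "--expose-gc": "exposes gc() to script",
}

# The command line from the report's "Steps to reproduce" (copied from the page).
REPORTED_CMDLINE = (
    'chrome.exe --js-flags="--expose-gc --allow-natives-syntax" --no-sandbox '
    '--disable-seccomp-sandbox --allow-file-access-from-files '
    '--force-renderer-accessibility'
)


def parse_command_line(cmdline):
    """Split a Chrome command line into (executable, {switch: value}, positional args).

    shlex's POSIX quoting rules are used, which is enough for the quoted --js-flags
    value above; a command line with unquoted Windows backslash paths would need a
    Windows-aware splitter instead.
    """
    parts = shlex.split(cmdline)
    exe, switches, positional = parts[0], {}, []
    for arg in parts[1:]:
        if arg.startswith("--"):
            name, _, value = arg.partition("=")
            switches[name] = value          # value is "" for boolean switches
        else:
            positional.append(arg)          # URLs or file paths to open
    return exe, switches, positional


def js_flags(switches):
    """Return the individual V8 flags carried inside --js-flags, if any."""
    return switches.get("--js-flags", "").split()


def assess(cmdline):
    """Report every switch that puts the browser outside its production configuration."""
    exe, switches, positional = parse_command_line(cmdline)
    findings = []
    for name in switches:
        if name in NON_PRODUCTION_SWITCHES:
            findings.append((name, NON_PRODUCTION_SWITCHES[name]))
    for flag in js_flags(switches):
        if flag in NON_PRODUCTION_JS_FLAGS:
            findings.append(("--js-flags " + flag, NON_PRODUCTION_JS_FLAGS[flag]))
    return {
        "executable": exe,
        "targets": positional,
        "findings": findings,
        "production_config": not findings,
    }


if __name__ == "__main__":
    result = assess(REPORTED_CMDLINE)
    print("production configuration:", result["production_config"])
    for switch, why in result["findings"]:
        print(f"  {switch}: {why}")
```

Run against the reporter's command line it lists five non-production switches (three sandbox/file-access switches plus the two V8 flags), so a crash that needs all of them does not describe a condition a production user can reach; the same function returns `production_config: True` for a plain `chrome.exe https://example.com` launch.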

Comment 7 by sheriffbot@chromium.org, Apr 25 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
