
Issue 682570


Issue metadata

Status: Fixed
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

!escape_analysis_->IsVirtual(node) in escape-analysis-reducer.cc

Reported by ClusterFuzz (Project Member), Jan 19 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4772992665255936

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !escape_analysis_->IsVirtual(node) in escape-analysis-reducer.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 40858:40859

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94rr1SUFNNZ1zjg76m2cNsyBPVE4n5rzqdzVhhJ_fYnrUTmmdlluRKIuRdZnymnJL1WO4ED-Sw_pZCpEHcTApj1cK9fivd1DTR2EwfN_mzWE8RRDLx6YeFEgKNzTzJ8eVvuwYit1Utiwr80dN14ML98CfT2EiVcuY-58NVaHMxvWBVrPOxkfGBR262T_9RGQYnCnBcnTM7eqaenIRnr1ONLNIHL8k0xUyXIfojcADXgxT2lqKeV1qXM2yF4D51GgDHoItBJfRKzH6Av3cnD9AXYWbO_rmV0RWOLyR8_BsB_VLd-z6Rcaakk2qFiPASjKX90xhemo69F4nSwGlXAHcmErtjv9X03BsE6rBEKAY52bLWhxaI?testcase_id=4772992665255936
// Minimized ClusterFuzz testcase; run under d8 with --allow-natives-syntax
var __v_0 = {};
__v_0 = {};
function __f_2() {
  var __v_2 = {b: -1.5};  // local object with a double-valued field (escape-analysis candidate)
  __v_0.b = 1;            // store to the global object
  0 <= __v_2.b;           // load of the local object's field after the store
}
__f_2();
__f_2();
%OptimizeFunctionOnNextCall(__f_2);  // d8 intrinsic: force TurboFan optimization of __f_2
__f_2();


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: jarin@chromium.org mstarzinger@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Owner: tebbi@chromium.org
Status: Assigned (was: Untriaged)
Seems to reproduce on 32-bit architectures only (i.e. yes on ia32 and arm, no on x64).

Comment 2 by bugdroid1@chromium.org, Jan 30 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/8b6fa9d519fb4af611d91cc2c896532147ea0bda

commit 8b6fa9d519fb4af611d91cc2c896532147ea0bda
Author: tebbi <tebbi@chromium.org>
Date: Mon Jan 30 11:51:22 2017

[turbofan] escape analysis reducer no longer confused by TypeGuards it introduced itself

R=bmeurer@chromium.org

BUG= chromium:682570 

Review-Url: https://codereview.chromium.org/2664683003
Cr-Commit-Position: refs/heads/master@{#42769}

[modify] https://crrev.com/8b6fa9d519fb4af611d91cc2c896532147ea0bda/src/compiler/escape-analysis-reducer.cc
[add] https://crrev.com/8b6fa9d519fb4af611d91cc2c896532147ea0bda/test/mjsunit/compiler/escape-analysis-12.js

Comment 3 by tebbi@chromium.org, Jan 30 2017

Labels: -Type-Bug Merge-Request-57 Type-Bug-Security
Status: Fixed (was: Assigned)

Comment 4 by tebbi@chromium.org, Jan 30 2017

The repro leads to a read from uninitialized memory.

Comment 5 by sheriffbot@chromium.org, Jan 31 2017

Labels: -Merge-Request-57 Hotlist-Merge-Approved Merge-Approved-57
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by sheriffbot@chromium.org, Jan 31 2017

Labels: Restrict-View-SecurityNotify

Comment 7 by gov...@chromium.org, Jan 31 2017

Please merge your change to M57 branch 2987 ASAP (latest before 5:00 PM PT on Wednesday, 02/01/17) so we can pick it up for M57 Beta promotion release this week. Thank you.

Comment 8 by tebbi@chromium.org, Feb 1 2017

Cc: bmeu...@chromium.org

Comment 9 by bugdroid1@chromium.org, Feb 1 2017

Labels: merge-merged-5.7
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b1ffba35975b41a0db0da26fc469c4759499c405

commit b1ffba35975b41a0db0da26fc469c4759499c405
Author: tebbi <tebbi@chromium.org>
Date: Wed Feb 01 11:34:15 2017

Merged: [turbofan] escape analysis reducer no longer confused by TypeGuards it introduced itself

Revision: 8b6fa9d519fb4af611d91cc2c896532147ea0bda

BUG= chromium:682570 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2670513002
Cr-Commit-Position: refs/branch-heads/5.7@{#80}
Cr-Branched-From: 975e9a320b6eaf9f12280c35df98e013beb8f041-refs/heads/5.7.492@{#1}
Cr-Branched-From: 8d76f0e3465a84bbf0bceab114900fbe75844e1f-refs/heads/master@{#42426}

[modify] https://crrev.com/b1ffba35975b41a0db0da26fc469c4759499c405/src/compiler/escape-analysis-reducer.cc
[add] https://crrev.com/b1ffba35975b41a0db0da26fc469c4759499c405/test/mjsunit/compiler/escape-analysis-12.js

Labels: -Merge-Approved-57
Per comment #9, this is already merged to M57. Hence, removing "Merge-Approved-57" label. 
Labels: M-57 Security_Impact-Beta
Assuming this affects 57 only. Please correct me if this is wrong.

Comment 12 by sheriffbot@chromium.org, May 9 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot