Issue 683667 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	ishell@chromium.org
Closed:	Mar 2017
Cc:	ifratric@google.com hablich@chromium.org
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Hotlist-Merge-Review Stability-Crash Reproducible Clusterfuzz M-57 NodeJS-Backport-Rejected Test-Predator-Wrong merge-merged-5.7 merge-merged-5.8

!field_type->NowStable() || field_type->NowContains(value) || (!FLAG_use_allocat

Project Member Reported by ClusterFuzz, Jan 22 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4616822151446528

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !field_type->NowStable() || field_type->NowContains(value) || (!FLAG_use_allocat
  v8::internal::JSObject::JSObjectVerify
  v8::internal::Object::ObjectVerify
  v8::internal::NewSpace::Verify
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=441524:441984

Minimized Testcase (1.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97XGisoMwJsKPjjKO_CTlX2IZyA4ywaR23vbMwheVai3QgsHr8TcDIm7qpCbCWzobOP_SejrWOvx0b-1p9YWHRR25dONqCuPjDfW-OHzDc6iTh-rA0Ia6EJuxajkKyXRrSWCgvSXA0rjZZwIiAKqRxwQYM9rS1kLgzjnMlhz3ota42s8IQd-rSxO8pPKjvWEQEyO7xhWkh7Ee8iJnL3if1SGgnUnRFyx1PudM5Ktr2eUa59pNBvYWiFwvgZ3s10QqflyoEl5r5s9yR7Br3HUPy_mV-1mrNne_-WjJRJtKccsyvud0fX4n8wctPV89pvqD3B1-3iJHCKXIj8uK6S6TT4kCFkRhRtLU_hjZwpoJWsNG1IosY?testcase_id=4616822151446528

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, Jan 23 2017

Components: Blink>JavaScript

Comment 2 by mummare...@chromium.org, Jan 26 2017

Labels: Test-Predator-Wrong M-57
Owner: ishell@chromium.org
Status: Assigned (was: Untriaged)

As per  issue 670154 , assigning to ishell@. could you please take a look?
Thank you.

Comment 3 by ishell@chromium.org, Feb 28 2017

Status: Started (was: Assigned)

Project Member

Comment 4 by bugdroid1@chromium.org, Feb 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/1c7f83980e3b29a25bb36cc54be56d3af997e166

commit 1c7f83980e3b29a25bb36cc54be56d3af997e166
Author: Igor Sheludko <ishell@chromium.org>
Date: Tue Feb 28 17:05:51 2017

[runtime] Mark old JSGlobalProxy's map as unstable when an iframe navigates away.

This CL also introduces Realm.navigate(i).

BUG= chromium:683667 

Change-Id: I9227292ea3a575f34367e82fc6297d234d3eecae
Reviewed-on: https://chromium-review.googlesource.com/447638
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43494}
[modify] https://crrev.com/1c7f83980e3b29a25bb36cc54be56d3af997e166/src/d8.cc
[modify] https://crrev.com/1c7f83980e3b29a25bb36cc54be56d3af997e166/src/d8.h
[modify] https://crrev.com/1c7f83980e3b29a25bb36cc54be56d3af997e166/src/factory.cc
[modify] https://crrev.com/1c7f83980e3b29a25bb36cc54be56d3af997e166/src/objects.h
[add] https://crrev.com/1c7f83980e3b29a25bb36cc54be56d3af997e166/test/mjsunit/regress/regress-crbug-683667.js

Comment 5 by ishell@chromium.org, Mar 1 2017

Labels: Merge-Request-57
Status: Fixed (was: Started)

Project Member

Comment 6 by sheriffbot@chromium.org, Mar 1 2017

Labels: -Merge-Request-57 Hotlist-Merge-Review Merge-Review-57

This bug requires manual review: We are only 12 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by gov...@chromium.org, Mar 1 2017

Cc: hablich@chromium.org

+hablich@ for M57 merge review. Please note we're VERY close to M57 stable promotion for Desktop.

Project Member

Comment 8 by ClusterFuzz, Mar 1 2017

ClusterFuzz has detected this issue as fixed in range 453698:453774.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4616822151446528

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !field_type->NowStable() || field_type->NowContains(value) || (!FLAG_use_allocat
  v8::internal::JSObject::JSObjectVerify
  v8::internal::Object::ObjectVerify
  v8::internal::NewSpace::Verify
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=441524:441984
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=453698:453774

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97XGisoMwJsKPjjKO_CTlX2IZyA4ywaR23vbMwheVai3QgsHr8TcDIm7qpCbCWzobOP_SejrWOvx0b-1p9YWHRR25dONqCuPjDfW-OHzDc6iTh-rA0Ia6EJuxajkKyXRrSWCgvSXA0rjZZwIiAKqRxwQYM9rS1kLgzjnMlhz3ota42s8IQd-rSxO8pPKjvWEQEyO7xhWkh7Ee8iJnL3if1SGgnUnRFyx1PudM5Ktr2eUa59pNBvYWiFwvgZ3s10QqflyoEl5r5s9yR7Br3HUPy_mV-1mrNne_-WjJRJtKccsyvud0fX4n8wctPV89pvqD3B1-3iJHCKXIj8uK6S6TT4kCFkRhRtLU_hjZwpoJWsNG1IosY?testcase_id=4616822151446528


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by hablich@chromium.org, Mar 1 2017

Labels: -Merge-Review-57 Merge-Approved-58 Merge-Approved-57

This also needs to be merged to 5.8 when it is cut tomorrow.

Comment 10 by mummare...@chromium.org, Mar 1 2017

If possible, could you please merge your change to M57 branch 2987 by 5:00 PM PT tomorrow, Thursday (03/02).
Thank you.

Project Member

Comment 11 by bugdroid1@chromium.org, Mar 2 2017

Labels: merge-merged-5.7

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/74e054db7f051a0eefb9072618d4778a81963e9f

commit 74e054db7f051a0eefb9072618d4778a81963e9f
Author: ishell@chromium.org <ishell@chromium.org>
Date: Thu Mar 02 09:41:35 2017

Merged: [runtime] Mark old JSGlobalProxy's map as unstable when an iframe navigates away.

Revision: 1c7f83980e3b29a25bb36cc54be56d3af997e166

BUG= chromium:683667 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=verwaest@chromium.org

Review-Url: https://codereview.chromium.org/2724253003 .
Cr-Commit-Position: refs/branch-heads/5.7@{#136}
Cr-Branched-From: 975e9a320b6eaf9f12280c35df98e013beb8f041-refs/heads/5.7.492@{#1}
Cr-Branched-From: 8d76f0e3465a84bbf0bceab114900fbe75844e1f-refs/heads/master@{#42426}

[modify] https://crrev.com/74e054db7f051a0eefb9072618d4778a81963e9f/src/d8.cc
[modify] https://crrev.com/74e054db7f051a0eefb9072618d4778a81963e9f/src/d8.h
[modify] https://crrev.com/74e054db7f051a0eefb9072618d4778a81963e9f/src/factory.cc
[modify] https://crrev.com/74e054db7f051a0eefb9072618d4778a81963e9f/src/objects.h
[add] https://crrev.com/74e054db7f051a0eefb9072618d4778a81963e9f/test/mjsunit/regress/regress-crbug-683667.js

Project Member

Comment 12 by bugdroid1@chromium.org, Mar 2 2017

Labels: merge-merged-5.8

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f81c002f5db86eb407024d27c892d211cdf07c85

commit f81c002f5db86eb407024d27c892d211cdf07c85
Author: ishell@chromium.org <ishell@chromium.org>
Date: Thu Mar 02 12:51:18 2017

Merged: [runtime] Mark old JSGlobalProxy's map as unstable when an iframe navigates away.

Revision: 1c7f83980e3b29a25bb36cc54be56d3af997e166

BUG= chromium:683667 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=verwaest@chromium.org

Review-Url: https://codereview.chromium.org/2725153002 .
Cr-Commit-Position: refs/branch-heads/5.8@{#6}
Cr-Branched-From: eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef-refs/heads/5.8.283@{#1}
Cr-Branched-From: 4310cd02d2160b1457baed81a2f40063eb264a21-refs/heads/master@{#43429}

[modify] https://crrev.com/f81c002f5db86eb407024d27c892d211cdf07c85/src/d8.cc
[modify] https://crrev.com/f81c002f5db86eb407024d27c892d211cdf07c85/src/d8.h
[modify] https://crrev.com/f81c002f5db86eb407024d27c892d211cdf07c85/src/factory.cc
[modify] https://crrev.com/f81c002f5db86eb407024d27c892d211cdf07c85/src/objects.h
[add] https://crrev.com/f81c002f5db86eb407024d27c892d211cdf07c85/test/mjsunit/regress/regress-crbug-683667.js

Comment 13 by hablich@chromium.org, Mar 2 2017

Labels: -Merge-Approved-57 -Merge-Approved-58

Comment 14 by ishell@chromium.org, Mar 6 2017

 Issue 697711  has been merged into this issue.

Comment 15 by ofrobots@google.com, May 12 2017

Labels: NodeJS-Backport-Rejected

Not needed for Node LTS.

►

Issue 683667 link

Issue metadata

!field_type->NowStable() || field_type->NowContains(value) || (!FLAG_use_allocat

Issue description

Comment 1 by msrchandra@chromium.org, Jan 23 2017

Comment 1 Deleted

Comment 2 by mummare...@chromium.org, Jan 26 2017

Comment 2 Deleted

Comment 3 by ishell@chromium.org, Feb 28 2017

Comment 3 Deleted

Comment 4 by bugdroid1@chromium.org, Feb 28 2017

Comment 4 Deleted

Comment 5 by ishell@chromium.org, Mar 1 2017

Comment 5 Deleted

Comment 6 by sheriffbot@chromium.org, Mar 1 2017

Comment 6 Deleted

Comment 7 by gov...@chromium.org, Mar 1 2017

Comment 7 Deleted

Comment 8 by ClusterFuzz, Mar 1 2017

Comment 8 Deleted

Comment 9 by hablich@chromium.org, Mar 1 2017

Comment 9 Deleted

Comment 10 by mummare...@chromium.org, Mar 1 2017

Comment 10 Deleted

Comment 11 by bugdroid1@chromium.org, Mar 2 2017

Comment 11 Deleted

Comment 12 by bugdroid1@chromium.org, Mar 2 2017

Comment 12 Deleted

Comment 13 by hablich@chromium.org, Mar 2 2017

Comment 13 Deleted

Comment 14 by ishell@chromium.org, Mar 6 2017

Comment 14 Deleted

Comment 15 by ofrobots@google.com, May 12 2017

Comment 15 Deleted

Sign in to add a comment