V8 correctness failure in configs: x64,ignition:x64,ignition_turbo
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6192476001140736

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: d02
Sanitizer: address (ASAN)

Minimized Testcase (0.48 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96_PbUs6j8vXUsvjEWOV65KcS29gBJ6oJy3Pj8P9vh1LNI67Nzap83UYGjyusabSg5KufcmiigvmUx_oExUynHsNl96_n8vbZ1uDPHHKFfA4VQc-8kerC2UFcrm40E8DDQYl65xC3L-zwjVHsYYi533R_5yTdMN_3dZu5vkdATeeng7OJNYvytmpmW88o3T1mTKgsaLXG6URlKsGNTwWnk23Dc6T7D1lXE2ffKQ569I8Y3FZdkDVjVdp70Q2hOzk7kCR3l6Yip-Owpr6sYABYxj595yrNkoqMoYWWCU36kSxII4_t7B2aUiCrP1dbZ4fucmPs5ku3W5qDiv5ZC8xAnaJlr5jsAc1qfvO51pr-VJmcWVbAI?testcase_id=6192476001140736

try { } catch(e) {; }
print("v8-foozzie source: /v8/test/mjsunit/regress/regress-3976.js");
__v_4 = (function() { return function() { }; })();
function __f_4() { return '"' + __v_4 + '"'; }
function __f_3() { return '[{' + '"field1" : ' + __v_4() + ', "field2" : ' + __v_4() + '}]'; }
function __f_5(n) {
  var __v_6 = '{';
  for (var __v_3 = 0; __v_3 < n; __v_3++) {
    __v_6 += __f_4();
    __v_6 += __f_3();
  }
  return __v_6;
}
var __v_7 = __f_5(50000);
JSON.parse(__v_7);

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 27 2017
Very surprising. I do think we care.
Jan 30 2017
The following patch brings the two cases in sync. But this looks too brittle for my taste, I am pretty sure I am missing some subtleties in the JSON parser. I think someone with a better understanding of that component needs to fix this.
--- a/src/json-parser.cc
+++ b/src/json-parser.cc
@@ -731,7 +731,11 @@ Handle<String> JsonParser<seq_one_byte>::ScanJsonString() {
return SlowScanJsonString<SeqOneByteString, uint8_t>(source_, beg_pos,
position_);
}
- if (c0 < 0x20) return Handle<String>::null();
+ if (c0 < 0x20) {
+ c0_ = c0;
+ position_ = position;
+ return Handle<String>::null();
+ }
running_hash = StringHasher::AddCharacterCore(running_hash,
static_cast<uint16_t>(c0));
position++;
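Review bot: the new `if (c0 < 0x20)` branch writes the local scan state back into the scanner fields (`c0_ = c0; position_ = position;`) before returning the null handle, which is what makes the reported token and position agree between the two configurations; the other early exit visible in this hunk, the `return SlowScanJsonString<SeqOneByteString, uint8_t>(source_, beg_pos, position_)` fallback a few lines up, does not write them back, so it is worth confirming whether that path relies on the callee to restore the scanner state or needs the same treatment. A regression test that pins the exact SyntaxError token and position for a raw control character inside a string literal would make this desynchronisation visible again if the writes are later reordered or removed.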
Mar 7 2017
Mar 7 2017
When you're working on this, please also have a look if issue 698525 is a dupe.
Mar 7 2017
Issue 698525 has been merged into this issue.
Mar 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/fa7b88fddd837b31e194a98c6636473ed898c172

commit fa7b88fddd837b31e194a98c6636473ed898c172
Author: Igor Sheludko <ishell@chromium.org>
Date: Thu Mar 09 12:28:17 2017

[json] Fix error reporting when parsing an internalized one-byte string.

BUG= chromium:686010
Change-Id: I7bd4ab48f90a1013132bf037fd352ab55747189c
Reviewed-on: https://chromium-review.googlesource.com/451377
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43691}

[modify] https://crrev.com/fa7b88fddd837b31e194a98c6636473ed898c172/src/json-parser.cc
[modify] https://crrev.com/fa7b88fddd837b31e194a98c6636473ed898c172/src/objects-printer.cc
[add] https://crrev.com/fa7b88fddd837b31e194a98c6636473ed898c172/test/mjsunit/json-errors.js
Mar 9 2017
Mar 9 2017
Woot! Thanks Igor for taking care of this!
Mar 10 2017
ClusterFuzz has detected this issue as fixed in range 43690:43691.

Detailed report: https://clusterfuzz.com/testcase?key=6192476001140736

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: d02
Sanitizer: address (ASAN)

Fixed: V8: 43690:43691

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96_PbUs6j8vXUsvjEWOV65KcS29gBJ6oJy3Pj8P9vh1LNI67Nzap83UYGjyusabSg5KufcmiigvmUx_oExUynHsNl96_n8vbZ1uDPHHKFfA4VQc-8kerC2UFcrm40E8DDQYl65xC3L-zwjVHsYYi533R_5yTdMN_3dZu5vkdATeeng7OJNYvytmpmW88o3T1mTKgsaLXG6URlKsGNTwWnk23Dc6T7D1lXE2ffKQ569I8Y3FZdkDVjVdp70Q2hOzk7kCR3l6Yip-Owpr6sYABYxj595yrNkoqMoYWWCU36kSxII4_t7B2aUiCrP1dbZ4fucmPs5ku3W5qDiv5ZC8xAnaJlr5jsAc1qfvO51pr-VJmcWVbAI?testcase_id=6192476001140736

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by machenb...@chromium.org, Jan 27 2017
Status: Available (was: Untriaged)

PTAL. This is an example where JSON.parse throws different syntax errors in ignition/ignition_turbo. Do we care?

Minimized:

function foo() {
  var v = '{';
  for (var i = 0; i < 20000; i++) {
    v += '"line\nbreak"oops';
  }
  return v;
}
JSON.parse(foo());

Output:

# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft
# Flags of x64,ignition_turbo: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition-staging --turbo --validate-asm
#
# Difference:
- undefined:1: SyntaxError: Unexpected token l in JSON at position 2
+ undefined:1: SyntaxError: Unexpected token
#
# Source file: none
#
### Start of configuration x64,ignition:
undefined:1: SyntaxError: Unexpected token l in JSON at position 2
{"line
^
### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
undefined:1: SyntaxError: Unexpected token  in JSON at position 6
{"line
^
### End of configuration x64,ignition_turbo
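Added example, not code from the bug thread or from V8: a small scanner that locates the first raw control character (code below 0x20) inside a JSON string literal, the condition the `c0 < 0x20` check in the patch rejects, and a cross-check that JSON.parse refuses the same input. On the one-iteration form of the minimized input from comment 1, the offending newline sits at index 6, the position the ignition_turbo configuration reported; the function names and the generalisation to n repetitions are constructed here.

```javascript
// Added example, not code from the V8 bug thread. Finds the first raw
// (unescaped) control character, code < 0x20, inside a JSON string literal.
// The JSON grammar forbids such bytes in strings, so this is the position a
// conforming parser's SyntaxError should point at. Returns {index, code} or
// null when the text contains no such byte.
function findRawControlCharInJsonString(text) {
  let inString = false;   // between an opening and a closing quote?
  let escaped = false;    // was the previous in-string character a backslash?
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (!inString) {
      if (code === 0x22) inString = true;   // '"' opens a string literal
      continue;                             // newlines outside strings are whitespace
    }
    if (code < 0x20) return { index: i, code };  // raw control char inside a string
    if (escaped) { escaped = false; continue; }  // the char after '\' is consumed
    if (code === 0x5c) escaped = true;           // '\' starts an escape sequence
    else if (code === 0x22) inString = false;    // '"' closes the string
  }
  return null;
}

// Returns the SyntaxError message JSON.parse produces for text, or null if
// the text parses. Any other exception type is re-thrown.
function jsonParseErrorMessage(text) {
  try {
    JSON.parse(text);
    return null;
  } catch (e) {
    if (e instanceof SyntaxError) return e.message;
    throw e;
  }
}

// Constructed input: the string the minimized testcase in comment 1 builds,
// generalised to n repetitions (comment 1 uses 20000).
function buildComment1Input(n) {
  let v = '{';
  for (let i = 0; i < n; i++) v += '"line\nbreak"oops';
  return v;
}

// The first raw control character is the '\n' at index 6 of {"line\n...,
// independent of n; that is the position the ignition_turbo run reported.
const hit = findRawControlCharInJsonString(buildComment1Input(20000));
console.log(hit, jsonParseErrorMessage(buildComment1Input(1)));
```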