Direct-leak in v8::ShellArrayBufferAllocator::Allocate
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4837800097873920

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_turbo_dbg
Platform Id: linux

Crash Type: Direct-leak
Crash Address:
Crash State:
  v8::ShellArrayBufferAllocator::Allocate
  v8::internal::JSArrayBuffer::SetupAllocatingData
  v8::internal::Builtin_Impl_ArrayBufferConstructor_ConstructStub

Sanitizer: address (ASAN)

Regressed: V8: 42748:42749

Minimized Testcase (0.29 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97TO08a6jNeen4yp2AV_3C68wUMnutq0aNQO4ltCXmwr_0O3w_LPUSuoukcvLUv7hwJRjLgbrKTwj9XidVAwkEC490np05frzMXJtDkhCZMciFN-Un9jq4KUArFXlxcmYy3oGgb5IlfX48WKT0op-0AwiahZdi5471JaRTpOZMI9xBbRafOAc4usplGijtzPN7Mpsz4hF9Sh0NRKGU1YVA5KZIdc4d_wz0y4rHJQwbGyyhhSDG9OG7u2ECdoMKQopvWeF-Enyc4NYoviJSHMQTkNxZvF-F36CNPqdwIk3uyl_lt9iSfeJIJSJnSTacYR1LXO-xlSVbnggtkH-mIyjBPbnWSqFo7Y9dxTUS1ddKbs7LXwu0?testcase_id=4837800097873920

  __v_1 = `postMessage('Starting worker'); onmessage = function() { switch (__v_2++) { } };`;
  function __f_1(byteLength) {
    var __v_3 = new ArrayBuffer(byteLength);
    return __v_3;
  }
  var __v_6 = new Worker(__v_1);
  var __v_8 = __f_1(32);
  __v_6.postMessage(__v_8, [__v_8]);

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 30 2017
Note that we also have new leaks on normal sanitizer bots: https://build.chromium.org/p/tryserver.v8/builders/v8_linux64_sanitizer_coverage_rel/builds/12031/steps/Check/logs/d8-worker
Jun 20 2017
Sorry to be so late on this, but I checked recently and was not able to repro. Is there a way to confirm this w/ bots?
Jun 20 2017
Clusterfuzz checks on this once per day, so the test case still reproduces. Did you try reproducing with the build clusterfuzz uses? E.g. use the "Build" download link in the test case and also set all the env vars clusterfuzz sets, e.g.:

[Environment] ASAN_OPTIONS = redzone=16:symbolize=0:detect_stack_use_after_return=1:alloc_dealloc_mismatch=0:detect_leaks=1:print_scariness=1:check_malloc_usable_size=0:max_uar_stack_size_log=16:use_sigaltstack=1:strict_memcmp=0:detect_container_overflow=1:coverage=0:detect_odr_violation=0:allocator_may_return_null=1:handle_segv=1:fast_unwind_on_fatal=1
[Environment] LSAN_OPTIONS = suppressions=/mnt/scratch0/clusterfuzz/scripts/suppressions/lsan_suppressions.txt:symbolize=1:external_symbolizer_path=/mnt/scratch0/clusterfuzz/scripts/linux/llvm-symbolizer

You need to adjust some paths, and I think you can skip the suppression file from clusterfuzz for now, unless there's something suppressed that masks your case. I think the key option you need is detect_leaks=1 in the ASAN_OPTIONS.
Jun 20 2017
I built an ASAN build locally and used the same environment options but it didn't trigger. I'll try the cluster-fuzz build instead.
Jun 20 2017
I was able to repro with the clusterfuzz build, but it is quite old (seems to be from the original bug). How can I find a newer build that reproduces the same error?
Jun 21 2017
A recent build: https://storage.cloud.google.com/v8-asan/linux-debug/d8-asan-linux-debug-v8-component-46076.zip

For building yourself, here are the GN args for building:

is_asan = true
is_component_build = true
is_debug = true
is_lsan = true
sanitizer_coverage_flags = "trace-pc-guard"
target_cpu = "x64"
use_goma = true
v8_enable_backtrace = true
v8_enable_slow_dchecks = true
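A helper that ties the two reproduction comments together (the ASAN/LSAN environment and an is_asan/is_lsan d8 build); this is added example code, not from the bug tracker or the V8 project. It assumes an environment variable D8 pointing at a sanitizer build of d8 (the default path is a guess), uses the ASAN_OPTIONS string quoted in the thread, drops the suppression file and symbolizer path from LSAN_OPTIONS as the comment suggests, and checks the sanitizer log for the direct leak the report names.

```shell
#!/bin/sh
# Added reproduction helper (not from the bug tracker or V8).
# Assumed: D8 is an is_asan/is_lsan build of d8; default path is a guess.
D8="${D8:-out/asan-debug/d8}"
TESTCASE="${TESTCASE:-/tmp/clusterfuzz-4837800097873920.js}"
LOG="${LOG:-/tmp/d8-sanitizer.log}"

# Writes the minimized testcase from the report to the given path.
write_testcase() {
  cat > "$1" <<'EOF'
__v_1 = `postMessage('Starting worker'); onmessage = function() { switch (__v_2++) { } };`;
function __f_1(byteLength) { var __v_3 = new ArrayBuffer(byteLength); return __v_3; }
var __v_6 = new Worker(__v_1);
var __v_8 = __f_1(32);
__v_6.postMessage(__v_8, [__v_8]);
EOF
}

# Returns 0 when the log holds a LeakSanitizer report containing a "Direct leak"
# whose allocation stack includes ShellArrayBufferAllocator::Allocate, else 1.
has_shell_allocator_leak() {
  awk '/LeakSanitizer: detected memory leaks/ { seen = 1 }
       /^Direct leak of/ { inleak = 1; next }
       /^$/ { inleak = 0 }
       inleak && /ShellArrayBufferAllocator::Allocate/ { hit = 1 }
       END { exit !(seen && hit) }' "$1"
}

# Runs d8 with the ClusterFuzz sanitizer settings (ASAN_OPTIONS as quoted in
# the thread; LSAN_OPTIONS without the suppression file and symbolizer path).
run_repro() {
  write_testcase "$TESTCASE"
  ASAN_OPTIONS='redzone=16:symbolize=0:detect_stack_use_after_return=1:alloc_dealloc_mismatch=0:detect_leaks=1:print_scariness=1:check_malloc_usable_size=0:max_uar_stack_size_log=16:use_sigaltstack=1:strict_memcmp=0:detect_container_overflow=1:coverage=0:detect_odr_violation=0:allocator_may_return_null=1:handle_segv=1:fast_unwind_on_fatal=1' \
  LSAN_OPTIONS='symbolize=1' \
    "$D8" "$TESTCASE" > "$LOG" 2>&1 || true   # d8 exits non-zero when LSAN reports
  if has_shell_allocator_leak "$LOG"; then
    echo "reproduced: Direct-leak in v8::ShellArrayBufferAllocator::Allocate ($LOG)"
    return 0
  fi
  echo "not reproduced; see $LOG"
  return 1
}
```

Source the file and call run_repro; it returns 0 only when the leak report names the allocator frame from the crash state.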
Jun 21 2017
One thing I said seems not to be true. I don't think there's fixed-testing on this bug because the old job types have been tidied up. There's a chance that this might be already fixed without clusterfuzz noticing. inferno, mbarbella: Is it possible to migrate such test cases to the new job type linux_asan_d8_dbg?
Jun 21 2017
I wasn't able to repro with the clusterfuzz build, and it looks like petermarshall@ wasn't either. So I'll close for now.
Comment 1 by machenb...@chromium.org, Jan 30 2017: Status: Assigned (was: Untriaged)