
Issue 697017 link


Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




!v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()) in objects-i

Project Member Reported by ClusterFuzz, Feb 28 2017

Issue description

Comment 1 by titzer@chromium.org, Feb 28 2017

Cc: titzer@chromium.org
Owner: ishell@chromium.org
Status: Assigned (was: Untriaged)
This reproduces on the build that is downloadable from the clusterfuzz issue, but only with the --enable-slow-asserts flag. The testcase can be further reduced:

for (var i = 0; i < 100; i++) {
  print(i);
  (Int32Array)["abc" + i] = i;
}

This crashes on iteration 14 for me:
0
1
2
3
4
5
6
7
8
9
10
11
12
13


#
# Fatal error in ../../src/objects-inl.h, line 644
# Check failed: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()).
#

==== C stack trace ===============================

    ./d8(backtrace+0x5c) [0xf71daa4c]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x38) [0xf270e088]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8_libbase.so(V8_Fatal+0x20e) [0xf26ff13e]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(+0x5779f7) [0xf2c999f7]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::Map::TransitionToDataProperty(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::PropertyConstness, v8::internal::Object::StoreFromKeyed)+0x1676) [0xf50c4496]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::LookupIterator::PrepareTransitionToDataProperty(v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::Object::StoreFromKeyed)+0xc2b) [0xf4dfa7cb]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::Object::AddDataProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::PropertyAttributes, v8::internal::Object::ShouldThrow, v8::internal::Object::StoreFromKeyed)+0xd6e) [0xf500057e]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::Object::SetProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode, v8::internal::Object::StoreFromKeyed)+0x4f2) [0xf4ff8122]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::Runtime::SetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode)+0x351) [0xf592f9e1]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(+0x32244f7) [0xf59464f7]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::Runtime_SetProperty(int, v8::internal::Object**, v8::internal::Isolate*)+0x1f2) [0xf59453c2]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::Simulator::SoftwareInterrupt()+0x11b8) [0xf622bcd8]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::Simulator::DecodeTypeRegisterSPECIAL()+0x3b2c) [0xf6247cac]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::Simulator::DecodeTypeRegister()+0xd6) [0xf624ee76]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::Simulator::InstructionDecode(v8::internal::Instruction*)+0x7a9) [0xf6223509]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::Simulator::CallInternal(unsigned char*)+0x59b) [0xf625893b]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::Simulator::Call(unsigned char*, int, ...)+0x350) [0xf6259ea0]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(+0x1e79a02) [0xf459ba02]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(+0x1e7781a) [0xf459981a]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*)+0x143) [0xf4599033]
    /tmp/clusterfuzz/d8-mipsel-asan-linux-debug-v8-component-43452/./libv8.so(v8::Script::Run(v8::Local<v8::Context>)+0x704) [0xf2ceaa84]
    ./d8(v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, bool, bool)+0x33d) [0xf726ae1d]
    ./d8(v8::SourceGroup::Execute(v8::Isolate*)+0x727) [0xf72910b7]
    ./d8(v8::Shell::RunMain(v8::Isolate*, int, char**, bool)+0x5c0) [0xf729a740]
    ./d8(v8::Shell::Main(int, char**)+0x283e) [0xf729ffbe]
    ./d8(main+0x38) [0xf72b1b28]
    /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0xf0e05af3]
    ./d8(+0x2a221) [0xf718a221]
Received signal 4 ILL_ILLOPN 0000f2709fdc
Illegal instruction (core dumped)

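The reduced testcase above exercises one pattern: adding a run of computed string-keyed data properties to a builtin constructor function until V8 has to normalize the object, the path the fix commit calls "feeding back normalization" and the one TransitionToDataProperty is on in the stack trace. The following is an added example (not code from the report, and not V8's own regress-crbug-697017.js, whose contents are not shown here) that generalizes that testcase into a regression-style check: it applies the same property-storm to several constructor-like targets and verifies every property reads back, so on a fixed engine it returns a count per target, while on an affected debug build run with --enable-slow-asserts the Int32Array case would abort with the CHECK quoted above. The target list, the prefix "abc" and the count of 100 are taken from the testcase; the other targets and the helper names are assumptions for illustration.

```javascript
// Added example: generalizes the reduced testcase from Comment 1 into a
// regression-style check. Not V8's regress-crbug-697017.js; the helper
// names and the extra targets are illustrative assumptions.

// Adds `count` string-keyed data properties to `target`, the same pattern
// the reduced testcase applies to Int32Array ("abc" + i = i). Enough
// additions force the object's property storage to be normalized, which is
// the path the reported slow assert fires on.
function addNamedProperties(target, count, prefix) {
  for (let i = 0; i < count; i++) {
    target[prefix + i] = i;
  }
  return target;
}

// Verifies that every property written by addNamedProperties is an own
// property holding the value written. Returns the number of verified
// properties, or -1 at the first missing or mismatched key.
function verifyNamedProperties(target, count, prefix) {
  let verified = 0;
  for (let i = 0; i < count; i++) {
    const key = prefix + i;
    if (!Object.prototype.hasOwnProperty.call(target, key)) return -1;
    if (target[key] !== i) return -1;
    verified++;
  }
  return verified;
}

// Runs the pattern against several targets and returns a name -> verified
// count map. Int32Array is the constructor from the reduced testcase; the
// others are added to show the same storm on a different builtin, an
// ordinary user-defined JSFunction, and a non-function object.
function runRegression(count = 100) {
  const prefix = "abc";
  const targets = {
    Int32Array: Int32Array,
    Float64Array: Float64Array,
    userFunction: function f() {},
    plainObject: {},
  };
  const results = {};
  for (const [name, target] of Object.entries(targets)) {
    addNamedProperties(target, count, prefix);
    results[name] = verifyNamedProperties(target, count, prefix);
  }
  return results;
}

// Stand-alone run (d8 or node): prints one line per target.
for (const [name, n] of Object.entries(runRegression())) {
  console.log(name + ": " + (n < 0 ? "MISMATCH" : n + " properties verified"));
}
```

Running this under d8 requires the same flag the reporter used (--enable-slow-asserts) on a debug build to reach the CHECK; on a release build or a fixed revision it simply completes and reports 100 verified properties per target.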

Comment 2 by titzer@chromium.org, Feb 28 2017

Labels: -Pri-1 Pri-2

Comment 3 by bugdroid1@chromium.org, Mar 1 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e003d21d4a2e5cc13e3dd1e265c96d89e2c3f773

commit e003d21d4a2e5cc13e3dd1e265c96d89e2c3f773
Author: Igor Sheludko <ishell@chromium.org>
Date: Wed Mar 01 10:02:14 2017

[runtime] Properly handle null constructor case when feeding back normalization.

BUG= chromium:697017 

Change-Id: Ibb7165387a983987dcd04be330591b6bb70ff991
Reviewed-on: https://chromium-review.googlesource.com/448217
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43507}
[modify] https://crrev.com/e003d21d4a2e5cc13e3dd1e265c96d89e2c3f773/src/objects.cc
[add] https://crrev.com/e003d21d4a2e5cc13e3dd1e265c96d89e2c3f773/test/mjsunit/regress/regress-crbug-697017.js

Status: Fixed (was: Assigned)

Comment 5 by ClusterFuzz, Mar 1 2017

ClusterFuzz has detected this issue as fixed in range 43506:43507.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5448912690479104

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()) in objects-i
  
Sanitizer: address (ASAN)

Regressed: V8: 43451:43452
Fixed: V8: 43506:43507

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97-0W0H2i1fNABt1Au5BFsYt4z1t5q1V9F3ElGiqfk0p7SIcuy30eQHQsh0pW7gcZCPdvOX9ENk3CgH9QuygYHkHNfDP4WhVWO4GWVgUFOlvhxlntUaOrbJoDHxBkfmktLPxkz-5R3N27uwwen7HYDSGQdeLdepv4R-LCKPL8Nqpc1iQBd6RX6cLSTaYsmFaWItOQEUZG6m4CzjHHJSbwwhM77vfuwoVe56hA2s3HaLHNYKAKr7MZ7hSsWf6ju1oJJ7DJ_kqnwDGTqEnBiVu3mM4PmToqVpbKpXYAciyQx0J9ugC4ozAYft_G2D4w1dkuxAMfn-ex1Eqo4iqTf79NIiwnfmLyVhhWHk01mBU8f2xXWTXp0?testcase_id=5448912690479104


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
