Issue 700678

Issue metadata

Status: Fixed
Closed: Mar 2017
OS: Linux
Pri: 1
Type: Bug

V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt

Project Member Reported by ClusterFuzz, Mar 11 2017

Issue description

Cc: bmeu...@chromium.org ishell@chromium.org mstarzinger@chromium.org
Status: Available (was: Untriaged)
// Interesting, seems to be very allocation sensitive. The repro requires all the fuzzer preamble JS files (found also in tools/foozzie), probably to get a certain number of allocations. Also only repros if the file names are passed using absolute paths. I can get it to differ by commenting in/out the first line. Use as repro.js:

// __PrettyPrint = 0
__v_6 = [];
__v_7 = {};
__v_8 = new Proxy({}, __v_7);
__v_7.get = function(t, trap) {
  return function() {
    __v_6.push([ ...arguments]);
    return Reflect[trap](...arguments);
  }
};
(function __f_6() {
  var __v_9 = [];
  var __v_10 = new Proxy(__v_9, __v_8);
  __v_9[15] = true;
  Object.preventExtensions(__v_9);
  print(Object.isFrozen(__v_10));
  print(__v_6[2]);
  __v_6.length = 0;
  gc();
  print(Object.isFrozen(__v_10));
})();

// Cmd line:
d8 --expose-gc --random-seed -156596008 --ignition-staging --turbo --always-opt /home/machenbach/Downloads/d8-linux-release-v8-component-43600/v8_mock.js /home/machenbach/Downloads/d8-linux-release-v8-component-43600/v8_suppressions.js /home/machenbach/Downloads/repro.js


// Output with repro as is:
false
,,,,,,,,,,,,,,,true,15
/home/machenbach/Downloads/repro.js:20: TypeError: 'ownKeys' on proxy: trap result did not include '15'
  print(Object.isFrozen(__v_10));


// Output with first line commented in:
false
,,,,,,,,,,,,,,,true,15
false

Cc: rossberg@chromium.org
+clusterfuzz sheriff, please help triaging.
Cc: -mstarzinger@chromium.org cbruni@chromium.org
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)
Underlying issue is KeyAccumulator::CollectOwnJSProxyKeys using an identity map on non-internalized strings. I will cook up a fix. Simplified repro ...

function ownKeys(x) {
  return ["23", "length"];
}

(function testNonConfigurable() {
  var target = [];
  var proxy = new Proxy(target, {ownKeys:ownKeys});
  Object.defineProperty(target, "23", {value:true});
  print(Object.getOwnPropertyNames(proxy));
})();

(function testPreventExtension() {
  var target = [];
  var proxy = new Proxy(target, {ownKeys:ownKeys});
  target[23] = true;
  Object.preventExtensions(target);
  print(Object.getOwnPropertyNames(proxy));
})();
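The invariant the engine got wrong here is the ownKeys trap check from the ECMAScript Proxy [[OwnPropertyKeys]] algorithm: every non-configurable own key of the target must appear in the trap result, and a non-extensible target's keys must be matched exactly. The following is an added example, not code from the bug thread or from V8: a reference implementation of that check in plain JavaScript that compares keys by value rather than by object identity (the comparison the fix restores), run against the simplified repro above and against the "did not include '15'" failure from the original repro. Function names are my own.

```javascript
// Reference implementation of the ECMAScript Proxy [[OwnPropertyKeys]] invariant
// checks. Keys are compared by value (Set membership), as the V8 fix restores.
function checkOwnKeysInvariants(target, trapResult) {
  const unchecked = new Set();
  for (const key of trapResult) {
    if (typeof key !== "string" && typeof key !== "symbol") throw new TypeError("'ownKeys' on proxy: non-property key");
    if (unchecked.has(key)) throw new TypeError(`'ownKeys' on proxy: duplicate key '${String(key)}'`);
    unchecked.add(key);
  }
  const missing = (k) => new TypeError(`'ownKeys' on proxy: trap result did not include '${String(k)}'`);
  const configurable = [];
  for (const k of Reflect.ownKeys(target)) {
    if (Object.getOwnPropertyDescriptor(target, k).configurable) { configurable.push(k); continue; }
    // Every non-configurable own key of the target must be reported by the trap.
    if (!unchecked.has(k)) throw missing(k);
    unchecked.delete(k);
  }
  if (Object.isExtensible(target)) return [...trapResult];
  // Non-extensible target: the trap must report exactly the target's own keys.
  for (const k of configurable) {
    if (!unchecked.has(k)) throw missing(k);
    unchecked.delete(k);
  }
  if (unchecked.size !== 0) throw new TypeError("'ownKeys' on proxy: trap reported extra keys");
  return [...trapResult];
}

// Simplified repro from the thread: index 23 set on an array target that is then
// made non-extensible. Both the reference check and the engine must accept it.
function simplifiedRepro() {
  const target = [];
  target[23] = true;
  Object.preventExtensions(target);
  const ownKeys = () => ["23", "length"];
  const reference = checkOwnKeysInvariants(target, ownKeys());
  const engine = Object.getOwnPropertyNames(new Proxy(target, { ownKeys }));
  return { reference, engine };
}

// Failure mode from the original repro's error message: a trap that omits index
// key "15" of a non-extensible target must be rejected with a TypeError.
function omittedKeyIsRejected() {
  const target = [];
  target[15] = true;
  Object.preventExtensions(target);
  try { checkOwnKeysInvariants(target, ["length"]); return false; }
  catch (e) { return e instanceof TypeError && e.message.includes("did not include '15'"); }
}
```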
Comment 4 by bugdroid1@chromium.org (Project Member), Mar 14 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3b597bb7014f99f4278adc89755fe132fedf2846

commit 3b597bb7014f99f4278adc89755fe132fedf2846
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue Mar 14 11:19:28 2017

[runtime] Fix KeyAccumulator for non-internalized keys.

This fixes a corner-case in {KeyAccumulator::CollectOwnJSProxyKeys}
where the keys returned by {JSReceiver::OwnPropertyKeys} for an array
are not internalized and hence have a diverging identity from keys
returned by the "ownKeys" trap of a proxy.

R=cbruni@chromium.org
TEST=mjsunit/regress/regress-crbug-700678
BUG= chromium:700678 

Change-Id: I5efd012eade14bd45c69e4abb0aeda684baf38f0
Reviewed-on: https://chromium-review.googlesource.com/452979
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43775}
[modify] https://crrev.com/3b597bb7014f99f4278adc89755fe132fedf2846/src/keys.cc
[add] https://crrev.com/3b597bb7014f99f4278adc89755fe132fedf2846/test/mjsunit/regress/regress-crbug-700678.js

Status: Fixed (was: Assigned)
Comment 6 by ClusterFuzz (Project Member), Mar 15 2017

ClusterFuzz has detected this issue as fixed in range 43774:43775.

Detailed report: https://clusterfuzz.com/testcase?key=6228351107989504

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: 661
  
Sanitizer: address (ASAN)

Regressed: V8: 43348:43349
Fixed: V8: 43774:43775

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94yBDLzmNWr28XrJMZoQMjv-P5GYWPZ9GNwRibzNPaGWJYJZrReHFEOyISFecXRrT9HwmgGgELHgvr-7fMQWqYmDvmFcgd8_Rxy-SH-CEuuup-WMGQSIItPo8u7gTN3gsw34weZpNS9UIdMF-7NZVUKFcw8Cg8RhjOHqTAmjFItl21xJT2rYGzE9uCW09vSkWi5pRAaGgc332uGXkz7WWVynpVPsXbO7drnr-KjG42vXsYHrbrtvgr0uN4XqQMLgfdbBS0wC6SDZoja5GNMcRQ5lLhXvnzxXFiy8-E74DgCfRXtTfrBvHAcAODQ5zAw9nkR2SHYVQqmek8Cr6wT3BVKKz5-Qsbe5_YwDF69yuFcJpkxeFk?testcase_id=6228351107989504


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.