
Issue 707364

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug-Regression

crypto/subtle/neuter-encrypt-data-during-normalization.html fails on ASAN

Project Member Reported by caseq@chromium.org, Mar 31 2017

Issue description

First failure: https://build.chromium.org/p/chromium.webkit/builders/WebKit%20Linux%20Trusty%20ASAN/builds/1688

This includes v8 roll: https://chromium.googlesource.com/v8/v8/+log/8a227fac..ce02252c

Details:
09:31:49.219 32294 worker/5 crypto/subtle/neuter-encrypt-data-during-normalization.html crashed, (stderr lines):
09:31:49.219 32294   =================================================================
09:31:49.219 32294   ==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000232760 at pc 0x0000004d6e45 bp 0x7ffe912eea70 sp 0x7ffe912ee220
09:31:49.219 32294   READ of size 64 at 0x606000232760 thread T0 (content_shell)
09:31:49.219 32294       #0 0x4d6e44 in __asan_memcpy ??:0:0
09:31:49.219 32294       #1 0x136e4ad in v8::internal::libc_memcpy(void*, void const*, unsigned long) v8/src/assembler.cc:1549:10
09:31:49.219 32294       #2 0x7f30ece3d3d3  (<unknown module>)
09:31:49.219 32294       #3 0x7f30ece90f65  (<unknown module>)
09:31:49.219 32294       #4 0x7f30ece5437b  (<unknown module>)
09:31:49.219 32294       #5 0x7f30ece90549  (<unknown module>)
09:31:49.219 32294       #6 0x7f30ece5437b  (<unknown module>)
09:31:49.219 32294       #7 0x7f30ecd85a7a  (<unknown module>)
09:31:49.219 32294       #8 0x7f30ecd8548a  (<unknown module>)
09:31:49.219 32294       #9 0x7f30ece9178d  (<unknown module>)
09:31:49.219 32294       #10 0x7f30ece5437b  (<unknown module>)
09:31:49.219 32294       #11 0x7f30ece9041b  (<unknown module>)
09:31:49.219 32294       #12 0x7f30ece5437b  (<unknown module>)
09:31:49.219 32294       #13 0x7f30ece8fd67  (<unknown module>)
09:31:49.219 32294       #14 0x7f30ece5437b  (<unknown module>)
09:31:49.219 32294       #15 0x7f30ece1e187  (<unknown module>)
09:31:49.219 32294       #16 0x7f30ece53638  (<unknown module>)
09:31:49.219 32294       #17 0x7f30ecdabcec  (<unknown module>)
09:31:49.220 32294       #2 0x1e4c4af in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling) v8/src/execution.cc:145:13
09:31:49.220 32294       #3 0x1e4ccbc in CallInternal v8/src/execution.cc:181:10
09:31:49.220 32294       #4 0x1e4ccbc in v8::internal::Execution::TryCall(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Execution::MessageHandling, v8::internal::MaybeHandle<v8::internal::Object>*) v8/src/execution.cc:233:0
09:31:49.220 32294       #5 0x217d5dc in v8::internal::Isolate::PromiseReactionJob(v8::internal::Handle<v8::internal::PromiseReactionJobInfo>, v8::internal::MaybeHandle<v8::internal::Object>*, v8::internal::MaybeHandle<v8::internal::Object>*) v8/src/isolate.cc:3410:15
09:31:49.220 32294       #6 0x217fd3a in v8::internal::Isolate::RunMicrotasksInternal() v8/src/isolate.cc:3482:5
09:31:49.220 32294       #7 0x217c73d in v8::internal::Isolate::RunMicrotasks() v8/src/isolate.cc:3463:3
09:31:49.220 32294
09:31:49.220 32294   0x606000232760 is located 0 bytes inside of 64-byte region [0x606000232760,0x6060002327a0)
09:31:49.220 32294   freed by thread T0 (content_shell) here:
09:31:49.220 32294       #0 0x4ecee2 in __interceptor_free ??:0:0
09:31:49.220 32294       #1 0xd38cdef in reset buildtools/third_party/libc++/trunk/include/memory:2735:13
09:31:49.220 32294       #2 0xd38cdef in ~DataHolder third_party/WebKit/Source/platform/wtf/typed_arrays/ArrayBufferContents.cpp:147:0
09:31:49.220 32294       #3 0xd38cdef in deref third_party/WebKit/Source/platform/wtf/ThreadSafeRefCounted.h:75:0
09:31:49.220 32294       #4 0xd38cdef in derefIfNotNull<WTF::ArrayBufferContents::DataHolder> third_party/WebKit/Source/platform/wtf/PassRefPtr.h:64:0
09:31:49.220 32294       #5 0xd38cdef in ~RefPtr third_party/WebKit/Source/platform/wtf/RefPtr.h:70:0
09:31:49.221 32294       #6 0xd38cdef in WTF::ArrayBufferContents::~ArrayBufferContents() third_party/WebKit/Source/platform/wtf/typed_arrays/ArrayBufferContents.cpp:86:0
09:31:49.221 32294       #7 0x7f60b11 in destruct third_party/WebKit/Source/platform/wtf/Vector.h:86:13
09:31:49.221 32294       #8 0x7f60b11 in destruct third_party/WebKit/Source/platform/wtf/Vector.h:302:0
09:31:49.221 32294       #9 0x7f60b11 in finalize third_party/WebKit/Source/platform/wtf/Vector.h:1220:0
09:31:49.221 32294       #10 0x7f60b11 in ~ConditionalDestructor third_party/WebKit/Source/platform/wtf/ConditionalDestructor.h:20:0
09:31:49.221 32294       #11 0x7f60b11 in operator() buildtools/third_party/libc++/trunk/include/memory:2529:0
09:31:49.221 32294       #12 0x7f60b11 in reset buildtools/third_party/libc++/trunk/include/memory:2735:0
09:31:49.221 32294       #13 0x7f60b11 in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2703:0
09:31:49.221 32294       #14 0x7f60b11 in blink::SerializedScriptValue::~SerializedScriptValue() third_party/WebKit/Source/bindings/core/v8/SerializedScriptValue.cpp:134:0
09:31:49.221 32294       #15 0xd767222 in deref third_party/WebKit/Source/platform/wtf/ThreadSafeRefCounted.h:75:7
09:31:49.221 32294       #16 0xd767222 in derefIfNotNull<blink::SerializedScriptValue> third_party/WebKit/Source/platform/wtf/PassRefPtr.h:64:0
09:31:49.221 32294       #17 0xd767222 in ~RefPtr third_party/WebKit/Source/platform/wtf/RefPtr.h:70:0
09:31:49.221 32294       #18 0xd767222 in blink::V8Window::postMessageMethodCustom(v8::FunctionCallbackInfo<v8::Value> const&) third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp:292:0
09:31:49.221 32294       #19 0x1238063 in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) v8/src/api-arguments.cc:25:3
09:31:49.221 32294       #20 0x142d800 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:111:36
09:31:49.221 32294       #21 0x142ac5c in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:140:5
09:31:49.222 32294

09:31:49.222 32294   previously allocated by thread T0 (content_shell) here:
09:31:49.222 32294       #0 0x4ed213 in __interceptor_malloc ??:0:0
09:31:49.222 32294       #1 0xd38db34 in PartitionAllocGenericFlags base/allocator/partition_allocator/partition_alloc.h:786:18
09:31:49.222 32294       #2 0xd38db34 in allocateMemoryWithFlags third_party/WebKit/Source/platform/wtf/typed_arrays/ArrayBufferContents.cpp:113:0
09:31:49.222 32294       #3 0xd38db34 in WTF::ArrayBufferContents::allocateMemoryOrNull(unsigned long, WTF::ArrayBufferContents::InitializationPolicy) third_party/WebKit/Source/platform/wtf/typed_arrays/ArrayBufferContents.cpp:123:0
09:31:49.222 32294       #4 0x2325462 in v8::internal::JSTypedArray::MaterializeArrayBuffer(v8::internal::Handle<v8::internal::JSTypedArray>) v8/src/objects.cc:19507:42
09:31:49.222 32294       #5 0x81046c3 in blink::V8Uint8Array::toImpl(v8::Local<v8::Object>) /b/c/b/linux_layout/src/out/Release/gen/blink/bindings/core/v8/V8Uint8Array.cpp:56:47
09:31:49.222 32294       #6 0x8010bea in blink::V8ArrayBufferView::toImpl(v8::Local<v8::Object>) /b/c/b/linux_layout/src/out/Release/gen/blink/bindings/core/v8/V8ArrayBufferView.cpp:80:12
09:31:49.222 32294       #7 0x8679539 in blink::V8ArrayBufferOrArrayBufferView::toImpl(v8::Isolate*, v8::Local<v8::Value>, blink::ArrayBufferOrArrayBufferView&, blink::UnionTypeConversionMode, blink::ExceptionState&) /b/c/b/linux_layout/src/out/Release/gen/blink/bindings/core/v8/ArrayBufferOrArrayBufferView.cpp:80:36
09:31:49.222 32294       #8 0xa94e582 in encryptMethod /b/c/b/linux_layout/src/out/Release/gen/blink/bindings/modules/v8/V8SubtleCrypto.cpp:97:3
09:31:49.222 32294       #9 0xa94e582 in blink::V8SubtleCrypto::encryptMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) /b/c/b/linux_layout/src/out/Release/gen/blink/bindings/modules/v8/V8SubtleCrypto.cpp:594:0
09:31:49.222 32294       #10 0x1238063 in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) v8/src/api-arguments.cc:25:3
09:31:49.222 32294       #11 0x142d800 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:111:36
09:31:49.222 32294       #12 0x142ac5c in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:140:5

Comment 1 by eroman@chromium.org, Mar 31 2017

Labels: -Type-Bug -Pri-3 Pri-2 Type-Bug-Regression
Owner: petermarshall@chromium.org
Status: Assigned (was: Untriaged)
Peter, could you take a look?

Seems related to your changes to TypedArrays in that v8 roll.

Thanks!
Status: Started (was: Assigned)

Project Member Comment 3 by bugdroid1@chromium.org, Apr 3 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c5ad59f4d4afdd849bcb4fe74894e18cdafd27de

commit c5ad59f4d4afdd849bcb4fe74894e18cdafd27de
Author: Peter Marshall <petermarshall@chromium.org>
Date: Mon Apr 03 12:45:22 2017

[builtins] Use length field in TypedArrayConstructByArrayLike.

The byte_length field of the TypedArray is not set to 0 on neutering,
but JSArrayBufferView::byte_length() returns 0 if WasNeutered() is
true. We should use the length property here instead.

We can just short-circuit if the length is 0. Added checks to the
memcpy path that assert length and neutered status are sane.

Bug: chromium:707472, chromium:707595, chromium:707364, chromium:707410

Change-Id: Ia1dec53f175357673012cbbc5e2fc40207e03623
Reviewed-on: https://chromium-review.googlesource.com/465987
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44336}
[modify] https://crrev.com/c5ad59f4d4afdd849bcb4fe74894e18cdafd27de/src/builtins/builtins-typedarray-gen.cc
[add] https://crrev.com/c5ad59f4d4afdd849bcb4fe74894e18cdafd27de/test/mjsunit/regress-707410.js
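
The commit message above gives the root cause: a neutered view keeps its stale byte_length field while the byte_length() accessor already reports 0, so a copy that trusts the raw field reads freed memory. The following C model is an added example, not V8's or Blink's code; the TypedArrayView struct and the view_*/copy_* function names are constructed for illustration. It places the field-trusting copy beside the neuter-aware version the fix adopts (length check, short-circuit on 0, assertion before memcpy).

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not V8/Blink code: a typed-array view whose backing
 * store can be neutered (detached), e.g. when its ArrayBuffer is
 * transferred with postMessage. Neutering frees the store but leaves the
 * cached byte_length field stale, the precondition in the commit message. */
typedef struct {
    uint8_t *backing_store;  /* left dangling after neutering on purpose */
    size_t byte_length;      /* raw field: NOT zeroed on neutering */
    int neutered;
} TypedArrayView;

TypedArrayView *view_create(size_t n) {
    TypedArrayView *v = calloc(1, sizeof *v);
    v->backing_store = malloc(n);
    memset(v->backing_store, 0xAB, n);     /* constructed sample contents */
    v->byte_length = n;
    return v;
}

void view_neuter(TypedArrayView *v) {
    free(v->backing_store);
    v->neutered = 1;                       /* byte_length deliberately untouched */
}

/* Mirrors the accessor behaviour the commit describes: 0 once neutered. */
size_t view_byte_length(const TypedArrayView *v) {
    return v->neutered ? 0 : v->byte_length;
}

/* Pre-fix pattern: trusts the raw field. On a neutered source the memcpy
 * reads freed memory, which is the heap-use-after-free ASan reported. */
size_t copy_unsafe(const TypedArrayView *src, uint8_t *dst) {
    memcpy(dst, src->backing_store, src->byte_length);  /* BUG if neutered */
    return src->byte_length;
}

/* Post-fix pattern: neuter-aware length, short-circuit on 0, and an
 * assertion that length and neutered status agree before the memcpy. */
size_t copy_safe(const TypedArrayView *src, uint8_t *dst) {
    size_t len = view_byte_length(src);
    if (len == 0) return 0;
    assert(!src->neutered && src->backing_store != NULL);
    memcpy(dst, src->backing_store, len);
    return len;
}
```

copy_unsafe is shown only for contrast and must never be called on a neutered view; copy_safe returns 0 for such a view without touching the freed store.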

Status: Fixed (was: Started)
Looks green again with that fix.