V8 correctness failure in configs: x64,ignition:arm,ignition
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5427600752377856

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:arm,ignition
  sources: 9ef

Sanitizer: address (ASAN)

Regressed: V8: 43152:43153

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94JWdldF2fTz-9tYvRfAXoDhn6heP3eRFHKqxKHgB-RPYqm8BWSRfAhtB73ELc14Ok1WY0JlC52BhFDm9WeclBRccmx3qdVEEtcY39tqHa42Ei46ioaHIT_PyExM6VBJFP8JJV3TwSPDdHCXBBA4BXtWlmu6L6VJaawFjSci3xa9R2F2bh5INInHywcNZr6NplBuoX7Ci985IX29T7qBtOsTFovCctZKNCpFa0iy9V-8xi8r_IqYGZJMSgxMYV6vm27x46D3PGRD31qEXn40vZEqNjsTwrfF7pSCYj-3ojAyehRZ0TC1zIu2C_uec9BZ5JzsFkubp2NbSrv3VbFT_rn3dfUDDsYGpCvkJA02TTdqeXBrKy9U4W6FxPnlwC-4eJCVvDi7N78v0M8p66E07fTT3iHhw?testcase_id=5427600752377856

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 13 2017
An architecture-independent way to reproduce this is:

// assertThrows comes from V8's mjsunit test harness; this stand-in lets the repro run outside it.
function assertThrows(fn) { try { fn(); } catch (e) { return; } throw new Error("did not throw"); }

var thrower = { [Symbol.toPrimitive] : function() { throw "I was called!" } };
var heap_number = 4.2;
var smi_number = 23;
assertThrows(() => heap_number.hasOwnProperty(thrower));
// On the regressed build this second assertion fails: the Smi fast path never calls the hook.
assertThrows(() => smi_number.hasOwnProperty(thrower));
Apr 13 2017
This was introduced by bc8f9a78f05c7a9dce0a112835d797d8082749eb. The problem is the fast case in {Generate_ObjectHasOwnProperty} documented with "Smi receivers do not have own properties" which skips the observable side-effect of converting the property name to a primitive.
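An added illustration of the ordering problem described in the comment above (example code written for this page, not the bug tracker's or V8's own): a spec-ordered hasOwnProperty beside a model of the regressed Smi shortcut, plus a probe that reports whether the running engine converts the key. The 31-bit vs 32-bit Smi range parameter is an assumption used to model the ia32/x64 divergence, and the "regressed" function is an illustration, not V8's actual fast path.

```javascript
// Added example, not code from the bug tracker or from V8. ES2017 19.1.3.2
// orders Object.prototype.hasOwnProperty as ToPropertyKey(V) first (which
// may run the key's @@toPrimitive hook), then ToObject(this).

// ToPropertyKey: ToPrimitive(v, hint "string"); a Symbol result stays a
// Symbol, anything else goes through ToString.
function toPropertyKey(v) {
  if (v !== null && (typeof v === "object" || typeof v === "function")) {
    const hook = v[Symbol.toPrimitive];
    if (hook !== undefined && hook !== null) {
      v = hook.call(v, "string");
      if (v !== null && typeof v === "object") {
        throw new TypeError("@@toPrimitive must return a primitive");
      }
    }
    // no hook: String(v) below performs OrdinaryToPrimitive, hint "string"
  }
  return typeof v === "symbol" ? v : String(v);
}

// Spec-ordered hasOwnProperty: the key is converted strictly before the
// receiver is boxed, so a throwing hook throws for 23 and 4.2 alike.
function specHasOwnProperty(receiver, v) {
  const key = toPropertyKey(v);
  if (receiver === null || receiver === undefined) {
    throw new TypeError("Cannot convert undefined or null to object");
  }
  return Object.getOwnPropertyDescriptor(Object(receiver), key) !== undefined;
}

// Model of the regressed shortcut (illustration only, not V8's code): an
// integer in Smi range is answered before the key is converted. Smis are
// 31-bit on ia32/arm and were 32-bit on x64, hence the -1073741825 split.
function regressedHasOwnProperty(receiver, v, smiBits = 31) {
  const max = 2 ** (smiBits - 1) - 1;
  if (Number.isInteger(receiver) && receiver >= -max - 1 && receiver <= max) {
    return false; // ToPropertyKey skipped: the observable side effect is lost
  }
  return specHasOwnProperty(receiver, v);
}

// Runtime probe: true when the engine's own hasOwnProperty ran the hook,
// which a compliant engine reports for every kind of receiver.
function keyConversionObserved(receiver) {
  let called = false;
  const key = { [Symbol.toPrimitive]: () => { called = true; return "p"; } };
  Object.prototype.hasOwnProperty.call(receiver, key);
  return called;
}
```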
May 16 2017
ClusterFuzz has detected this issue as fixed in range 45316:45317.

Detailed report: https://clusterfuzz.com/testcase?key=5427600752377856

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:arm,ignition
  sources: 9ef

Sanitizer: address (ASAN)

Regressed: V8: 43152:43153
Fixed: V8: 45316:45317

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5427600752377856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 16 2017
ClusterFuzz testcase 5427600752377856 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 9 2017
ClusterFuzz has detected this issue as fixed in range 45789:45790.

Detailed report: https://clusterfuzz.com/testcase?key=5427600752377856

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:arm,ignition
  sources: 9ef

Sanitizer: address (ASAN)

Regressed: V8: 43152:43153
Fixed: V8: 45789:45790

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5427600752377856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/bada4ecc51f61a7287a4e8ddfe5a6a3d6ca3f48f

commit bada4ecc51f61a7287a4e8ddfe5a6a3d6ca3f48f
Author: Adam Klein <adamk@chromium.org>
Date: Fri Jul 07 15:21:14 2017

Merged: Squashed multiple commits.

Merged: [builtins] Make sure to perform ToPrimitive(key, hint string) in hasOwnProperty even if the receiver is a smi.
Revision: fe048410f86f596bd72c0fc456be6021abaa3974

Merged: Fix HasOwnProperty stub for interceptors
Revision: 347e6215c5246ac0347b6fa9a8d0081d164ad1b3

TBR=cbruni@chromium.org
BUG=chromium:707580, chromium:735990
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
Change-Id: Ic0c068fbea8e5a3e8c00aba0da3299d9d180dcb6
Reviewed-on: https://chromium-review.googlesource.com/563540
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.0@{#57}
Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1}
Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439}

[modify] https://crrev.com/bada4ecc51f61a7287a4e8ddfe5a6a3d6ca3f48f/src/builtins/builtins-object-gen.cc
[modify] https://crrev.com/bada4ecc51f61a7287a4e8ddfe5a6a3d6ca3f48f/test/cctest/test-api.cc
[add] https://crrev.com/bada4ecc51f61a7287a4e8ddfe5a6a3d6ca3f48f/test/mjsunit/regress/regress-crbug-707580.js
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by machenb...@chromium.org, Apr 3 2017
Status: Available (was: Untriaged)

PTAL (32 vs 64 bits).

Repro:
y = {};
y[Symbol.toPrimitive] = function() { boom; };
x = -1073741825;
x.hasOwnProperty(y);

Output:
# Compared x64,ignition with ia32,ignition
#
# Flags of x64,ignition: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo-filter=~ --hydrogen-filter=~ --nocrankshaft
# Flags of ia32,ignition: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo-filter=~ --hydrogen-filter=~ --nocrankshaft
#
# Difference:
+ ./repro.js:3: ReferenceError: boom is not defined
#
### Start of configuration x64,ignition:

### End of configuration x64,ignition
#
### Start of configuration ia32,ignition:
./repro.js:3: ReferenceError: boom is not defined
y[Symbol.toPrimitive] = function() { boom; };
                                     ^
### End of configuration ia32,ignition