Direct-leak in InitializeModuleEmbedderData
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4673037258719232

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Direct-leak
Crash Address:
Crash State:
  InitializeModuleEmbedderData
  v8::Shell::CreateRealm
  v8::internal::FunctionCallbackArguments::Call

Sanitizer: address (ASAN)

Regressed: V8: 44629:44630

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94fVvIChf030Wsrz2t5JrDfkXcUiLCeRg6dX7UEIkf3hnIpPtWzOFrLIv_qf8sPlxz6P4XJX6Xy9czNkxI98dDeLorGqzmDCxZX8vmoLn3f3msxM62u55vgu7uY4YGUDxse46BL59TcpiGADe0Ik9EAcHFAQTve8olZSkhhJleWvdz2Fk1hs_zAyyMoX9-w3-dc60cMTOnDbq55MtEla0ykl4vQCV7GCyBPIwZETi4Umq68LIkRYaLUntZfk10UdC07ZlKUerkvY04vDF6u76MBoIJtdK9CQWsnqxw0Q87lvntl4ryTg-ayXPMUCzOSrckdaej9PU8s6AOxUhYXXQsHLrsOMKlB-JAVGUbhQ_4oX6SH84A?testcase_id=4673037258719232

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/484d25d4dfb9f1376896b641581d4a5d0a69e074

commit 484d25d4dfb9f1376896b641581d4a5d0a69e074
Author: Sathya Gunasekaran <gsathya@chromium.org>
Date: Thu Apr 13 21:52:28 2017

[d8] Fix leak in InitializeModuleEmbedderData

If the current context is overwritten by doing Realm.navigate(0) we fail to delete the module embedder data from the correct current context, because we have a handle to the old context which was already cleaned up by calling DisposeRealm in RealmNavigate.

This patch disallows navigation to the first realm.

Bug: chromium:711165
Change-Id: I6b9d3187367dae9d1fe38c0efa361d461c94c917
Reviewed-on: https://chromium-review.googlesource.com/476970
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44656}

[modify] https://crrev.com/484d25d4dfb9f1376896b641581d4a5d0a69e074/src/d8.cc
[add] https://crrev.com/484d25d4dfb9f1376896b641581d4a5d0a69e074/test/mjsunit/regress/regress-711165.js
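An added illustration, not code from d8 or from the commit above: a simplified C++ model of the realm bookkeeping the commit message describes. The class and method names (ToyShell, NavigateRealm, Shutdown) and the split between table-driven teardown of secondary realms and handle-driven teardown of realm 0 are assumptions of the model. Only the mechanism comes from the commit message: a handle to realm 0 saved at startup keeps pointing at a context that Realm.navigate(0) has already disposed, so the replacement context's module embedder data is never freed, and refusing navigation to the first realm closes the hole.

```cpp
#include <cstddef>
#include <map>
#include <stdexcept>
#include <vector>

// Stands in for the heap block d8 allocates per context for module bookkeeping.
struct ModuleEmbedderData {
  int owning_context;
};

// Toy model of the shell (assumed names; not d8's classes).
class ToyShell {
 public:
  // disallow_navigate_first_realm == true models the behaviour after the fix.
  explicit ToyShell(bool disallow_navigate_first_realm)
      : disallow_navigate_first_realm_(disallow_navigate_first_realm) {
    // Startup: create the first context, keep a handle to it, make it realm 0.
    main_context_ = CreateContext();
    realms_.push_back(main_context_);
  }

  // Realm.create(): a new context with its own embedder data; returns its index.
  int CreateRealm() {
    realms_.push_back(CreateContext());
    return static_cast<int>(realms_.size()) - 1;
  }

  // Realm.navigate(i): dispose the realm's current context, install a fresh one.
  void NavigateRealm(int index) {
    if (index < 0 || static_cast<std::size_t>(index) >= realms_.size()) {
      throw std::out_of_range("bad realm index");
    }
    if (disallow_navigate_first_realm_ && index == 0) {
      // The fix: realm 0 is the context main_context_ refers to, so refuse.
      throw std::invalid_argument("Realm.navigate(0) is not allowed");
    }
    DisposeContext(realms_[index]);    // DisposeRealm: frees the old context's data
    realms_[index] = CreateContext();  // new context, new embedder data
    // If index == 0, main_context_ now names a context that no longer exists.
  }

  // Shutdown: secondary realms are torn down through the realm table, but
  // realm 0 is torn down through the handle saved at startup. This split is a
  // modelling assumption that reproduces the mechanism in the commit message.
  void Shutdown() {
    for (std::size_t i = 1; i < realms_.size(); ++i) DisposeContext(realms_[i]);
    DisposeContext(main_context_);
    realms_.clear();
  }

  // Embedder-data blocks still alive. Anything left after Shutdown() is the
  // kind of allocation LeakSanitizer reports as a "Direct-leak".
  std::size_t LiveEmbedderDataCount() const { return embedder_data_.size(); }

 private:
  int CreateContext() {
    int ctx = next_context_id_++;
    InitializeModuleEmbedderData(ctx);
    return ctx;
  }
  void InitializeModuleEmbedderData(int ctx) {
    embedder_data_[ctx] = ModuleEmbedderData{ctx};
  }
  // Erasing a key that is already gone is a silent no-op: a stale handle
  // frees nothing and reports nothing, which is why the leak is quiet.
  void DisposeContext(int ctx) { embedder_data_.erase(ctx); }

  bool disallow_navigate_first_realm_;
  int next_context_id_ = 1;
  int main_context_ = 0;
  std::vector<int> realms_;
  std::map<int, ModuleEmbedderData> embedder_data_;  // live blocks by context
};

// The reproducer shape: Realm.navigate(0), then shut the shell down.
// Returns the number of embedder-data blocks that were never freed.
std::size_t LeakedAfterNavigateFirstRealm(bool fixed) {
  ToyShell shell(fixed);
  try {
    shell.NavigateRealm(0);
  } catch (const std::invalid_argument&) {
    // Fixed build: navigation refused, main_context_ remains valid.
  }
  shell.Shutdown();
  return shell.LiveEmbedderDataCount();
}

// Control: navigating a secondary realm was never the problem.
std::size_t LeakedAfterNavigateSecondRealm(bool fixed) {
  ToyShell shell(fixed);
  int second = shell.CreateRealm();
  shell.NavigateRealm(second);
  shell.Shutdown();
  return shell.LiveEmbedderDataCount();
}
```

In the unfixed model LeakedAfterNavigateFirstRealm(false) returns 1: the block belonging to the replacement realm 0 is still alive after Shutdown(), because the saved handle disposes a context that DisposeRealm already tore down. With the fix in place the same scenario returns 0, and navigating a secondary realm returns 0 in both variants.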
Apr 14 2017
ClusterFuzz has detected this issue as fixed in range 44655:44656.

Detailed report: https://clusterfuzz.com/testcase?key=4673037258719232

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Direct-leak
Crash Address:
Crash State:
  InitializeModuleEmbedderData
  v8::Shell::CreateRealm
  v8::internal::FunctionCallbackArguments::Call

Sanitizer: address (ASAN)

Regressed: V8: 44629:44630
Fixed: V8: 44655:44656

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94fVvIChf030Wsrz2t5JrDfkXcUiLCeRg6dX7UEIkf3hnIpPtWzOFrLIv_qf8sPlxz6P4XJX6Xy9czNkxI98dDeLorGqzmDCxZX8vmoLn3f3msxM62u55vgu7uY4YGUDxse46BL59TcpiGADe0Ik9EAcHFAQTve8olZSkhhJleWvdz2Fk1hs_zAyyMoX9-w3-dc60cMTOnDbq55MtEla0ykl4vQCV7GCyBPIwZETi4Umq68LIkRYaLUntZfk10UdC07ZlKUerkvY04vDF6u76MBoIJtdK9CQWsnqxw0Q87lvntl4ryTg-ayXPMUCzOSrckdaej9PU8s6AOxUhYXXQsHLrsOMKlB-JAVGUbhQ_4oX6SH84A?testcase_id=4673037258719232

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 14 2017
ClusterFuzz testcase 4673037258719232 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mstarzinger@chromium.org
Apr 13 2017
Owner: gsat...@chromium.org
Status: Assigned (was: Untriaged)