Crash in v8::internal::Invoke
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4594741179318272

Fuzzer: ifratric_acrojs
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000194a80080
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=463944:463968

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4594741179318272

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 24 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 24 2017

Apr 24 2017

Apr 25 2017

Apr 25 2017
A friendly reminder that M59 Beta launch is coming soon! Your bug is labelled as Release Block Beta. All fixes need to be merged into the release branch (3071) latest by tomorrow, 04/26 4:00 PM PT in order to make it into the desktop Beta final build cut. Thank you!
Apr 25 2017

Apr 25 2017
Applying the right labels for V8 CF sheriffs.
Apr 25 2017
Sec sev medium != RB-Beta.
Apr 26 2017
Michael, as V8 CF Sheriff, could you please help to triage this?
Apr 27 2017

May 1 2017
Hi clemensh - I believe you're the current V8 Clusterfuzz sheriff - are you able to take a look at this?
May 2 2017
Sorry for the delay. I will have a look tomorrow.
May 3 2017
I am able to reproduce the crash locally on several versions from April 7 to now. Still trying to find a "good" revision to start the bisect. Compilation takes a while...
May 4 2017
OK, it's the V8 roll to version 5.9.51 that introduced this crash. That was on March 16. Bisecting further inside the V8 CLs.
May 4 2017
Bisect nicely isolated this CL: 336d6e429cabbdf5f0f38637c9df1bf5c56acd55. Toon, please take a look.
May 4 2017
Oh, and the failing check in debug/optdebug builds is this:

#
# Fatal error in ../../v8/src/ic/ic.cc, line 1403
# Check failed: !holder->IsJSGlobalObject().
#

#0 0x7fc0c88e4e9b base::debug::StackTrace::StackTrace()
#1 0x7fc0c88e352c base::debug::StackTrace::StackTrace()
#2 0x7fc0c88e49af base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7fc0c8d69330 <unknown>
#4 0x7fc0b0db45b2 v8::base::OS::Abort()
#5 0x7fc0b9d00539 v8::internal::LoadIC::GetMapIndependentHandler()
#6 0x7fc0b9cfeb60 v8::internal::IC::ComputeHandler()
#7 0x7fc0b9cfc3aa v8::internal::LoadIC::UpdateCaches()
#8 0x7fc0b9cfba26 v8::internal::LoadIC::Load()
#9 0x7fc0b9d074c1 v8::internal::__RT_impl_Runtime_LoadIC_Miss()
#10 0x1892d3c84264 <unknown>
May 4 2017
The problem is that someone is leaking the global object into JS, which shouldn't happen. This sounds like a bug in pdfium. I'm adding support for this leaky case to avoid the crash in https://chromium-review.googlesource.com/c/496148/.
May 4 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/53e824d619092c1d5224650f1c8506296d08e8ed

commit 53e824d619092c1d5224650f1c8506296d08e8ed
Author: Toon Verwaest <verwaest@chromium.org>
Date: Thu May 04 16:13:28 2017

[ic] Don't crash if the global object leaks into the ICs

Bug: chromium:714580
Change-Id: I8969fb83c6c29eccb29fc1b4a9a35d7abb0ba0d6
Reviewed-on: https://chromium-review.googlesource.com/496148
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45102}

[modify] https://crrev.com/53e824d619092c1d5224650f1c8506296d08e8ed/src/counters.h
[modify] https://crrev.com/53e824d619092c1d5224650f1c8506296d08e8ed/src/ic/ic.cc
May 5 2017
ClusterFuzz has detected this issue as fixed in range 469616:469624.

Detailed report: https://clusterfuzz.com/testcase?key=4594741179318272

Fuzzer: ifratric_acrojs
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000194a80080
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=463944:463968
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=469616:469624

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4594741179318272

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 5 2017

May 6 2017

May 9 2017

May 9 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 12 2017
Please merge your change to M59 branch 3071 by 4:00 PM PT, Monday (05/15) so we can take it in for next week beta release. Thank you.
May 15 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/606d87636cc9e958d73da3f9b2b9ce89fd96f187

commit 606d87636cc9e958d73da3f9b2b9ce89fd96f187
Author: ishell@chromium.org <ishell@chromium.org>
Date: Mon May 15 15:23:27 2017

Merged: [ic] Don't crash if the global object leaks into the ICs

Revision: 53e824d619092c1d5224650f1c8506296d08e8ed

NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=cbruni@chromium.org

Bug: chromium:714580
Change-Id: I0113e0ccedd9261b4d1f96af24895e19a3b0b98b
Reviewed-on: https://chromium-review.googlesource.com/506091
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.9@{#51}
Cr-Branched-From: fe9bb7e6e251159852770160cfb21dad3cf03523-refs/heads/5.9.211@{#1}
Cr-Branched-From: 70ad23791a21c0dd7ecef8d4d8dd30ff6fc291f6-refs/heads/master@{#44591}

[modify] https://crrev.com/606d87636cc9e958d73da3f9b2b9ce89fd96f187/src/counters.h
[modify] https://crrev.com/606d87636cc9e958d73da3f9b2b9ce89fd96f187/src/ic/ic.cc
May 15 2017

Aug 12 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Apr 24 2017