Heap-use-after-free in v8_inspector::V8InspectorSessionImpl::breakProgram

Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6554489390891008
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6120001ed930
Crash State:
  v8_inspector::V8InspectorSessionImpl::breakProgram
  blink::InspectorDOMDebuggerAgent::PauseOnNativeEventIfNeeded
  blink::InspectorDOMDebuggerAgent::BreakableLocation
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=464021:464058
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6554489390891008
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 25 2017
Suspecting https://codereview.chromium.org/2816543002 in the regression range. adithyas: Can you please take a look or reassign? Thanks.
Apr 25 2017
Apr 25 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2017
Apr 25 2017
https://codereview.chromium.org/2816543002 was just a method rename, and there was no real functionality change, so I don't think it caused the issue here.
Apr 25 2017
A friendly reminder that M59 Beta launch is coming soon! Your bug is labelled as Release Block Beta. All fixes need to be merged into the release branch (3071) by tomorrow, 04/26 4:00 PM PT at the latest, in order to make it into the desktop Beta final build cut. Thank you!
Apr 25 2017
I'm able to reproduce this on linux-asan for commits well before the regression range (earliest I've tried is this one: https://chromium.googlesource.com/chromium/src/+/939b32ee5ba05c396eef3fd992822fcca9a2e262). kozyatinskiy@: I'm not really sure what the cause of this issue is, but it appears to be inspector related. Could you take a look?
Apr 25 2017
Apr 26 2017
Fix landed in v8: https://codereview.chromium.org/2842903002/
Apr 26 2017
Apr 26 2017
Apr 26 2017
Apr 26 2017
Apr 26 2017
Apr 26 2017
Apr 27 2017
ClusterFuzz has detected this issue as fixed in range 467481:467537.
Detailed report: https://clusterfuzz.com/testcase?key=6554489390891008
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6120001ed930
Crash State:
  v8_inspector::V8InspectorSessionImpl::breakProgram
  blink::InspectorDOMDebuggerAgent::PauseOnNativeEventIfNeeded
  blink::InspectorDOMDebuggerAgent::BreakableLocation
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=464021:464058
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=467481:467537
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6554489390891008
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 27 2017
Apr 27 2017
May 1 2017
May 2 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact the milestone owner if you have questions. Owners: amineer@ (Android), cmasso@ (iOS), gkihumba@ (ChromeOS), Abdul Syed@ (Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 8 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 9 2017
If this is ready for merge, can you please merge this to M59 3071 ASAP?
May 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/ffd34666761c897e0e5c01dbabf9ad193edba6d8

commit ffd34666761c897e0e5c01dbabf9ad193edba6d8
Author: Alexey Kozyatinskiy <kozyatinskiy@chromium.org>
Date: Wed May 10 17:35:04 2017

Merged: [inspector] improved V8Debugger::breakProgram method

Revision: 835b71e8cb388a05040200da4ce704082a6d5ce5

BUG= chromium:714819
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=kozyatinskiy@chromium.org

Change-Id: I4850e692cf5dd09c6dd8f5c9a1328c4d2a06999a
Reviewed-on: https://chromium-review.googlesource.com/502008
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.9@{#43}
Cr-Branched-From: fe9bb7e6e251159852770160cfb21dad3cf03523-refs/heads/5.9.211@{#1}
Cr-Branched-From: 70ad23791a21c0dd7ecef8d4d8dd30ff6fc291f6-refs/heads/master@{#44591}

[modify] https://crrev.com/ffd34666761c897e0e5c01dbabf9ad193edba6d8/src/inspector/v8-debugger-agent-impl.cc
[modify] https://crrev.com/ffd34666761c897e0e5c01dbabf9ad193edba6d8/src/inspector/v8-debugger.cc
[modify] https://crrev.com/ffd34666761c897e0e5c01dbabf9ad193edba6d8/src/inspector/v8-debugger.h
[modify] https://crrev.com/ffd34666761c897e0e5c01dbabf9ad193edba6d8/test/inspector/inspector-impl.cc
[modify] https://crrev.com/ffd34666761c897e0e5c01dbabf9ad193edba6d8/test/inspector/inspector-impl.h
[modify] https://crrev.com/ffd34666761c897e0e5c01dbabf9ad193edba6d8/test/inspector/inspector-test.cc
[modify] https://crrev.com/ffd34666761c897e0e5c01dbabf9ad193edba6d8/test/inspector/protocol-test.js
May 10 2017
May 10 2017
Aug 3 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by erikc...@chromium.org, Apr 24 2017