CHECK failure: VerifySubRange<T>(buf, byte_offset, length) in TypedArrayBase.h via Blob constructor |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4677683373146112 Fuzzer: inferno_twister Job Type: mac_asan_chrome Platform Id: mac Crash Type: CHECK failure Crash Address: Crash State: VerifySubRange<T>(buf, byte_offset, length) in TypedArrayBase.h blink::DOMTypedArray<WTF::Int32Array, v8::Int32Array>::Create blink::V8Int32Array::toImpl Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=466662:466677 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4677683373146112 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 27 2017
Assigning to the reviewer tkent@ of the CL, could you please take a look?. https://codereview.chromium.org/2833123002 Thank you.
,
May 1 2017
> Suspecting Commit# > https://chromium.googlesource.com/chromium/src/+/177d44c2b478ca96d5cff47940509b578e4af697 It's a no-op change. Route to Blink>Storage triage because this is in Blob constructor. Note: I couldn't reproduce this on Google Chrome, but reproduced on content shell build with ASan.
,
May 1 2017
Coming through Blob constructor, but the stack is in bindings: generated V8Blob ctor -> sequence conversion -> union conversion -> Int32Array::Create -> WTF::TypedArrayBase<int>::Create() and CHECK is hit here: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/wtf/typed_arrays/TypedArrayBase.h?l=91 The repro has an array size just shy of the maximum *signed* 32-bit int. I'd assume the byte_offset passed to VerifySubRange is 0 (since it's a new blob) and then the math is okay. Is ASAN monkeying with things?
,
May 8 2017
Looks to me like we're creating an Int32Array of slightly less than 2^31 32-bit integers, but the Blink-side logic uses |unsigned| (which is 32-bit) for byte length and offset. But the byte length requires at least 33 bits to properly represent.
,
May 8 2017
...given that, I think this is actually an issue principally in WTF's typed array code, and to a lesser extent, the DOM typed array code. yutak, mind taking a look or re-triaging from a wtf point of view? Probably just needs a bunch of unsigned->size_t changes where we're talking about bytes (and thus I don't think there's any guarantee about it fitting in 32-bits, even though the element indices do).
,
May 8 2017
,
Oct 9 2017
ClusterFuzz has detected this issue as fixed in range 507321:507330. Detailed report: https://clusterfuzz.com/testcase?key=4677683373146112 Fuzzer: inferno_twister Job Type: mac_asan_chrome Platform Id: mac Crash Type: CHECK failure Crash Address: Crash State: VerifySubRange<T>(buffer.Get(), byte_offset, length) in TypedArrayBase.h blink::DOMTypedArray<WTF::Int32Array, v8::Int32Array>::Create blink::V8Int32Array::ToImpl Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=466662:466677 Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=507321:507330 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4677683373146112 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 9 2017
ClusterFuzz testcase 4677683373146112 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by msrchandra@chromium.org
, Apr 26 2017Labels: M-60 Needs-triage Test-Predator-Wrong