New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 717022 link

Starred by 1 user
Status: Fixed
Owner:
petermarshall@chromium.org
OOO until 2019-02-10
Closed: May 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

CHECK failure: source->buffer() != destination->buffer() in elements.cc

Project Member Reported by ClusterFuzz, May 1 2017 
Detailed report: https://clusterfuzz.com/testcase?key=6373627317714944

Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  source->buffer() != destination->buffer() in elements.cc
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=467620:467639

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6373627317714944


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by danno@chromium.org, May 2 2017

Owner: petermarshall@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by petermarshall@chromium.org, May 2 2017

Status: Started (was: Assigned)
Project Member

Comment 3 by bugdroid1@chromium.org, May 2 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/0d582ada5135b4070a9e154e373deb5d6c19f380

commit 0d582ada5135b4070a9e154e373deb5d6c19f380
Author: Peter Marshall <petermarshall@chromium.org>
Date: Tue May 02 14:08:23 2017

[builtins] Fix overly strict CHECK in TypedArray.Set.

The existing CHECK assumed that the source and destination could not
have the same buffer, but they actually can as long as the data
ranges do not overlap within the buffer. Change the check to look for
this more relaxed condition instead.

Moved the check outside of the memcpy case as well, given that it
should also apply for the slower, element-by-element copy as well.

Also use JSTypedArray::element_size() to get the element size instead
of the helper on the FixedTypedArrayBase. This lets us change that
helper back to private again.

Bug:  chromium:717022 

Change-Id: I2eca1df1e87444c5db397e0b7cf686cefe67d29c
Reviewed-on: https://chromium-review.googlesource.com/493147
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45035}
[modify] https://crrev.com/0d582ada5135b4070a9e154e373deb5d6c19f380/src/elements.cc
[modify] https://crrev.com/0d582ada5135b4070a9e154e373deb5d6c19f380/src/objects.h
[modify] https://crrev.com/0d582ada5135b4070a9e154e373deb5d6c19f380/test/mjsunit/es6/typedarray.js
Project Member

Comment 4 by ClusterFuzz, May 4 2017 

ClusterFuzz has detected this issue as fixed in range 468955:469026.

Detailed report: https://clusterfuzz.com/testcase?key=6373627317714944

Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  source->buffer() != destination->buffer() in elements.cc
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=467620:467639
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=468955:469026

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6373627317714944


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by petermarshall@chromium.org, May 4 2017

Status: Fixed (was: Started)

Sign in to add a comment