CHECK failure: !isolate_->external_caught_exception() in api.cc
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5677602768683008
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isolate_->external_caught_exception() in api.cc
  v8::CallDepthScope<false>::CallDepthScope
  v8::Object::Get
Sanitizer: address (ASAN)
Regressed: V8: 44879:44880
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5677602768683008
Issue manually filed by: rossberg
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 8 2017
Detailed report: https://clusterfuzz.com/testcase?key=6044266542661632
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isolate_->external_caught_exception() in api.cc
  v8::CallDepthScope<false>::CallDepthScope
  v8::Promise::Resolver::New
Sanitizer: address (ASAN)
Regressed: V8: 44879:44880
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6044266542661632
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 8 2017
Detailed report: https://clusterfuzz.com/testcase?key=6472771873013760
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isolate_->external_caught_exception() in api.cc
  v8::CallDepthScope<false>::CallDepthScope
  v8::Value::ToString
Sanitizer: address (ASAN)
Regressed: V8: 44879:44880
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6472771873013760
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 9 2017
May 10 2017
Minimized repro:
TypeError.prototype.__defineGetter__("name", function() {
  Reflect.getPrototypeOf(); // CPP builtin that throws.
});
console.time(new TypeError());
new WebAssembly.Table({}); // DCHECK triggers here when entering Object::Get.
May 10 2017
external_caught_exception is set here:
Breakpoint 2, v8::internal::Isolate::PropagatePendingExceptionToExternalTryCatch (this=0x5555555c5ed0) at ../../src/isolate.cc:2633
2633 thread_local_top_.external_caught_exception_ = true;
(gdb) bt
#0 v8::internal::Isolate::PropagatePendingExceptionToExternalTryCatch (this=0x5555555c5ed0) at ../../src/isolate.cc:2633
#1 0x00007ffff70b596b in v8::internal::Isolate::ReportPendingMessages (this=0x5555555c5ed0) at ../../src/isolate.cc:1764
#2 0x00007ffff6f09cd2 in v8::internal::(anonymous namespace)::Invoke (isolate=0x5555555c5ed0, is_construct=false, target=...,
receiver=..., argc=0, args=0x0, new_target=..., message_handling=v8::internal::Execution::MessageHandling::kReport)
at ../../src/execution.cc:160
#3 0x00007ffff6f09482 in v8::internal::(anonymous namespace)::CallInternal (isolate=0x5555555c5ed0, callable=..., receiver=..., argc=0,
argv=0x0, message_handling=v8::internal::Execution::MessageHandling::kReport) at ../../src/execution.cc:181
#4 0x00007ffff6f0932a in v8::internal::Execution::Call (isolate=0x5555555c5ed0, callable=..., receiver=..., argc=0, argv=0x0)
at ../../src/execution.cc:191
#5 0x00007ffff714a547 in v8::internal::JSReceiver::OrdinaryToPrimitive (receiver=...,
hint=v8::internal::OrdinaryToPrimitiveHint::kString) at ../../src/objects.cc:8154
#6 0x00007ffff711a117 in v8::internal::JSReceiver::ToPrimitive (receiver=..., hint=v8::internal::ToPrimitiveHint::kString)
at ../../src/objects.cc:8127
#7 0x00007ffff711a9e0 in v8::internal::Object::ConvertToString (isolate=0x5555555c5ed0, input=...) at ../../src/objects.cc:256
#8 0x00007ffff68274ec in v8::internal::Object::ToString (isolate=0x5555555c5ed0, input=...) at ../../src/objects-inl.h:1179
#9 0x00007ffff67f6cc5 in v8::Value::ToString (this=0x7fffffffcf68, context=...) at ../../src/api.cc:3643
#10 0x0000555555570fa7 in v8::(anonymous namespace)::WriteToFile (file=0x7ffff5e88400 <_IO_2_1_stdout_>, isolate=0x5555555c5ed0, args=...)
at ../../src/d8-console.cc:23
#11 0x0000555555570e4b in v8::D8Console::Log (this=0x7fffffffd9f8, args=...) at ../../src/d8-console.cc:45
#12 0x00007ffff6939dbf in v8::internal::Builtin_Impl_ConsoleLog (args=..., isolate=0x5555555c5ed0)
at ../../src/builtins/builtins-console.cc:53
#13 0x00007ffff6939be6 in v8::internal::Builtin_ConsoleLog (args_length=5, args_object=0x7fffffffcf70, isolate=0x5555555c5ed0)
at ../../src/builtins/builtins-console.cc:53
May 10 2017
Further minimized repro:
TypeError.prototype.__defineGetter__("name", () => { throw 42; });
console.log({ toString: () => { throw new TypeError() }});
new WebAssembly.Table({});
I think I now understand what's going on (and console.log is innocent).
The relevant parts of the repro are:
* The "name" getter on the TypeError prototype causes error formatting to fail.
* console.log itself is irrelevant; all that matters is that we have an external handler when the exception is thrown.
* Likewise for WebAssembly.Table, which just triggers the DCHECK in Object::Get.
The sequence is this:
1. ToString conversion from within console.log throws. external_caught_exception is set by Isolate::PropagatePendingExceptionToExternalTryCatch.
2. external_caught_exception is set to false and pending_exception is cleared by Isolate::OptionalRescheduleException.
3. TryCatch::StackTrace triggers error formatting. This throws again (twice) because formatting accesses TypeError.prototype.name - which throws. Again we go into Isolate::PropagatePendingExceptionToExternalTryCatch.
4. AppendErrorString [0] only clears the pending exception but does not touch external_caught_exception.
5. The WebAssembly.Table call triggers the failing DCHECK.
The problem is that handling in step 4 is incomplete - I guess it should also call PropagatePendingExceptionToExternalTryCatch or similar.
[0] https://cs.chromium.org/chromium/src/v8/src/messages.cc?type=cs&q=AppendErrorString+package:%5Echromium$&l=881
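As an added illustration (not V8's code and not the fix itself), a small hypothetical C++ model of the two isolate flags and the functions named in the sequence above; the `fixed` parameter switches AppendErrorString between the original behaviour and the one the fix commit describes.

```cpp
#include <cstdio>
// Hypothetical model of the isolate state the bug is about; this is not V8's code.
struct Isolate {
  bool has_pending_exception = false;      // models Isolate::has_pending_exception()
  bool external_caught_exception = false;  // models thread_local_top_.external_caught_exception_
  bool external_try_catch_active = true;   // an embedder v8::TryCatch is on the stack, as in console.log
};

// A throw that unwinds to the embedder while a TryCatch is active: the pending
// exception is propagated to the external handler (PropagatePendingExceptionToExternalTryCatch).
void ThrowToExternalHandler(Isolate* iso) {
  iso->has_pending_exception = true;
  if (iso->external_try_catch_active) iso->external_caught_exception = true;
}

// The embedder's TryCatch consumes the exception (OptionalRescheduleException): both flags go down.
void OptionalRescheduleException(Isolate* iso) {
  iso->has_pending_exception = false;
  iso->external_caught_exception = false;
}

// Error formatting reads TypeError.prototype.name, whose getter throws, and swallows the
// result (AppendErrorString). 'fixed' selects the behaviour after commit f9c4fc0d.
void AppendErrorString(Isolate* iso, bool fixed) {
  ThrowToExternalHandler(iso);           // the getter throws while the TryCatch is still on the stack
  iso->has_pending_exception = false;    // the original code only cleared the pending exception
  if (fixed) iso->external_caught_exception = false;  // the fix also clears the external flag
}

// Entering an API call such as Object::Get constructs a CallDepthScope, which
// DCHECKs !isolate_->external_caught_exception().
bool CallDepthScopeInvariantHolds(const Isolate* iso) {
  return !iso->external_caught_exception;
}

// Replays steps 1-5 of the analysis and reports whether the final API entry is clean.
bool ReplaySequence(bool fixed) {
  Isolate iso;
  ThrowToExternalHandler(&iso);       // 1. ToString inside console.log throws
  OptionalRescheduleException(&iso);  // 2. TryCatch clears both flags
  AppendErrorString(&iso, fixed);     // 3+4. TryCatch::StackTrace formats the error; getter throws; swallowed
  return CallDepthScopeInvariantHolds(&iso);  // 5. WebAssembly.Table -> Object::Get -> CallDepthScope
}

int main() {
  std::printf("before fix: invariant %s\n", ReplaySequence(false) ? "holds" : "violated");
  std::printf("after fix:  invariant %s\n", ReplaySequence(true) ? "holds" : "violated");
  return 0;
}
```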
May 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/f9c4fc0d204cd3f557712b255119952e41cbc4ad
commit f9c4fc0d204cd3f557712b255119952e41cbc4ad
Author: jgruber <jgruber@chromium.org>
Date: Thu May 11 06:35:53 2017

[error] Clear external_caught_exception in Error formatting

Clearing the pending exception is not enough - if we want to swallow an exception while currently on top of an external handler (e.g. TryCatch), we also need to clear external_caught_exception.

BUG= chromium:719380
Review-Url: https://codereview.chromium.org/2870423002
Cr-Commit-Position: refs/heads/master@{#45247}

[modify] https://crrev.com/f9c4fc0d204cd3f557712b255119952e41cbc4ad/src/messages.cc
[add] https://crrev.com/f9c4fc0d204cd3f557712b255119952e41cbc4ad/test/mjsunit/regress/regress-719380.js
May 11 2017
May 11 2017
ClusterFuzz has detected this issue as fixed in range 45246:45247.
Detailed report: https://clusterfuzz.com/testcase?key=6472771873013760
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isolate_->external_caught_exception() in api.cc
  v8::CallDepthScope<false>::CallDepthScope
  v8::Value::ToString
Sanitizer: address (ASAN)
Regressed: V8: 44879:44880
Fixed: V8: 45246:45247
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6472771873013760
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 11 2017
ClusterFuzz has detected this issue as fixed in range 45246:45247.
Detailed report: https://clusterfuzz.com/testcase?key=6044266542661632
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isolate_->external_caught_exception() in api.cc
  v8::CallDepthScope<false>::CallDepthScope
  v8::Promise::Resolver::New
Sanitizer: address (ASAN)
Regressed: V8: 44879:44880
Fixed: V8: 45246:45247
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6044266542661632
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 12 2017
ClusterFuzz has detected this issue as fixed in range 45246:45247.
Detailed report: https://clusterfuzz.com/testcase?key=5677602768683008
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isolate_->external_caught_exception() in api.cc
  v8::CallDepthScope<false>::CallDepthScope
  v8::Object::Get
Sanitizer: address (ASAN)
Regressed: V8: 44879:44880
Fixed: V8: 45246:45247
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5677602768683008
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by rossberg@chromium.org, May 8 2017
Status: Assigned (was: Untriaged)