New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 723158 link

Starred by 1 user
Status: Verified
Owner:
fran...@chromium.org
Last visit > 30 days ago
Closed: Jul 2017
Cc:
mstarzinger@chromium.org
awhalley@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

CHECK failure: IrOpcode::kFrameState == state->op()->opcode() in instruction-selector.cc

Project Member Reported by ClusterFuzz, May 17 2017 
Detailed report: https://clusterfuzz.com/testcase?key=5341429806399488

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IrOpcode::kFrameState == state->op()->opcode() in instruction-selector.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 44636:44637

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5341429806399488


Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by clemensh@chromium.org, May 17 2017

Owner: fran...@chromium.org
Status: Assigned (was: Untriaged)
Hey Franzi,

your CL 947a0437668ce21392358634494543a664c6b123 introduced the crash with the following error message:

#
# Fatal error in ../../src/runtime/runtime-object.cc, line 697
# Check failed: args[0]->IsString().
#

Your CL de04df74129bba5539c6b887a2d2c81015fff866 turned the error into

#
# Fatal error in ../../src/compiler/instruction-selector.cc, line 570
# Check failed: IrOpcode::kFrameState == state->op()->opcode() (FrameState vs. 0).
#

Can you take a look please?
Project Member

Comment 2 by ClusterFuzz, May 19 2017

Labels: Stability-Memory-AddressSanitizer
Detailed report: https://clusterfuzz.com/testcase?key=6078621684072448

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IrOpcode::kFrameState == state->op()->opcode() in instruction-selector.cc
  v8::internal::compiler::InstructionSelector::AddInputsToFrameStateDescriptor
  v8::internal::compiler::InstructionSelector::InitializeCallBuffer
  
Sanitizer: address (ASAN)

Regressed: V8: 43955:43956

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6078621684072448


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 3 by och...@chromium.org, May 24 2017

Labels: Type-Bug-Security
Applying security view restrictions to all v8 CHECK/DCHECK failures.

(CHECKs aren't security, but we have no way to distinguish these right now).

Comment 4 by aarya@google.com, May 25 2017

Cc: mstarzinger@chromium.org
Project Member

Comment 5 by ClusterFuzz, May 26 2017 

Detailed report: https://clusterfuzz.com/testcase?key=4738652604465152

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IrOpcode::kFrameState == state->op()->opcode() in instruction-selector.cc
  v8::internal::compiler::InstructionSelector::AddInputsToFrameStateDescriptor
  v8::internal::compiler::InstructionSelector::InitializeCallBuffer
  
Sanitizer: address (ASAN)

Regressed: V8: 43955:43956

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4738652604465152


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 6 by ClusterFuzz, May 26 2017 

Detailed report: https://clusterfuzz.com/testcase?key=4738652604465152

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IrOpcode::kFrameState == state->op()->opcode() in instruction-selector.cc
  v8::internal::compiler::InstructionSelector::AddInputsToFrameStateDescriptor
  v8::internal::compiler::InstructionSelector::InitializeCallBuffer
  
Sanitizer: address (ASAN)

Regressed: V8: 43955:43956

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4738652604465152


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 7 by mbarbe...@chromium.org, Jun 6 2017

Labels: Security_Severity-High Security_Impact-Beta
Project Member

Comment 8 by sheriffbot@chromium.org, Jun 6 2017 

franzih: Uh oh! This issue still open and hasn't been updated in the last 20 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 9 by sheriffbot@chromium.org, Jun 6 2017

Labels: M-59
Project Member

Comment 10 by sheriffbot@chromium.org, Jun 6 2017

Labels: ReleaseBlock-Stable
Project Member

Comment 11 by sheriffbot@chromium.org, Jun 7 2017

Labels: -Security_Impact-Beta Security_Impact-Stable

Comment 12 by abdulsyed@chromium.org, Jun 7 2017

Cc: awhalley@chromium.org
+ Andrew - can you please review for M59?

Comment 13 by fran...@chromium.org, Jun 7 2017 

This is behind an experimental flag, --type-profile. Shouldn't be an issue because nobody should use it.

Comment 14 by fran...@chromium.org, Jun 8 2017

Labels: -Security_Impact-Stable -Security_Severity-High -ReleaseBlock-Stable -M-59

Comment 15 by rsesek@chromium.org, Jun 9 2017

Labels: Security_Severity-High Security_Impact-None
Restoring severity label but marking as no-impact.
Project Member

Comment 16 by ClusterFuzz, Jun 27 2017 

ClusterFuzz has detected this issue as fixed in range 46230:46231.

Detailed report: https://clusterfuzz.com/testcase?key=5341429806399488

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IrOpcode::kFrameState == state->op()->opcode() in instruction-selector.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 44636:44637
Fixed: V8: 46230:46231

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5341429806399488


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 17 by ClusterFuzz, Jul 14 2017 

ClusterFuzz has detected this issue as fixed in range 46650:46651.

Detailed report: https://clusterfuzz.com/testcase?key=4738652604465152

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IrOpcode::kFrameState == state->op()->opcode() in instruction-selector.cc
  v8::internal::compiler::InstructionSelector::AddInputsToFrameStateDescriptor
  v8::internal::compiler::InstructionSelector::InitializeCallBuffer
  
Sanitizer: address (ASAN)

Regressed: V8: 43955:43956
Fixed: V8: 46650:46651

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4738652604465152


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 18 by ClusterFuzz, Jul 14 2017 

ClusterFuzz has detected this issue as fixed in range 46650:46651.

Detailed report: https://clusterfuzz.com/testcase?key=6078621684072448

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IrOpcode::kFrameState == state->op()->opcode() in instruction-selector.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 43955:43956
Fixed: V8: 46650:46651

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6078621684072448


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 19 by mstarzinger@chromium.org, Jul 14 2017 

Support for tail calls was removed. I think this is no longer an issue.
Project Member

Comment 20 by ClusterFuzz, Jul 14 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4738652604465152 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 21 by sheriffbot@chromium.org, Jul 14 2017

Labels: Restrict-View-SecurityNotify
Project Member

Comment 22 by sheriffbot@chromium.org, Oct 22 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment