Issue metadata

Status: Duplicate
Merged: issue v8:6436
Closed: May 2017
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security


Issue 724299: Security: Use after free in WebAssembly async compilation (race condition).

Reported May 18 2017 (Project Member)

Issue description

A queued asynchronous WebAssembly compilation job created by a web worker can later have its V8 Isolate freed when the worker is terminated. If the queued job is run after the worker thread's shutdown, there is a UaF on the Isolate.

The attached testcase consistently gives the following ASan report:

(This needs to be run under an HTTP server for the fetch() to work.)

$ python -m SimpleHTTPServer

$ ./chrome http://localhost:8000/index.html

==12995==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b00004d200 at pc 0x563d19348077 bp 0x7fae16a7e8f0 sp 0x7fae16a7e8e8
READ of size 8 at 0x62b00004d200 thread T11 (WorkerPool/1303)
    #0 0x563d19348076 in GetEmbedderData v8/include/v8.h:8847:12
    #1 0x563d19348076 in GetData v8/include/v8.h:9945
    #2 0x563d19348076 in gin::PerIsolateData::From(v8::Isolate*) gin/
    #3 0x563d19350004 in gin::V8Platform::CallOnForegroundThread(v8::Isolate*, v8::Task*) gin/
    #4 0x563d0fbf73af in DoSync<AsyncCompileJob::PrepareAndStartCompile, std::__1::unique_ptr<v8::internal::wasm::WasmModule, std::__1::default_delete<v8::internal::wasm::WasmModule> > > v8/src/wasm/
    #5 0x563d0fbf73af in AsyncCompileJob::DecodeModule::Run() v8/src/wasm/
    #6 0x563d11645b60 in Run base/callback.h:91:12
    #7 0x563d11645b60 in base::(anonymous namespace)::WorkerThread::ThreadMain() base/threading/
    #8 0x563d1154670a in base::(anonymous namespace)::ThreadFunc(void*) base/threading/
    #9 0x7fae51f96183 in start_thread /build/eglibc-MjiXCM/eglibc-2.19/nptl/pthread_create.c:312

0x62b00004d200 is located 0 bytes inside of 24184-byte region [0x62b00004d200,0x62b000053078)
freed by thread T21 (DedicatedWorker) here:
    #0 0x563d0aec1ca2 in operator delete(void*) (/usr/local/google/home/ochang/Downloads/asan-linux-release-472963/chrome+0x3165ca2)
    #1 0x563d0f210eb7 in v8::internal::Isolate::TearDown() v8/src/
    #2 0x563d1933ab69 in gin::IsolateHolder::~IsolateHolder() gin/
    #3 0x563d18f46101 in blink::V8PerIsolateData::~V8PerIsolateData() third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:74:40
    #4 0x563d18f46f3c in blink::V8PerIsolateData::Destroy(v8::Isolate*) third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:129:3
    #5 0x563d1a34590c in blink::WorkerBackingThread::Shutdown() third_party/WebKit/Source/core/workers/WorkerBackingThread.cpp:97:3
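The failure mode described in the report, reduced to a minimal illustration. This is an added example, not V8 or Chromium code, and not the fix tracked in v8:6436 (which this page does not show): a job queued on a worker pool captures a raw pointer to an object (the `Isolate` struct here stands in for `v8::Isolate`) that another thread can delete before a pool thread runs the job. The hardened shape beside it, a handle that teardown nulls out under a lock so a late job finds nothing to touch, is one generic mitigation for this pattern. All names are hypothetical and the scenario runs single-threaded so the ordering that triggers the bug is deterministic.

```cpp
// Added illustration of the bug class in the report; not V8's code or fix.
#include <functional>
#include <memory>
#include <mutex>
#include <queue>
#include <string>
#include <vector>

// Stand-in for v8::Isolate: owns per-isolate data that a queued job reads
// (the report's crash is in gin::PerIsolateData::From reading embedder data).
struct Isolate {
    std::string embedder_data = "per-isolate data";
};

// Stand-in for the worker pool's task queue. In the real bug a pool thread
// runs the task while the DedicatedWorker thread tears the isolate down; here
// the same ordering is forced on one thread so the outcome is repeatable.
using Task = std::function<void()>;
static std::queue<Task> g_worker_pool;

// --- Vulnerable shape -------------------------------------------------------
// The job captures a raw Isolate*. If the isolate is deleted before the pool
// gets to the job, the job reads freed memory (the heap-use-after-free above).
// Shown for contrast only; RunSafeScenario() below never enqueues this.
void EnqueueCompileJobRaw(Isolate* isolate, std::vector<std::string>* log) {
    g_worker_pool.push([isolate, log] {
        log->push_back("compile on " + isolate->embedder_data);  // UaF if freed
    });
}

// --- Hardened shape ---------------------------------------------------------
// The job holds a shared handle instead of the raw pointer. Teardown clears
// the pointer under the same lock the job takes, so "check, then use" cannot
// interleave with "delete".
struct IsolateHandle {
    std::mutex mu;
    Isolate* isolate = nullptr;  // null once the owning worker has shut down
};

void EnqueueCompileJobSafe(std::shared_ptr<IsolateHandle> handle,
                           std::vector<std::string>* log) {
    g_worker_pool.push([handle, log] {
        std::lock_guard<std::mutex> lock(handle->mu);
        if (!handle->isolate) {
            log->push_back("compile skipped: isolate gone");
            return;
        }
        log->push_back("compile on " + handle->isolate->embedder_data);
    });
}

// Worker shutdown: free the isolate and invalidate every outstanding handle.
void TearDownIsolate(const std::shared_ptr<IsolateHandle>& handle) {
    std::lock_guard<std::mutex> lock(handle->mu);
    delete handle->isolate;
    handle->isolate = nullptr;
}

void DrainWorkerPool() {
    while (!g_worker_pool.empty()) {
        Task t = std::move(g_worker_pool.front());
        g_worker_pool.pop();
        t();
    }
}

// The order that triggers the report's bug: enqueue the compile job, terminate
// the worker (isolate torn down), then the pool finally runs the job.
std::vector<std::string> RunSafeScenario() {
    std::vector<std::string> log;
    auto handle = std::make_shared<IsolateHandle>();
    handle->isolate = new Isolate;
    EnqueueCompileJobSafe(handle, &log);
    TearDownIsolate(handle);   // worker terminated before the job ran
    DrainWorkerPool();         // job runs late and must not touch the isolate
    return log;
}
```

The lock is what makes the hardened version correct: a bare "is the pointer null" check without it would still race with the deleting thread between the check and the dereference. Whether V8 addressed the report by cancelling queued jobs at teardown, by keeping the isolate alive until they drain, or by another route is not recorded on this page.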

Comment 1, May 18 2017

Components: Blink>JavaScript>WebAssembly
Labels: Security_Severity-High Security_Impact-Stable OS-Chrome OS-Linux OS-Mac OS-Windows Pri-1
Status: Assigned (was: Unconfirmed)
neis can you take a look at this issue please?

Comment 2 by ClusterFuzz, May 18 2017

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at

Comment 3, May 19 2017

Assigning to someone working on wasm.

Comment 4, May 19 2017

Comment 5, May 19 2017

Description: updated

Comment 6, May 19 2017

Comment 7, May 19 2017

Description: updated
Comment 8, May 19 2017

(Sorry, uploaded the wrong .wasm file in the -- fixed this. Larger .wasm files will likely make this more reliable to reproduce.)

Comment 9, May 19 2017

Project Member
Labels: M-58

Comment 10, May 19 2017

Description: updated

Comment 11, May 23 2017

Mergedinto: v8:6436
Status: Duplicate (was: Assigned)

Comment 12, Aug 30 2017

Project Member
Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
