
Issue 725743


Issue metadata

Status: Fixed
Owner:
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




CHECK failure: interrupt_address == isolate->builtins()->InterruptCheck()->entry() in full-code

Reported by ClusterFuzz (Project Member), May 24 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4869287071449088

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  interrupt_address == isolate->builtins()->InterruptCheck()->entry() in full-code
  v8::internal::BackEdgeTable::GetBackEdgeState
  v8::internal::BackEdgeTable::Patch
  
Sanitizer: address (ASAN)

Regressed: V8: 45496:45497

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4869287071449088


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by och...@chromium.org, May 24 2017

Labels: Type-Bug-Security
Applying security view restrictions to all v8 CHECK/DCHECK failures.

(CHECKs aren't security, but we have no way to distinguish these right now).

Comment 2 by aarya@google.com, May 25 2017

Owner: ishell@chromium.org

Comment 3 by aarya@google.com, May 25 2017

Cc: mstarzinger@chromium.org
Comment 4 by ClusterFuzz (Project Member), May 26 2017

Detailed report: https://clusterfuzz.com/testcase?key=6007995107639296

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  interrupt_address == isolate->builtins()->InterruptCheck()->entry() in full-code
  v8::internal::BackEdgeTable::GetBackEdgeState
  v8::internal::BackEdgeTable::Verify
  
Sanitizer: address (ASAN)

Regressed: V8: 45496:45497

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6007995107639296


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 5 by ishell@chromium.org, May 26 2017

Status: Assigned (was: Untriaged)
CF points to c15b3ffc773ef7b14655b59b1ce1437de903fdc0.

Comment 6 by ishell@chromium.org, May 29 2017

Cc: ishell@chromium.org mvstan...@chromium.org georgia....@arm.com
Owner: bmeu...@chromium.org
Reproduces on TOT, something back-edge-patching related:

out.gn/arm.debug/d8 --predictable --no-turbo --cache=code --no-lazy test.js

===== test.js =====
function f() {
  var n = a.length;
  // Two loops in one function: full-codegen emits an interrupt check on each back edge.
  for (var i = 0; i < n; i++) {
  }
  for (var i = 0; i < n; i++) {
  }
}
// Build a long string so the loops run long enough for the runtime profiler to attempt OSR.
var a = "xxxxxxxxxxxxxxxxxxxxxxxxx";
while (a.length < 100000) a = a + a;
f();



#0  v8::base::OS::Abort () at ../../src/base/platform/platform-posix.cc:261
#1  0xf58baf61 in V8_Fatal (file=0xf7bcc511 "../../src/full-codegen/arm/full-codegen-arm.cc", line=2842, 
    format=0xf7b0afe7 "Check failed: %s.") at ../../src/base/logging.cc:74
#2  0xf7963f1c in v8::internal::BackEdgeTable::GetBackEdgeState (isolate=0x565e2d10, unoptimized_code=0x4e4068c1, 
    pc=0x4e406ad8 "\344 \237", <incomplete sequence \345>) at ../../src/full-codegen/arm/full-codegen-arm.cc:2841
#3  0xf701577d in v8::internal::BackEdgeTable::Patch (isolate=0x565e2d10, unoptimized=0x4e4068c1)
    at ../../src/full-codegen/full-codegen.cc:1499
#4  0xf7529127 in v8::internal::RuntimeProfiler::AttemptOnStackReplacement (this=0x56611ae8, frame=0xffffaf5c, 
    loop_nesting_levels=1) at ../../src/runtime-profiler.cc:187
#5  0xf752951b in v8::internal::RuntimeProfiler::MaybeOptimizeFullCodegen (this=0x56611ae8, function=0x22b9bbbd, 
    frame=0xffffaf5c, frame_count=1) at ../../src/runtime-profiler.cc:232
#6  0xf752a43a in v8::internal::RuntimeProfiler::MarkCandidatesForOptimization (this=0x56611ae8)
    at ../../src/runtime-profiler.cc:453
#7  0xf6f98547 in v8::internal::StackGuard::HandleInterrupts (this=0x565e3ac8) at ../../src/execution.cc:497
#8  0xf75a7d5a in v8::internal::__RT_impl_Runtime_Interrupt (args=..., isolate=0x565e2d10)
    at ../../src/runtime/runtime-internal.cc:324
#9  0xf75a7a5d in v8::internal::Runtime_Interrupt (args_length=0, args_object=0xf0368ef4, isolate=0x565e2d10)
    at ../../src/runtime/runtime-internal.cc:321
#10 0xf785b595 in v8::internal::Simulator::SoftwareInterrupt (this=0x56608170, instr=0x566cd65c)
    at ../../src/arm/simulator-arm.cc:1958
#11 0xf786235f in v8::internal::Simulator::DecodeType7 (this=0x56608170, instr=0x566cd65c)
    at ../../src/arm/simulator-arm.cc:3183
#12 0xf7855c4d in v8::internal::Simulator::InstructionDecode (this=0x56608170, instr=0x566cd65c)
    at ../../src/arm/simulator-arm.cc:5805
#13 0xf7870439 in v8::internal::Simulator::Execute (this=0x56608170) at ../../src/arm/simulator-arm.cc:5832
#14 0xf7870931 in v8::internal::Simulator::CallInternal (this=0x56608170, 
    entry=0x55406040 "\360O-\351\020\213", <incomplete sequence \355>) at ../../src/arm/simulator-arm.cc:5889
#15 0xf7871327 in v8::internal::Simulator::Call (this=0x56608170, 
    entry=0x55406040 "\360O-\351\020\213", <incomplete sequence \355>, argument_count=5)
    at ../../src/arm/simulator-arm.cc:5940
#16 0xf6f96d7f in v8::internal::(anonymous namespace)::Invoke (isolate=0x565e2d10, is_construct=false, target=..., 
    receiver=..., argc=0, args=0x0, new_target=..., message_handling=v8::internal::Execution::MessageHandling::kReport)
    at ../../src/execution.cc:145
#17 0xf6f96182 in v8::internal::(anonymous namespace)::CallInternal (isolate=0x565e2d10, callable=..., receiver=..., argc=0, 
    argv=0x0, message_handling=v8::internal::Execution::MessageHandling::kReport) at ../../src/execution.cc:181
#18 0xf6f95f8f in v8::internal::Execution::Call (isolate=0x565e2d10, callable=..., receiver=..., argc=0, argv=0x0)
    at ../../src/execution.cc:191
#19 0xf65a12fd in v8::Script::Run (this=0x568229e4, context=...) at ../../src/api.cc:2039
#20 0x5658ffb0 in v8::Shell::ExecuteString (isolate=0x565e2d10, source=..., name=..., print_result=false, 
    report_exceptions=true) at ../../src/d8.cc:574
#21 0x5659e900 in v8::SourceGroup::Execute (this=0x565e100c, isolate=0x565e2d10) at ../../src/d8.cc:2290
#22 0x565a1673 in v8::Shell::RunMain (isolate=0x565e2d10, argc=6, argv=0xffffc454, last_run=true) at ../../src/d8.cc:2717
#23 0x565a22ef in v8::Shell::Main (argc=6, argv=0xffffc454) at ../../src/d8.cc:3167
#24 0x565a26b2 in main (argc=6, argv=0xffffc454) at ../../src/d8.cc:3199

Cc: jarin@chromium.org
Owner: mstarzinger@chromium.org
Some fullcodegen bug it seems. Michi can you take a look when you have time?
Status: Started (was: Assigned)
Interesting. Will investigate ...
The problem is that the constant pool entry for the interrupt check (which is later on being patched for OSR) is being shared. This means that patching one OSR entry point essentially patches all of them. This also explains the regression range which points to c15b3ffc773ef7b14655b59b1ce1437de903fdc0.
Issue 725930 has been merged into this issue.
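To make the root cause in the comment above concrete, here is a small C model added to this page; it is not V8 code. It models a constant pool of call targets, two back edges (as in the two loops of test.js), an OSR patch of the first back edge, and a consistency rule mirroring the one GetBackEdgeState enforces. The builtin entry addresses, type names and function names are hypothetical stand-ins.

```c
/* Added model of the root cause described above; this is not V8 code.
 * Builtin entry addresses, type names and function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

/* Stand-in entry addresses for the two builtins a back edge can call. */
enum {
  INTERRUPT_CHECK_ENTRY = 0x1000,
  ON_STACK_REPLACEMENT_ENTRY = 0x2000
};

/* A back edge is a conditional branch that skips the call in the INTERRUPT
 * state; patching for OSR turns the branch into a nop and retargets the call. */
typedef enum { BRANCH_CONDITIONAL, BRANCH_NOP } BranchInstr;

typedef enum {
  STATE_INTERRUPT,
  STATE_ON_STACK_REPLACEMENT,
  STATE_INCONSISTENT /* models the CHECK in GetBackEdgeState firing */
} BackEdgeState;

#define MAX_POOL 8

typedef struct {
  unsigned long pool[MAX_POOL]; /* constant pool: call targets loaded pc-relative */
  int pool_used;
  bool share_code_targets;      /* the sharing the fix disables for full-codegen */
} Code;

typedef struct {
  BranchInstr branch; /* branch-or-nop preceding the target load */
  int pool_index;     /* constant pool slot holding this back edge's call target */
} BackEdge;

/* Emit a call-target constant. With sharing on, an existing slot that already
 * holds the same value is reused, so two loops end up pointing at one slot. */
static int emit_code_target(Code *c, unsigned long target) {
  if (c->share_code_targets) {
    for (int i = 0; i < c->pool_used; i++) {
      if (c->pool[i] == target) return i;
    }
  }
  c->pool[c->pool_used] = target;
  return c->pool_used++;
}

/* Emit one back edge in the INTERRUPT state. */
static BackEdge emit_back_edge(Code *c) {
  BackEdge e;
  e.branch = BRANCH_CONDITIONAL;
  e.pool_index = emit_code_target(c, INTERRUPT_CHECK_ENTRY);
  return e;
}

/* Patch one back edge for OSR: retarget its call and nop out its branch. */
static void patch_for_osr(Code *c, BackEdge *e) {
  c->pool[e->pool_index] = ON_STACK_REPLACEMENT_ENTRY;
  e->branch = BRANCH_NOP;
}

/* Mirrors the consistency rule GetBackEdgeState enforces: a conditional
 * branch must pair with the InterruptCheck target, a nop with the OSR target. */
static BackEdgeState get_back_edge_state(const Code *c, const BackEdge *e) {
  unsigned long target = c->pool[e->pool_index];
  if (e->branch == BRANCH_CONDITIONAL) {
    return target == INTERRUPT_CHECK_ENTRY ? STATE_INTERRUPT : STATE_INCONSISTENT;
  }
  return target == ON_STACK_REPLACEMENT_ENTRY ? STATE_ON_STACK_REPLACEMENT
                                              : STATE_INCONSISTENT;
}

/* Compile a function with two loops, patch the first loop's back edge, and
 * report what the second loop's back edge now looks like. */
BackEdgeState second_loop_state_after_patching_first(bool share_code_targets) {
  Code code = { {0}, 0, share_code_targets };
  BackEdge loop1 = emit_back_edge(&code);
  BackEdge loop2 = emit_back_edge(&code);
  patch_for_osr(&code, &loop1);
  return get_back_edge_state(&code, &loop2);
}

/* How many constant pool slots two loops consume under each setting. */
int pool_slots_for_two_loops(bool share_code_targets) {
  Code code = { {0}, 0, share_code_targets };
  emit_back_edge(&code);
  emit_back_edge(&code);
  return code.pool_used;
}

int main(void) {
  printf("sharing on : %d slot(s), second loop state %d\n",
         pool_slots_for_two_loops(true),
         (int)second_loop_state_after_patching_first(true));
  printf("sharing off: %d slot(s), second loop state %d\n",
         pool_slots_for_two_loops(false),
         (int)second_loop_state_after_patching_first(false));
  return 0;
}
```

With sharing on, both loops resolve to a single pool slot, so patching the first back edge silently retargets the second while its branch still says INTERRUPT; that is the mismatch the CHECK in GetBackEdgeState reports. With sharing off, each back edge owns its own slot and the second loop's state is unaffected, which is the effect of the scope the fix adds.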
Comment 11 by ClusterFuzz (Project Member), Jun 2 2017

ClusterFuzz has detected this issue as fixed in range 45660:45661.

Detailed report: https://clusterfuzz.com/testcase?key=4869287071449088

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  interrupt_address == isolate->builtins()->InterruptCheck()->entry() in full-code
  v8::internal::BackEdgeTable::GetBackEdgeState
  v8::internal::BackEdgeTable::Patch
  
Sanitizer: address (ASAN)

Regressed: V8: 45496:45497
Fixed: V8: 45660:45661

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4869287071449088


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 12 by ClusterFuzz (Project Member), Jun 2 2017

ClusterFuzz has detected this issue as fixed in range 45660:45661.

Detailed report: https://clusterfuzz.com/testcase?key=6007995107639296

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  interrupt_address == isolate->builtins()->InterruptCheck()->entry() in full-code
  v8::internal::BackEdgeTable::GetBackEdgeState
  v8::internal::BackEdgeTable::Verify
  
Sanitizer: address (ASAN)

Regressed: V8: 45496:45497
Fixed: V8: 45660:45661

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6007995107639296


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Started)
Fixed. Kudos and thanks go to Georgia ...

commit 6a99238b9004c8e14b7f86734ef071eac8198212
Author: georgia.kouveli <georgia.kouveli@arm.com>
Date:   Thu Jun 1 06:18:21 2017 -0700

    [arm] Clean up disabling of sharing code target entries.
    
    This fixes an issue with full-codegen where code target entries for the OSR
    check were being incorrectly shared. We now explicitly disable sharing of code
    target constant pool entries for full-codegen and for calls to builtins from
    WASM code, using a scope.
    
    BUG= chromium:725743 
    
    Review-Url: https://codereview.chromium.org/2922433002
    Cr-Commit-Position: refs/heads/master@{#45661}

Comment 14 by sheriffbot@chromium.org (Project Member), Jun 2 2017

Labels: Restrict-View-SecurityNotify
Comment 15 by sheriffbot@chromium.org (Project Member), Sep 8 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
