Issue metadata
Sign in to add a comment
|
Crash in v8::internal::Simulator::DecodeType2 |
|||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6587417334382592 Fuzzer: inferno_js_fuzzer_c Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0xffffffff Crash State: v8::internal::Simulator::DecodeType2 v8::internal::Simulator::InstructionDecode v8::internal::Simulator::CallInternal Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: V8: 41533:41534 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6587417334382592 Issue manually filed by: ishell See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6b31174aecbff01f07ce5f5d7f0d90ca41dc8fa2 commit 6b31174aecbff01f07ce5f5d7f0d90ca41dc8fa2 Author: Sathya Gunasekaran <gunasekaran@google.com> Date: Fri May 26 11:18:37 2017 [Promise] Add smi check for species constructor Bug: chromium:726636 Change-Id: Ied6af8c969ed05b7a334238b30930658af060e7d Reviewed-on: https://chromium-review.googlesource.com/516734 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#45537} [modify] https://crrev.com/6b31174aecbff01f07ce5f5d7f0d90ca41dc8fa2/src/builtins/builtins-promise-gen.cc [add] https://crrev.com/6b31174aecbff01f07ce5f5d7f0d90ca41dc8fa2/test/mjsunit/regress/regress-726636.js
,
May 26 2017
,
May 26 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 26 2017
,
May 26 2017
,
May 26 2017
Issue 725536 has been merged into this issue.
,
May 26 2017
Issue 725043 has been merged into this issue.
,
May 27 2017
ClusterFuzz has detected this issue as fixed in range 45536:45537. Detailed report: https://clusterfuzz.com/testcase?key=6587417334382592 Fuzzer: inferno_js_fuzzer_c Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0xffffffff Crash State: v8::internal::Simulator::DecodeType2 v8::internal::Simulator::InstructionDecode v8::internal::Simulator::CallInternal Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: V8: 41533:41534 Fixed: V8: 45536:45537 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6587417334382592 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 27 2017
,
May 27 2017
,
May 30 2017
Issue 726264 has been merged into this issue.
,
May 30 2017
,
Jun 2 2017
,
Jun 2 2017
I think we should probably merge this to M59 as well.
,
Jun 2 2017
This bug requires manual review: We are only 3 days from stable. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 2 2017
,
Jun 2 2017
per recommendation from awhalley@ over email, let's target this for M60.
,
Jun 3 2017
Raising the severity to high here. On a 32-bit system this bug is probably a lot more useful to an attacker because the bad pointer can address more of the address space (31 bits/32).
,
Jun 4 2017
As discussed with awhalley@ over email, this will be considered for a future respin, but not for Monday's release.
,
Jun 6 2017
,
Jun 7 2017
Has this change been well tested in canary/dev? And is this overall a safe merge?
,
Jun 8 2017
This has been tested in Canary for over a week, and is very straightforward. Should be a safe merge.
,
Jun 8 2017
Thanks for confirming - approving merge for M59.
,
Jun 8 2017
Looks like this is needed in M60, too.
,
Jun 8 2017
Your change meets the bar and is auto-approved for M60. Please go ahead and merge the CL to branch 3112 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/7201a5e19b4e3e48dbcb432faa20de6f6198707f commit 7201a5e19b4e3e48dbcb432faa20de6f6198707f Author: Adam Klein <adamk@chromium.org> Date: Fri Jun 09 17:24:48 2017 Merged: [Promise] Add smi check for species constructor Revision: 6b31174aecbff01f07ce5f5d7f0d90ca41dc8fa2 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=gsathya@chromium.org Bug: chromium:726636 Change-Id: I4750a2708992cd92edaad425eaba531c72a3a87c Reviewed-on: https://chromium-review.googlesource.com/522851 Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/branch-heads/5.9@{#73} Cr-Branched-From: fe9bb7e6e251159852770160cfb21dad3cf03523-refs/heads/5.9.211@{#1} Cr-Branched-From: 70ad23791a21c0dd7ecef8d4d8dd30ff6fc291f6-refs/heads/master@{#44591} [modify] https://crrev.com/7201a5e19b4e3e48dbcb432faa20de6f6198707f/src/builtins/builtins-promise-gen.cc [add] https://crrev.com/7201a5e19b4e3e48dbcb432faa20de6f6198707f/test/mjsunit/regress/regress-726636.js
,
Jun 9 2017
,
Jun 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/d6c8214fe398880af42972da7130573958c5ed7a commit d6c8214fe398880af42972da7130573958c5ed7a Author: Sathya Gunasekaran <gunasekaran@google.com> Date: Fri Jun 09 17:26:15 2017 Merged: [Promise] Add smi check for species constructor Revision: 6b31174aecbff01f07ce5f5d7f0d90ca41dc8fa2 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=adamk@chromium.org Bug: chromium:726636 Change-Id: I415290ca2f3aaff9ec29b285a5883815205f4ddd Reviewed-on: https://chromium-review.googlesource.com/529625 Reviewed-by: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/branch-heads/6.0@{#25} Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1} Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439} [modify] https://crrev.com/d6c8214fe398880af42972da7130573958c5ed7a/src/builtins/builtins-promise-gen.cc [add] https://crrev.com/d6c8214fe398880af42972da7130573958c5ed7a/test/mjsunit/regress/regress-726636.js
,
Jun 10 2017
This bug is a regression and does not impact stable. Removing incorrectly added Release- labels. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 10 2017
removing Merge-Pending label, since fix is already in branch.
,
Jun 10 2017
,
Jun 12 2017
Fixing Security_Impact label to stop sheriffbot incorrectly removing correctly applied release label.
,
Aug 2 2017
Latest Node.js 8.x is affected, but it is imminently going to pick-up V8 6.0 which includes the fix.
,
Sep 2 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||||||||||
Comment 1 by ishell@chromium.org
, May 26 2017Owner: gsat...@chromium.org
Status: Assigned (was: Untriaged)
PromiseThen builtin has issues. Reproduces on TOT as follows: out.gn/x64.debug/d8 --predictable test.js ===== test.js ===== Object.defineProperty(Promise, Symbol.species, { value: 0 }); var p = new Promise(function() {}); p.then();