Issue 727219

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




CHECK failure: deopt_data->get(this_idx)->IsUndefined(isolate) in wasm-module.cc

Project Member Reported by ClusterFuzz, May 29 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5533530657652736

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  deopt_data->get(this_idx)->IsUndefined(isolate) in wasm-module.cc
  InstantiationHelper::LoadTableSegments
  InstantiationHelper::Build
  
Sanitizer: address (ASAN)

Regressed: V8: 43969:43970

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5533530657652736


Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ishell@chromium.org, May 29 2017

Cc: ahaas@chromium.org
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
CF points to 74daa15ee82e338879b15c3a5ed87e412a6ad2c7. PTAL.
Status: Started (was: Assigned)
Labels: -Type-Bug-Security -Security_Impact-Head -Security_Severity-High Pri-2 Type-Bug
Even though a DCHECK fails, this has no security implications. Note that the entry which is supposed to be undefined is set to the correct value immediately after the DCHECK.
The fix is to just reset slots to undefined, such that the DCHECK does not trigger.
Project Member Comment 4 by bugdroid1@chromium.org, May 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/14fae58987762a7a35f1a689172c26dfe5887c45

commit 14fae58987762a7a35f1a689172c26dfe5887c45
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon May 29 12:33:57 2017

[asm] Fix reusing code with annotated export info

For lazy compilation, we encode information about table exports in the
deoptimization data. This information is rebuilt on each instantiation,
so we need to reset it when reusing code objects from another instance.

R=ahaas@chromium.org
BUG=chromium:727219

Change-Id: I90557ef06e692d0a8323223cac26679efcfa408b
Reviewed-on: https://chromium-review.googlesource.com/517945
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45559}
[modify] https://crrev.com/14fae58987762a7a35f1a689172c26dfe5887c45/src/wasm/wasm-module.cc
[add] https://crrev.com/14fae58987762a7a35f1a689172c26dfe5887c45/test/mjsunit/regress/wasm/regression-727219.js
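The commit message above describes table export information that is rebuilt on every instantiation while compiled code is shared between instances of one module. The block below is an added illustration of that instantiation pattern; it is not the ClusterFuzz testcase (which is only linked from this issue), not V8's regression-727219.js, and it makes no claim to trigger the DCHECK. It hand-assembles a small wasm module (a constructed byte sequence, two functions, one funcref table, one active element segment, all exported) and instantiates the same compiled WebAssembly.Module twice, so each instance's table is populated from the element segment independently and one instance's table edits do not leak into the other:

```javascript
// Constructed wasm module bytes (added example, not from the bug or from V8).
// Sections: type () -> i32; two funcs; table funcref min 2;
// exports f0, f1, tbl; element segment {0, 1} at offset 0; code.
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic + version
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,       // type section: () -> i32
  0x03, 0x03, 0x02, 0x00, 0x00,                   // function section: 2 funcs of type 0
  0x04, 0x04, 0x01, 0x70, 0x00, 0x02,             // table section: funcref, min 2
  0x07, 0x11, 0x03,                               // export section, 3 entries
  0x02, 0x66, 0x30, 0x00, 0x00,                   //   "f0" -> func 0
  0x02, 0x66, 0x31, 0x00, 0x01,                   //   "f1" -> func 1
  0x03, 0x74, 0x62, 0x6c, 0x01, 0x00,             //   "tbl" -> table 0
  0x09, 0x08, 0x01, 0x00, 0x41, 0x00, 0x0b, 0x02, 0x00, 0x01, // elem: table 0, offset 0, [0, 1]
  0x0a, 0x0b, 0x02,                               // code section, 2 bodies
  0x04, 0x00, 0x41, 0x2a, 0x0b,                   //   f0: i32.const 42; end
  0x04, 0x00, 0x41, 0x07, 0x0b,                   //   f1: i32.const 7; end
]);

// Compile once; the resulting Module is what both instantiations share.
function compileModule() {
  if (!WebAssembly.validate(MODULE_BYTES)) {
    throw new Error("constructed module bytes failed validation");
  }
  return new WebAssembly.Module(MODULE_BYTES);
}

// Instantiate the same compiled module twice. The element segment is applied
// on each instantiation, so every instance starts with its own table contents.
function instantiateTwice(mod) {
  const a = new WebAssembly.Instance(mod);
  const b = new WebAssembly.Instance(mod);
  return { a, b };
}

// Call every table slot of an instance and collect the results.
function tableResults(inst) {
  const tbl = inst.exports.tbl;
  const out = [];
  for (let i = 0; i < tbl.length; i++) {
    out.push(tbl.get(i)());
  }
  return out;
}

// Overwrite slot 0 of one instance's table with its own f1 export. The table
// belongs to that instance only, so the sibling instance must be unaffected.
function swapFirstEntry(inst) {
  inst.exports.tbl.set(0, inst.exports.f1);
  return tableResults(inst);
}

// Stand-alone run: both instances start with [42, 7]; after the swap only
// instance a reads [7, 7] while b still reads [42, 7].
const { a, b } = instantiateTwice(compileModule());
console.log(tableResults(a), tableResults(b));
console.log(swapFirstEntry(a), tableResults(b));
```

The point the example makes is the one the commit message relies on: per-instance state (here the table) is rebuilt from the module's segments at each instantiation, so anything cached alongside shared compiled code about table exports has to be reset before the second instance reuses that code.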

Labels: -Restrict-View-SecurityTeam
Status: Fixed (was: Started)
Project Member Comment 6 by ClusterFuzz, May 30 2017

ClusterFuzz has detected this issue as fixed in range 45558:45559.

Detailed report: https://clusterfuzz.com/testcase?key=5533530657652736

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  deopt_data->get(this_idx)->IsUndefined(isolate) in wasm-module.cc
  InstantiationHelper::LoadTableSegments
  InstantiationHelper::Build
  
Sanitizer: address (ASAN)

Regressed: V8: 43969:43970
Fixed: V8: 45558:45559

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5533530657652736


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: mstarzinger@chromium.org
Issue 715210 has been merged into this issue.
