Issue metadata
Sign in to add a comment
|
Security: Crash in WTF::ArrayBufferContents::FreeMemory()
Reported by
chromium...@gmail.com,
Jun 6 2017
|
|||||||||||||||||||||||||
Issue descriptionVERSION Chrome Version: 61.0.3122.0 (Developer Build) (64-bit) Operating System: All 1. Enable #enable-webassembly 2. Open index.html Received signal 11 SEGV_MAPERR 39fbed80103c #0 0x5555577de687 base::debug::StackTrace::StackTrace() #1 0x5555577de1ff base::debug::(anonymous namespace)::StackDumpSignalHandler() #2 0x7ffff7bcb390 <unknown> #3 0x55555a73ae5e WTF::ArrayBufferContents::FreeMemory() #4 0x55555a73a9f6 WTF::ArrayBufferContents::~ArrayBufferContents() #5 0x55555aa6e107 blink::DOMArrayBuffer::~DOMArrayBuffer() #6 0x55555739feb2 blink::NormalPage::Sweep() #7 0x55555739de49 blink::BaseArena::CompleteSweep() #8 0x5555573a31d6 blink::ThreadState::CompleteSweep() #9 0x5555573a39d9 blink::ThreadState::CollectGarbage() #10 0x55555a77144d blink::V8GCController::GcEpilogue() #11 0x555556f22e41 v8::internal::Heap::PerformGarbageCollection() #12 0x555556f21a1f v8::internal::Heap::CollectGarbage() #13 0x555556f21db1 v8::internal::Heap::ReportExternalMemoryPressure() #14 0x55555720f8a9 v8::internal::wasm::NewArrayBuffer() #15 0x555557221c85 v8::internal::WasmMemoryObject::Grow() #16 0x555557208faa v8::(anonymous namespace)::WebAssemblyMemoryGrow() #17 0x555556ba70ba v8::internal::FunctionCallbackArguments::Call() #18 0x555556c26516 v8::internal::(anonymous namespace)::HandleApiCallHelper<>() #19 0x555556c25a3f v8::internal::Builtin_Impl_HandleApiCall() #20 0x1cccae3046fd <unknown> r8: 0000000000000002 r9: 00007fffffff9f98 r10: 000000000002175e r11: 000ddc1c8652a933 r12: 0000096b61050108 r13: 000039fbed801020 r14: 000039fbed804000 r15: 000005515909f000 di: 000039fbed804000 si: 0000000000000001 bp: 0000055159085b70 bx: 0000096b610601b0 dx: 00000000616fb9b9 ax: 000039fbed800000 cx: 0000000000000020 sp: 00007fffffff9d70 ip: 000055555a73ae5e efl: 0000000000010202 cgf: 002b000000000033 erf: 0000000000000004 trp: 000000000000000e msk: 0000000000000000 cr2: 000039fbed80103c
,
Jun 6 2017
crash/746c4051f0000000
,
Jun 6 2017
ASan windows build output:
==3436==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x1c521800 in thread T0
#0 0x3da30a (C:\Users\admin\Desktop\asan-win32-release-477152\chrome.exe+0x75a30a)
#1 0x5c3c6311 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x1a7b6311)
#2 0x5c3c623d (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x1a7b623d)
#3 0x589a9188 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x16d99188)
#4 0x5c48e6b8 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x1a87e6b8)
#5 0x5efcd271 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x1d3bd271)
#6 0x54a99a58 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x12e89a58)
#7 0x54aa1f51 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x12e91f51)
#8 0x54a9b735 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x12e8b735)
#9 0x54a9bfbf (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x12e8bfbf)
#10 0x54aa9a60 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x12e99a60)
#11 0x54ab49f0 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x12ea49f0)
#12 0x54aaac2b (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x12e9ac2b)
#13 0x5c4d1cd4 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x1a8c1cd4)
#14 0x537898ed (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x11b798ed)
#15 0x5378eeb0 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x11b7eeb0)
#16 0x5378a991 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x11b7a991)
#17 0x5378c205 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x11b7c205)
#18 0x537a17a7 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x11b917a7)
#19 0x537a153b (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x11b9153b)
#20 0x53cefaa8 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x120dfaa8)
#21 0x54548a8a (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x12938a8a)
#22 0x5459947e (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x1298947e)
#23 0x54598360 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x12988360)
#24 0x54528b38 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x12918b38)
#25 0x527d01d5 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x10bc01d5)
#26 0x52a2b6d2 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x10e1b6d2)
#27 0x52a283e1 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x10e183e1)
#28 0x52a27841 (C:\Users\admin\Desktop\asan-win32-release-477152\chrome_child.dll+0x10e17841)
Address 0x1c521800 is a wild pointer.
SUMMARY: AddressSanitizer: bad-free (C:\Users\admin\Desktop\asan-win32-release-477152\chrome.exe+0x75a30a)
==3436==ABORTING
,
Jun 6 2017
,
Jun 6 2017
I've seen crashes like this recently when V8 and Blink disagree on whether an array buffer had guard regions. That said, guard regions are only used when the Wasm trap handler is enabled, which it is not yet by default and it is not even implemented at all on Windows yet. I will see if I can get a repro.
,
Jun 7 2017
There is no need to enable #enable-webassembly, I can repro this without it.
,
Jun 8 2017
Any updates?
,
Jun 8 2017
I'm able to repro the bug on Windows and also on Linux. On Windows we get a crash, even without asan enabled. On Linux it crashes only with asan. bradnelson@ is looking at another crash involving the same .wasm binary, which is probably related. I'm still not sure of the root cause, but I will be looking into it in more depth today.
,
Jun 8 2017
,
Jun 8 2017
This bug seems related to https://bugs.chromium.org/p/chromium/issues/detail?id=731046 and https://bugs.chromium.org/p/chromium/issues/detail?id=729768
,
Jun 8 2017
,
Jun 9 2017
After talking with gdeepti@ about this today, my best guess is that when GrowMemory happens, we somehow end up with two ArrayBuffers pointing to the same backing store. When the GC goes to clean up the old one, it ends up freeing the backing store, which causes problems because the new ArrayBuffer still points to the old backing store. This would eventually lead to crashes and double frees similar to this one. I've been trying to produce a smaller test case to test this theory, but so far haven't been able to. It seems like there are a few cases where detaching or neutering ArrayBuffers is not quite working as intended, which I expect could also cause crashes like this. In particular, the TODO linked below seems like it could be relevant: https://cs.chromium.org/chromium/src/v8/src/builtins/builtins-typedarray-gen.cc?l=434&rcl=ad03fc48a4772d109cd6705ecb2bbe00f19d5819 Peter, could you take a look too? Any chance the fact we can create a typed array from a detached buffer could be causing problems?
,
Jun 9 2017
,
Jun 10 2017
We've figured out the problem and will have a fix out for review shortly.
,
Jun 11 2017
Users experienced this crash on the following builds: Linux Dev 60.0.3112.20 - 1.46 CPM, 3 reports, 1 clients (signature blink::DOMArrayBufferBase::~DOMArrayBufferBase) If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
,
Jun 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/51acfb044f58b88f1eae6d43278698ebbfaee09f commit 51acfb044f58b88f1eae6d43278698ebbfaee09f Author: Eric Holk <eholk@chromium.org> Date: Tue Jun 13 01:14:55 2017 [wasm] Do not free externalized buffers when detaching Once a buffer has been externalized, V8 is no longer responsible for managing the memory. The fact that V8 was freeing was leading to double free errors once Blink's GC got around to freeing the buffer too. Bug: chromium:730171 , chromium:731046 Change-Id: Ib18a7e37cafd51bce0c5a983d5cf8f3e64eb2c13 Reviewed-on: https://chromium-review.googlesource.com/530132 Commit-Queue: Brad Nelson <bradnelson@chromium.org> Reviewed-by: Brad Nelson <bradnelson@chromium.org> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> Cr-Commit-Position: refs/heads/master@{#45882} [modify] https://crrev.com/51acfb044f58b88f1eae6d43278698ebbfaee09f/src/wasm/wasm-module.cc [modify] https://crrev.com/51acfb044f58b88f1eae6d43278698ebbfaee09f/test/cctest/wasm/test-run-wasm-module.cc
,
Jun 13 2017
We should merge this to M60 (as it contains the CL that prompted this).
,
Jun 13 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 14 2017
This bug requires manual review: M60 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 14 2017
,
Jun 14 2017
+awhalley@ for review.
,
Jun 16 2017
Security bug - approving for M60.
,
Jun 20 2017
,
Jun 20 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 21 2017
,
Jun 26 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/8180be6eec5103e82ddb22e5bbe31adbb334dfbe commit 8180be6eec5103e82ddb22e5bbe31adbb334dfbe Author: Deepti Gandluri <gdeepti@google.com> Date: Tue Jun 27 17:44:55 2017 Merged: [wasm] Do not free externalized buffers when detaching Revision: 51acfb044f58b88f1eae6d43278698ebbfaee09f BUG= chromium:730171 ,chromium:731046 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=bradnelson@chromium.org Change-Id: I290637e9861c96f7e6bbe9db76c21a592dadd91e Reviewed-on: https://chromium-review.googlesource.com/549496 Commit-Queue: Brad Nelson <bradnelson@chromium.org> Reviewed-by: Brad Nelson <bradnelson@chromium.org> Cr-Commit-Position: refs/branch-heads/6.0@{#45} Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1} Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439} [modify] https://crrev.com/8180be6eec5103e82ddb22e5bbe31adbb334dfbe/src/wasm/wasm-module.cc [modify] https://crrev.com/8180be6eec5103e82ddb22e5bbe31adbb334dfbe/test/cctest/wasm/test-run-wasm-module.cc
,
Jun 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/bf8fc017b43a7ade1463f647851d13422d2a737e commit bf8fc017b43a7ade1463f647851d13422d2a737e Author: Michael Achenbach <machenbach@chromium.org> Date: Wed Jun 28 06:52:11 2017 Revert "Merged: [wasm] Do not free externalized buffers when detaching" This reverts commit 8180be6eec5103e82ddb22e5bbe31adbb334dfbe. Reason for revert: Breaks compilation on beta: https://build.chromium.org/p/client.v8.branches/builders/V8%20Linux%20-%20beta%20branch/builds/587 Original change's description: > Merged: [wasm] Do not free externalized buffers when detaching > > Revision: 51acfb044f58b88f1eae6d43278698ebbfaee09f > > BUG= chromium:730171 ,chromium:731046 > LOG=N > NOTRY=true > NOPRESUBMIT=true > NOTREECHECKS=true > R=bradnelson@chromium.org > > Change-Id: I290637e9861c96f7e6bbe9db76c21a592dadd91e > Reviewed-on: https://chromium-review.googlesource.com/549496 > Commit-Queue: Brad Nelson <bradnelson@chromium.org> > Reviewed-by: Brad Nelson <bradnelson@chromium.org> > Cr-Commit-Position: refs/branch-heads/6.0@{#45} > Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1} > Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439} TBR=bradnelson@chromium.org,gdeepti@chromium.org Change-Id: I4cebe11da241dfef4f3c4e950bbb4e55a52c09cf No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:730171 , chromium:731046 Reviewed-on: https://chromium-review.googlesource.com/551737 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/branch-heads/6.0@{#47} Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1} Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439} [modify] https://crrev.com/bf8fc017b43a7ade1463f647851d13422d2a737e/src/wasm/wasm-module.cc [modify] https://crrev.com/bf8fc017b43a7ade1463f647851d13422d2a737e/test/cctest/wasm/test-run-wasm-module.cc
,
Jun 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/bf8fc017b43a7ade1463f647851d13422d2a737e commit bf8fc017b43a7ade1463f647851d13422d2a737e Author: Michael Achenbach <machenbach@chromium.org> Date: Wed Jun 28 06:52:11 2017 Revert "Merged: [wasm] Do not free externalized buffers when detaching" This reverts commit 8180be6eec5103e82ddb22e5bbe31adbb334dfbe. Reason for revert: Breaks compilation on beta: https://build.chromium.org/p/client.v8.branches/builders/V8%20Linux%20-%20beta%20branch/builds/587 Original change's description: > Merged: [wasm] Do not free externalized buffers when detaching > > Revision: 51acfb044f58b88f1eae6d43278698ebbfaee09f > > BUG= chromium:730171 ,chromium:731046 > LOG=N > NOTRY=true > NOPRESUBMIT=true > NOTREECHECKS=true > R=bradnelson@chromium.org > > Change-Id: I290637e9861c96f7e6bbe9db76c21a592dadd91e > Reviewed-on: https://chromium-review.googlesource.com/549496 > Commit-Queue: Brad Nelson <bradnelson@chromium.org> > Reviewed-by: Brad Nelson <bradnelson@chromium.org> > Cr-Commit-Position: refs/branch-heads/6.0@{#45} > Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1} > Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439} TBR=bradnelson@chromium.org,gdeepti@chromium.org Change-Id: I4cebe11da241dfef4f3c4e950bbb4e55a52c09cf No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:730171 , chromium:731046 Reviewed-on: https://chromium-review.googlesource.com/551737 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/branch-heads/6.0@{#47} Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1} Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439} [modify] https://crrev.com/bf8fc017b43a7ade1463f647851d13422d2a737e/src/wasm/wasm-module.cc [modify] https://crrev.com/bf8fc017b43a7ade1463f647851d13422d2a737e/test/cctest/wasm/test-run-wasm-module.cc
,
Jul 10 2017
Please merge this to M60 ASAP. branch:3112
,
Jul 10 2017
,
Jul 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/09ea96cc0e2e58ea843533375b6afd36e952f3e2 commit 09ea96cc0e2e58ea843533375b6afd36e952f3e2 Author: Eric Holk <eholk@chromium.org> Date: Thu Jul 13 18:36:28 2017 Merged: [wasm] Do not free externalized buffers when detaching Revision: 51acfb044f58b88f1eae6d43278698ebbfaee09f BUG= chromium:730171 ,chromium:731046 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=mtrofin@chromium.org Change-Id: Ie63246236b6edb1f70564be9e96891060d31fafc Reviewed-on: https://chromium-review.googlesource.com/570673 Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Commit-Queue: Eric Holk <eholk@chromium.org> Cr-Commit-Position: refs/branch-heads/6.0@{#71} Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1} Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439} [modify] https://crrev.com/09ea96cc0e2e58ea843533375b6afd36e952f3e2/src/wasm/wasm-module.cc [modify] https://crrev.com/09ea96cc0e2e58ea843533375b6afd36e952f3e2/test/cctest/wasm/test-run-wasm-module.cc
,
Jul 18 2017
,
Jul 26 2017
,
Sep 19 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||||||||||||
Comment 1 by chromium...@gmail.com
, Jun 6 2017