New issue
Advanced search Search tips

Issue 732169 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Ill in v8::internal::TranslatedState::MaterializeCapturedObjectAt

Project Member Reported by ClusterFuzz, Jun 11 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5858264175869952

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7ff6a46242e8
Crash State:
  v8::internal::TranslatedState::MaterializeCapturedObjectAt
  v8::internal::TranslatedState::MaterializeAt
  MaterializeObjectAt
  
Sanitizer: address (ASAN)

Regressed: V8: 45514:45515

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5858264175869952


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: neis@chromium.org adamk@chromium.org jgruber@chromium.org
Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)
Reproduces and bisects to a957b0f42468d632b09574e3d6719c704eebbfea.
 Issue 732156  has been merged into this issue.
Cc: mstarzinger@chromium.org
Underlying reason is missing materialization of escape analysed JS_GENERATOR_OBJECT_TYPE instance type objects. Jaro is OOO today, I might take a look. The following is a reduced repro ...

function* f([x]) {}
%OptimizeFunctionOnNextCall(f);
f();
Components: -Blink>JavaScript Blink>JavaScript>Compiler

Comment 5 by jarin@chromium.org, Jun 12 2017

Status: Started (was: Assigned)
Project Member

Comment 6 by bugdroid1@chromium.org, Jun 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f555a6922dd1b425ed845370cd01428b3ba46f93

commit f555a6922dd1b425ed845370cd01428b3ba46f93
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Jun 12 11:30:22 2017

[deoptimizer] Add support for materializing Generator objects.

This adds support for materializing objects of {JSGeneratorObject} type
during deoptimization. Cases where soft-deopts remove any escaping use
of the implicit generator object can cause it to be escape analyzed.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-732169
BUG= chromium:732169 

Change-Id: I2ec10b2a509a4f37a456a8ca2fd74b8de2fb55be
Reviewed-on: https://chromium-review.googlesource.com/530847
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45849}
[modify] https://crrev.com/f555a6922dd1b425ed845370cd01428b3ba46f93/src/deoptimizer.cc
[add] https://crrev.com/f555a6922dd1b425ed845370cd01428b3ba46f93/test/mjsunit/regress/regress-crbug-732169.js

Project Member

Comment 7 by sheriffbot@chromium.org, Jun 12 2017

Labels: M-61
Project Member

Comment 8 by sheriffbot@chromium.org, Jun 12 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 9 by sheriffbot@chromium.org, Jun 12 2017

Labels: Pri-1
Project Member

Comment 10 by ClusterFuzz, Jun 12 2017

Detailed report: https://clusterfuzz.com/testcase?key=6387498266918912

Fuzzer: inferno_js_fuzzer_c
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Fatal error
Crash Address: 
Crash State:
  
  v8::platform::PrintStackTrace
  v8::internal::TranslatedState::MaterializeCapturedObjectAt
  v8::internal::TranslatedState::MaterializeAt
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6387498266918912


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 11 by ClusterFuzz, Jun 12 2017

Labels: OS-Windows
Project Member

Comment 12 by bugdroid1@chromium.org, Jun 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b17dee636f5137713bec30972d5653dcec6873b8

commit b17dee636f5137713bec30972d5653dcec6873b8
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Jun 12 16:27:10 2017

[deoptimizer] Handle Generator object in-object properties.

This adds missing support for in-object properties within objects having
the {JSGeneratorObject} type to materialization during deoptimization.
For corner-cases where the implicit generator object is statically known
not to escape, object layout might still be arbitrarily complex.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-732169
BUG= chromium:732169 , v8:6481 

Change-Id: I32f373913d60af64981dc4ed66873cc8a1dbe872
Reviewed-on: https://chromium-review.googlesource.com/530230
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45870}
[modify] https://crrev.com/b17dee636f5137713bec30972d5653dcec6873b8/src/deoptimizer.cc
[modify] https://crrev.com/b17dee636f5137713bec30972d5653dcec6873b8/test/mjsunit/regress/regress-crbug-732169.js

Comment 13 by jarin@chromium.org, Jun 13 2017

Cc: lushnikov@chromium.org
Project Member

Comment 14 by ClusterFuzz, Jun 13 2017

ClusterFuzz has detected this issue as fixed in range 45848:45849.

Detailed report: https://clusterfuzz.com/testcase?key=5858264175869952

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7ff6a46242e8
Crash State:
  v8::internal::TranslatedState::MaterializeCapturedObjectAt
  v8::internal::TranslatedState::MaterializeAt
  MaterializeObjectAt
  
Sanitizer: address (ASAN)

Regressed: V8: 45514:45515
Fixed: V8: 45848:45849

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5858264175869952


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Started)
Project Member

Comment 16 by sheriffbot@chromium.org, Jun 13 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta
Project Member

Comment 18 by sheriffbot@chromium.org, Sep 19 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment