Detailed report: https://clusterfuzz.com/testcase?key=4624130724069376
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Function::Call
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=478152:478270
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4624130724069376
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
No V8 roll in the regression range, most likely not a V8 issue. Regression range still pretty big.
Using Code Search for the file "execution.cc", assigning to the concerned owner from Git Blame. Suspecting commit https://chromium.googlesource.com/v8/v8.git/+/0389df514d48c6394f606bf4e5b9b0b0cb134d1b. @jochen -- Could you please look into the issue, and kindly re-assign if this is not related to your changes. Thank you.
might be module related
Adding script component (as it is actually also used to track module scripts work)
Confirmed that this stops crashing if I revert https://chromium.googlesource.com/chromium/src/+/505cc74298100f7f54cfb8d95ce6cebfc92635c7, assigning to kouhei
This is a GC issue.
- V8 objects attached to non-inline module scripts are kept alive via the module map. See graph in https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/dom/ModuleScript.h?type=cs&q=TraceWrapperV8Reference+ModuleMap&l=134
- Inline module scripts are not registered in the module map.
We need to either
- create hidden entries for inline module scripts in the module map, or
  -- (We will need it for supporting "js:context" anyway)
- do TraceWrapper visiting from ScriptRunner refs too.
I'll work on a fix tomorrow.
Thanks! By the way, what is "js:context"?
The latest consensus may not be "js:context". Some magic module specifier to the <script> element in the html doc: https://github.com/whatwg/html/issues/1013
I tried TraceWrapper-ing ScriptRunner refs but this seems too complicated. I'll create hidden entries on module map instead.
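The root cause described in the comments above (a V8 object reachable only through an object that is not on any TraceWrapper path gets collected, and the later call dereferences a cleared handle) can be shown with a small mark-phase model. This is an added toy example, not Chromium code; the node names mirror the thread but the graph, the root set and the `with_fix` edge (standing in for the ScriptLoader trace path added in the fix) are constructed assumptions.

```cpp
// Added toy model of Blink wrapper tracing for this bug; it is not Chromium
// code. Node names mirror the thread (Modulator, ModuleMap, ScriptLoader,
// ModuleScript); the graph and root set are constructed for illustration.
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>
using Graph = std::map<std::string, std::vector<std::string>>;

// Mark phase: a V8 object survives only if a chain of *traced* edges reaches it
// from a root. A plain C++ pointer that is not traced is invisible to the GC.
std::set<std::string> MarkLive(const Graph& traced,
                               const std::vector<std::string>& roots) {
  std::set<std::string> live;
  std::vector<std::string> work(roots.begin(), roots.end());
  while (!work.empty()) {
    std::string node = work.back();
    work.pop_back();
    if (!live.insert(node).second) continue;  // already marked
    auto it = traced.find(node);
    if (it == traced.end()) continue;
    for (const auto& child : it->second) work.push_back(child);
  }
  return live;
}

// Traced edges as described in the thread: non-inline module scripts are kept
// alive via Modulator -> ModuleMap, inline ones are not in the map. `with_fix`
// models the ScriptLoader -> ModuleScript trace path introduced by the fix.
Graph BuildGraph(bool with_fix) {
  Graph g;
  g["LocalDOMWindow"] = {"Modulator"};
  g["Modulator"] = {"ModuleMap"};
  g["ModuleMap"] = {"ExternalModuleScript"};
  g["ExternalModuleScript"] = {"v8::Module(external)"};
  g["InlineModuleScript"] = {"v8::Module(inline)"};
  if (with_fix) g["ScriptLoader"] = {"InlineModuleScript"};
  return g;
}

// True if the named V8 object is still reachable after a GC cycle.
bool SurvivesGC(const std::string& v8_object, bool with_fix) {
  std::set<std::string> live =
      MarkLive(BuildGraph(with_fix), {"LocalDOMWindow", "ScriptLoader"});
  return live.count(v8_object) > 0;
}

int main() {
  // Before the fix the inline module's v8::Module is collected; the external one
  // survives either way because the ModuleMap path traces it.
  std::printf("inline survives: before=%d after=%d\n",
              SurvivesGC("v8::Module(inline)", false),
              SurvivesGC("v8::Module(inline)", true));
}
```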
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/78634df3327f642c0334519ff4f1bf290712146b

commit 78634df3327f642c0334519ff4f1bf290712146b
Author: Kouhei Ueno <kouhei@chromium.org>
Date: Mon Jun 26 02:37:49 2017

TraceWrapper Modulator from LocalDOMWindow/WorkletGlobalScope

Modulator, which is a V8PerContextData::Data, is referencing V8 objects such as v8::Module or instantiation errors. However, it is not TraceWrapper-ed from anywhere, as V8PerContextData is not TraceWrapperBase.

This CL works around the issue by referencing Modulator from LocalDOMWindow/WorkletGlobalScope, which are TraceWrapperBase.

Bug: 732270
Change-Id: I42ea384d85fed2f477ff1d39ce40e13b3230fb73
Reviewed-on: https://chromium-review.googlesource.com/544751
Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#482186}

[modify] https://crrev.com/78634df3327f642c0334519ff4f1bf290712146b/third_party/WebKit/Source/core/dom/Modulator.cpp
[modify] https://crrev.com/78634df3327f642c0334519ff4f1bf290712146b/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
[modify] https://crrev.com/78634df3327f642c0334519ff4f1bf290712146b/third_party/WebKit/Source/core/frame/LocalDOMWindow.h
[modify] https://crrev.com/78634df3327f642c0334519ff4f1bf290712146b/third_party/WebKit/Source/core/workers/WorkletGlobalScope.cpp
[modify] https://crrev.com/78634df3327f642c0334519ff4f1bf290712146b/third_party/WebKit/Source/core/workers/WorkletGlobalScope.h
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/73bb506d40e7618c72d23bb949fc37928ea68f21

commit 73bb506d40e7618c72d23bb949fc37928ea68f21
Author: Kouhei Ueno <kouhei@chromium.org>
Date: Mon Jun 26 08:04:24 2017

[ES6 modules] TraceWrapper from ScriptLoader and ModuleTreeLinkerRegistry

Before this CL, TraceWrapperV8References on ModuleScript were relying on trace from Modulator->ModuleMap. However, this is insufficient, as inline module scripts would not have an entry on module map.

This CL fixes the issue by introducing wrapper tracing to ScriptLoader and ModuleTreeLinkerRegistry->ModuleTreeLinker object graphs.

Bug: 594639, 725816, 732270
Change-Id: Id4672f3daee90ae007c1ce0c9ea3608b246b129e
Reviewed-on: https://chromium-review.googlesource.com/547157
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#482212}

[add] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/LayoutTests/fast/dom/script-module-inline-error-gc-expected.txt
[add] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/LayoutTests/fast/dom/script-module-inline-error-gc.html
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/bindings/core/v8/ScriptStreamerTest.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/MockScriptElementBase.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/Modulator.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/ModulatorImpl.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/ModulatorImpl.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/ModuleMapTest.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/ModulePendingScript.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/ModulePendingScript.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/ModuleScript.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/ModuleScript.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/PendingScript.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/ScriptElementBase.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/ScriptElementBase.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/dom/ScriptLoader.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/html/HTMLScriptElement.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/html/HTMLScriptElement.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/html/parser/HTMLParserScriptRunner.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/loader/modulescript/ModuleTreeLinker.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/loader/modulescript/ModuleTreeLinker.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/loader/modulescript/ModuleTreeLinkerRegistry.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/loader/modulescript/ModuleTreeLinkerRegistry.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/loader/modulescript/ModuleTreeLinkerTest.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/svg/SVGScriptElement.cpp
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/svg/SVGScriptElement.h
[modify] https://crrev.com/73bb506d40e7618c72d23bb949fc37928ea68f21/third_party/WebKit/Source/core/workers/WorkletModuleTreeClient.h
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b4ef7c0fece5fdbf8d51f4a6865056a1b03298c8

commit b4ef7c0fece5fdbf8d51f4a6865056a1b03298c8
Author: Kouhei Ueno <kouhei@chromium.org>
Date: Mon Jun 26 10:57:30 2017

[ES6 modules] Document ModuleScript TraceWrapper paths

Bug: 594639, 725816, 732270
Change-Id: I7b83a77beb3806d53adb1e15baa184646a61a4f6
Reviewed-on: https://chromium-review.googlesource.com/547380
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#482235}

[modify] https://crrev.com/b4ef7c0fece5fdbf8d51f4a6865056a1b03298c8/third_party/WebKit/Source/core/dom/ModuleScript.h
ClusterFuzz has detected this issue as fixed in range 482161:482264.

Detailed report: https://clusterfuzz.com/testcase?key=4624130724069376
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Function::Call
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=478152:478270
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=482161:482264
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4624130724069376
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
ClusterFuzz testcase 4624130724069376 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/52965d2d823717cd3d4feb67d424138c767c510a

commit 52965d2d823717cd3d4feb67d424138c767c510a
Author: Kouhei Ueno <kouhei@chromium.org>
Date: Tue Jul 04 06:53:30 2017

[ES6 modules] TraceWrapper ModuleScript via HTMLParserScriptRunner

This CL adds another TraceWrapper path to ModuleScript to cover the case where:
- Module script is an inline script
- <script> element for the inline script is removed at the time of execution

Bug: 594639, 725816, 732270, 737086
Change-Id: I5e8d00df55ae992f272aaac1b8890c120a32f3be
Reviewed-on: https://chromium-review.googlesource.com/558536
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#484060}

[modify] https://crrev.com/52965d2d823717cd3d4feb67d424138c767c510a/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/52965d2d823717cd3d4feb67d424138c767c510a/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/52965d2d823717cd3d4feb67d424138c767c510a/third_party/WebKit/Source/core/dom/DocumentParser.h
[modify] https://crrev.com/52965d2d823717cd3d4feb67d424138c767c510a/third_party/WebKit/Source/core/dom/ModuleScript.h
[modify] https://crrev.com/52965d2d823717cd3d4feb67d424138c767c510a/third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp
[modify] https://crrev.com/52965d2d823717cd3d4feb67d424138c767c510a/third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.h
[modify] https://crrev.com/52965d2d823717cd3d4feb67d424138c767c510a/third_party/WebKit/Source/core/html/parser/HTMLParserScriptRunner.cpp
[modify] https://crrev.com/52965d2d823717cd3d4feb67d424138c767c510a/third_party/WebKit/Source/core/html/parser/HTMLParserScriptRunner.h
Comment 1 by msrchandra@chromium.org, Jun 12 2017
Labels: Test-Predator-Wrong-CLs M-61