New issue
Advanced search Search tips

Issue 734409 link

Starred by 1 user

Issue metadata

Status: Verified
Owner: ----
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Direct-leak in uprv_malloc_59

Project Member Reported by ClusterFuzz, Jun 18 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6195500780093440

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Indirect-leak
Crash Address: 
Crash State:
  uprv_malloc_59
  icu_59::UMemory::operator new
  icu_59::CollationSettings* icu_59::SharedObject::copyOnWrite<icu_59::CollationSe
  
Sanitizer: address (ASAN)

Regressed: V8: 44058:44059

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6195500780093440


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: ishell@chromium.org
Status: Assigned (was: Untriaged)
Project Member

Comment 2 by ClusterFuzz, Jul 3 2017

Summary: Direct-leak in uprv_malloc_59 (was: Indirect-leak in uprv_malloc_59)
Detailed report: https://clusterfuzz.com/testcase?key=6633839865888768

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  uprv_malloc_59
  icu_59::UMemory::operator new
  v8::internal::CreateICUDateFormat
  
Sanitizer: address (ASAN)

Regressed: V8: 44058:44059

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6633839865888768


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Cc: ahaas@chromium.org
Owner: clemensh@chromium.org
CF points to b8f8860161649a8b6c5bc43a7e8926c2626985b5. PTAL.

Cc: clemensh@chromium.org machenb...@chromium.org
Owner: ----
Status: Available (was: Assigned)
The testcase minimizer did a really bad job here.
Reproducer:
  new Intl.Collator();

Does not reproduce with --invoke-weak-callbacks.

Looks similar to  crbug.com/729853 .

CC'ing machenbach, as I think that marking all such bugs as WontFix is not a scalable solution ;)
Hum, but the original stack trace that's referenced gets --invoke-weak-callbacks passed, not?
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Oh, right.
I tried again, and it reproduces either without any args, or with "--invoke-weak-callbacks --wasm-interpret-all".

Weird, I will have to dig deeper...
Cc: u...@chromium.org
Don't really know how to approach this.
It seems like --wasm-interpret-all somehow prevents the ICU object from being collected.

--wasm-interpret-all creates a Managed object for the C++ interpreter, but also without this option, one Managed object is created for each wasm instance. So that should not really make a difference.

+Ulan
Did you see something like this before? Any idea what could be going on here?
Project Member

Comment 8 by ClusterFuzz, Jul 15 2017

ClusterFuzz has detected this issue as fixed in range 46678:46679.

Detailed report: https://clusterfuzz.com/testcase?key=6195500780093440

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Indirect-leak
Crash Address: 
Crash State:
  uprv_malloc_59
  icu_59::UMemory::operator new
  icu_59::CollationSettings* icu_59::SharedObject::copyOnWrite<icu_59::CollationSe
  
Sanitizer: address (ASAN)

Regressed: V8: 44058:44059
Fixed: V8: 46678:46679

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6195500780093440


See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Jul 15 2017

ClusterFuzz has detected this issue as fixed in range 46678:46679.

Detailed report: https://clusterfuzz.com/testcase?key=6633839865888768

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  uprv_malloc_59
  icu_59::UMemory::operator new
  v8::internal::CreateICUDateFormat
  
Sanitizer: address (ASAN)

Regressed: V8: 44058:44059
Fixed: V8: 46678:46679

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6633839865888768


See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Jul 15 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 6195500780093440 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment