CHECK failure: !isolate->has_scheduled_exception() in builtins-console.cc
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6190043378221056
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isolate->has_scheduled_exception() in builtins-console.cc
  v8::internal::ConsoleCall
  Builtin_Impl_ConsoleLog
Sanitizer: address (ASAN)
Regressed: V8: 44879:44880
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6190043378221056
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 24 2017
Jun 24 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 24 2017
Jun 26 2017
CF points to 87b5b53f6f3321ad33b15e686590da7b57df2ff9.
Jul 4 2017
Detailed report: https://clusterfuzz.com/testcase?key=5068815053619200
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isolate->has_scheduled_exception() in builtins-console.cc
Sanitizer: address (ASAN)
Regressed: V8: 44879:44880
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5068815053619200
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 10 2017
Jul 10 2017
yangguo: Uh oh! This issue still open and hasn't been updated in the last 16 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 10 2017
I don't think this is a serious issue or a blocker. It's most likely just in the console.log implementation in d8, which is not shipped as part of Chrome. I'll have a look soon (just returned from 10 weeks of leave today).
Jul 10 2017
This issue is an inspector issue. V8ValueStringBuilder [1] can produce a recursion which triggers a StackOverflow, and the check fires. I'll take a look in the next days. [1] https://cs.chromium.org/chromium/src/v8/src/inspector/v8-console-message.cc?rcl=74cef60193dd753be696e7d839ed00fa07672a35&l=66
Jul 11 2017
Oops, it was not the same as another issue which I fixed in a separate issue.
I minified the repro:
w = new Worker('postMessage()');                               // d8 worker whose script is just postMessage()
val = [undefined];
Object.defineProperty(val, '0', { get: () => console.log() }); // getter runs when val[0] is read during serialization
w.postMessage(val, [val]);                                     // val is an Array, not an ArrayBuffer, so the transfer list is invalid
... and figured out that the exception is not related to the console and that isolate->has_scheduled_exception() is already true at the first line of ConsoleCall. I think the issue is somewhere in Shell::WorkerPostMessage.
Jul 31 2017
Can confirm. The issue is that w.postMessage leaves an exception on the isolate.
Aug 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/adc4704ce9b94ce076e36a6367dfb3717ca04e9c

commit adc4704ce9b94ce076e36a6367dfb3717ca04e9c
Author: Ben Smith <binji@chromium.org>
Date: Thu Aug 03 17:56:03 2017

[d8] Fix PrepareTransfer call w/ non-ArrayBuffer

Make sure to fail PrepareTransfer when the transferables array contains a non-ArrayBuffer, otherwise the function leaks a scheduled_exception.

Bug: chromium:736565
Change-Id: I64c2e09eb92720519c7bda2dca41749ff5ac9c8d
Reviewed-on: https://chromium-review.googlesource.com/599357
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47141}

[modify] https://crrev.com/adc4704ce9b94ce076e36a6367dfb3717ca04e9c/src/d8.cc
[modify] https://crrev.com/adc4704ce9b94ce076e36a6367dfb3717ca04e9c/test/mjsunit/d8-worker.js
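The failure mode the commit above describes, as an added example that is not d8's or V8's code: a mock isolate stands in for V8's scheduled-exception state, and the leaky and fixed shapes of PrepareTransfer are run under a model of WorkerPostMessage in which serialization triggers the repro's console.log getter (all names below are stand-ins, not the real API).

```cpp
#include <vector>

// Model of the parts of a V8 isolate this bug touches (a stand-in, not the V8 API):
// Throw() only *schedules* an exception; nothing unwinds until the caller bails out.
struct MockIsolate {
  bool scheduled = false;
  void Throw() { scheduled = true; }
  bool has_scheduled_exception() const { return scheduled; }
};

enum class Kind { ArrayBuffer, Other };

// Stand-in for the console builtin entry: like V8's ConsoleCall it requires that no
// exception is pending. Returns false where real V8 would fail its CHECK and abort.
bool ConsoleCall(const MockIsolate& iso) { return !iso.has_scheduled_exception(); }

// Pre-fix shape of PrepareTransfer: throws on a non-ArrayBuffer entry but still
// reports success, so the caller continues with an exception left on the isolate.
bool PrepareTransferLeaky(MockIsolate& iso, const std::vector<Kind>& transfer) {
  for (Kind k : transfer)
    if (k != Kind::ArrayBuffer) iso.Throw();  // error signalled, but not returned
  return true;
}

// Fixed shape: every Throw() is paired with a failure return so the caller stops.
bool PrepareTransferFixed(MockIsolate& iso, const std::vector<Kind>& transfer) {
  for (Kind k : transfer)
    if (k != Kind::ArrayBuffer) { iso.Throw(); return false; }
  return true;
}

using PrepareFn = bool (*)(MockIsolate&, const std::vector<Kind>&);

// Model of Shell::WorkerPostMessage: prepare the transfer list, then serialize the
// message. Serializing the repro's array runs the user getter, which calls console.log.
// Returns true if the console CHECK holds, false if a leaked exception reaches it.
bool WorkerPostMessage(PrepareFn prepare, const std::vector<Kind>& transfer) {
  MockIsolate iso;
  if (!prepare(iso, transfer)) return true;  // bail out; the exception propagates to JS
  return ConsoleCall(iso);                   // getter side effect during serialization
}
```

The invariant to check when reviewing embedder code of this shape: any path that schedules an exception must also return a failure value, so no further JavaScript runs before the exception is reported.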
Aug 4 2017
ClusterFuzz has detected this issue as fixed in range 47140:47141.
Detailed report: https://clusterfuzz.com/testcase?key=5068815053619200
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isolate->has_scheduled_exception() in builtins-console.cc
Sanitizer: address (ASAN)
Regressed: V8: 44879:44880
Fixed: V8: 47140:47141
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5068815053619200
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 4 2017
ClusterFuzz has detected this issue as fixed in range 47140:47141.
Detailed report: https://clusterfuzz.com/testcase?key=6190043378221056
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isolate->has_scheduled_exception() in builtins-console.cc
  v8::internal::ConsoleCall
  Builtin_Impl_ConsoleLog
Sanitizer: address (ASAN)
Regressed: V8: 44879:44880
Fixed: V8: 47140:47141
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6190043378221056
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 4 2017
ClusterFuzz testcase 4802371120267264 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 4 2017
Aug 16 2017
Aug 16 2017
Aug 16 2017
This bug requires manual review: M61 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 16 2017
+ awhalley@ for M61 merge review
Aug 16 2017
govind@ - Good for 61
Aug 16 2017
Approving merge to M61 branch 3163 based on comment #23. Please merge ASAP. Thank you.
Aug 16 2017
Please merge your change to M61 branch 3163 by 4:00 PM PT tomorrow, Thursday (08/17) so we can take it in for next week's Beta release. Thank you.
Aug 17 2017
I noticed that the fix is a d8-only thing, so we don't have to merge it back. I'm sorry for the noise.
Nov 10 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Jun 24 2017: Status: Assigned (was: Untriaged)