CHECK failure: actual_unused_property_fields > map()->unused_property_fields() in objects-debug
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6211017381249024
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  actual_unused_property_fields > map()->unused_property_fields() in objects-debug
  v8::internal::JSObject::JSObjectVerify
  v8::internal::Object::ObjectVerify
Sanitizer: address (ASAN)
Regressed: V8: 46477:46478
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6211017381249024

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 8 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 8 2017
Jul 9 2017
Jul 10 2017
titzer@chromium.org, your CL is in the regression range. Could you help triage this issue? Please feel free to re-assign. Thanks!
Jul 11 2017
As discussed in person, it appears that when the deoptimizer materializes a JS_ARGUMENTS object, the first object it creates does not verify correctly:
diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index 5ff442588c..78a284699d 100644
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -3658,10 +3658,18 @@ Handle<Object> TranslatedState::MaterializeCapturedObjectAt(
Handle<JSObject> object =
isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED);
slot->value_ = object;
+ JSObject::cast(*object)->JSObjectVerify();
Handle<Object> properties = materializer.FieldAt(value_index);
+ JSObject::cast(*object)->JSObjectVerify();
+ JSObject::cast(*properties)->JSObjectVerify();
Handle<Object> elements = materializer.FieldAt(value_index);
+ JSObject::cast(*object)->JSObjectVerify();
+ JSObject::cast(*properties)->JSObjectVerify();
object->set_properties(FixedArray::cast(*properties));
object->set_elements(FixedArrayBase::cast(*elements));
+ JSObject::cast(*object)->JSObjectVerify();
+ JSObject::cast(*properties)->JSObjectVerify();
+ JSObject::cast(*elements)->JSObjectVerify();
int in_object_properties = map->GetInObjectProperties();
for (int i = 0; i < in_object_properties; ++i) {
Handle<Object> value = materializer.FieldAt(value_index);
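Review bot: the added `JSObject::cast(*properties)->JSObjectVerify()` and `JSObject::cast(*elements)->JSObjectVerify()` lines cast to the wrong type: the unchanged lines right after them treat the same handles as `FixedArray::cast(*properties)` and `FixedArrayBase::cast(*elements)`, so in a debug build the `JSObject::cast` type check trips before any verification of the backing stores happens. Verify them through the untyped entry point instead, e.g. `(*properties)->ObjectVerify();` and `(*elements)->ObjectVerify();`, which dispatch on the actual instance type. The `JSObject::cast(*object)->JSObjectVerify()` calls placed before `set_properties`/`set_elements` also run on a partially materialized object; if this diagnostic is kept, a comment should say which of these verifies are expected to pass at each point.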
Jul 11 2017
A friendly reminder that the M61 branch is coming soon on 07/20! Your bug is labelled as Stable ReleaseBlock; please make sure to land the fix ASAP to trunk. This way we branch M61 from a high quality trunk. Thank you.
Jul 14 2017
ClusterFuzz has detected this issue as fixed in range 46637:46638.

Detailed report: https://clusterfuzz.com/testcase?key=6211017381249024
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  actual_unused_property_fields > map()->unused_property_fields() in objects-debug
  v8::internal::JSObject::JSObjectVerify
  v8::internal::Object::ObjectVerify
Sanitizer: address (ASAN)
Regressed: V8: 46477:46478
Fixed: V8: 46637:46638
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6211017381249024

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 14 2017
ClusterFuzz testcase 6211017381249024 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 14 2017
Jul 26 2017
Sep 6 2017
Issue 761944 has been merged into this issue.
Sep 8 2017
Issue 763028 has been merged into this issue.
Sep 8 2017
We still get reports for this, which then get automatically closed. Seems to be flaky.
Sep 8 2017
mstarzinger: Uh oh! This issue is still open and hasn't been updated in the last 62 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 8 2017
We commit ourselves to a 60-day deadline for fixing high-severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 12 2017
Sep 18 2017
Issue 765924 has been merged into this issue.
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Sep 20 2017
Detailed report: https://clusterfuzz.com/testcase?key=6640687079751680
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  actual_unused_property_fields > map()->unused_property_fields() in objects-debug
  v8::internal::JSObject::JSObjectVerify
  v8::internal::Object::ObjectVerify
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47213:47214
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6640687079751680

See https://github.com/google/clusterfuzz-tools for more information.
Sep 23 2017
mstarzinger: Uh oh! This issue is still open and hasn't been updated in the last 77 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 25 2017
Detailed report: https://clusterfuzz.com/testcase?key=6030371153248256
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  actual_unused_property_fields > map()->unused_property_fields() in objects-debug
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6030371153248256

See https://github.com/google/clusterfuzz-tools for more information.
Sep 29 2017
ClusterFuzz has detected this issue as fixed in range 48202:48203.

Detailed report: https://clusterfuzz.com/testcase?key=6640687079751680
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  actual_unused_property_fields > map()->unused_property_fields() in objects-debug
  v8::internal::JSObject::JSObjectVerify
  v8::internal::Object::ObjectVerify
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47213:47214
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48202:48203
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6640687079751680

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 29 2017
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 18 2017
Nov 3 2017
ishell@, mstarzinger@ -- friendly ping from the security sheriff. If you are not the right owner for this, please help find them. Thanks.
Nov 7 2017
Nov 9 2017
I assume this would in principle apply to all V8 platforms? I'd really like to get this bug nailed down; it's one of our oldest High-severity security bugs at the moment. I'm on a bit of a mission, I'm afraid. :)
Nov 9 2017
I tried to reproduce this locally with ToT d8 and could not. Not sure why clusterfuzz has not marked this as fixed, since it has a fixed field pointing to a CL by Igor. Assigning to Igor to verify.
Nov 9 2017
I think this bug is still there in some form, but it is highly dependent on GC timing. We are constructing an object graph, but while we are constructing it, the objects will not pass the verifier. This is not a security bug, it is just that the verifier is too strict. I am working on a new deoptimizer materialization scheme that should address this problem: https://docs.google.com/document/d/1QNT6RoI3lym9J4kUXJm_sxgEg2hZm0bD5ZLuaMUpPN0/edit
Nov 16 2017
I believe that all the known crashes are fixed. I assume that CF doesn't auto-close the bug, as it's been closing this before (and we still have the 'ClusterFuzz-Verified' label here). jarin@, regarding the doc you've mentioned and the issue with the verifier being too strict, I think we should file a separate bug for that. How does it sound?
Nov 16 2017
We still get this bug reported frequently, see here: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=actual_unused_property_fields%20%3E%20map()-%3Eunused_property_fields()%20in%20objects-debug&sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified However, this seems to be tracked by crbug.com/770106 now.
Feb 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Jul 8 2017