Use-of-uninitialized-value in v8::internal::WasmSharedModuleData::is_asm_js
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6554469105139712
Fuzzer: inferno_js_fuzzer
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::WasmSharedModuleData::is_asm_js
  v8::internal::Isolate::CaptureSimpleStackTrace
  v8::internal::Isolate::CaptureAndSetSimpleStackTrace
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=485247:485257
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6554469105139712

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 14 2017
Sanitizer issue. Regression range inconclusive. The repro even crashes occasionally (roughly one out of ten runs).
Jul 14 2017
Found this bug yesterday evening during manual testing. The same underlying cause is defining a new property on an exported WASM function.
Jul 14 2017
Issue 742657 has been merged into this issue.
Jul 14 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 14 2017
High severity based on other UAF repros.
Jul 18 2017
Issue 744289 has been merged into this issue.
Jul 19 2017
Issue 743992 has been merged into this issue.
Jul 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/57b9a3b142f221aa5454bb6a30361c2caf68a4c5

commit 57b9a3b142f221aa5454bb6a30361c2caf68a4c5
Author: titzer <titzer@chromium.org>
Date: Wed Jul 19 17:06:37 2017

[wasm] Fix user properties for exported wasm functions and add extensive tests.

R=ishell@chromium.org,clemensh@chromium.org
BUG= chromium:742659
Review-Url: https://codereview.chromium.org/2977113002
Cr-Commit-Position: refs/heads/master@{#46772}

[modify] https://crrev.com/57b9a3b142f221aa5454bb6a30361c2caf68a4c5/src/contexts.h
[modify] https://crrev.com/57b9a3b142f221aa5454bb6a30361c2caf68a4c5/src/factory.cc
[modify] https://crrev.com/57b9a3b142f221aa5454bb6a30361c2caf68a4c5/src/heap-symbols.h
[modify] https://crrev.com/57b9a3b142f221aa5454bb6a30361c2caf68a4c5/src/wasm/wasm-js.cc
[modify] https://crrev.com/57b9a3b142f221aa5454bb6a30361c2caf68a4c5/src/wasm/wasm-objects.cc
[modify] https://crrev.com/57b9a3b142f221aa5454bb6a30361c2caf68a4c5/src/wasm/wasm-objects.h
[add] https://crrev.com/57b9a3b142f221aa5454bb6a30361c2caf68a4c5/test/mjsunit/wasm/user-properties.js
Jul 19 2017
This bug requires manual review: We don't branch M61 until 2017-07-20. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 19 2017
Issue 746121 has been merged into this issue.
Jul 19 2017
V8 has already branched, AFAIK. hablich@?
Jul 20 2017
ClusterFuzz has detected this issue as fixed in range 488038:488079.

Detailed report: https://clusterfuzz.com/testcase?key=6554469105139712
Fuzzer: inferno_js_fuzzer
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::WasmSharedModuleData::is_asm_js
  v8::internal::Isolate::CaptureSimpleStackTrace
  v8::internal::Isolate::CaptureAndSetSimpleStackTrace
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=485247:485257
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=488038:488079
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6554469105139712

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 21 2017
hablich@ & awhalley@ for M61 merge review.
Jul 21 2017
Pls merge your change to M61 branch by 5:00 PM PT, Monday (07/24) so we can take it in for next week's M61 dev release. Thank you.
Jul 23 2017
Pls merge your change to M61 branch 3163 by 5:00 PM PT, Monday (07/24) so we can take it in for next week's M61 dev release. Thank you.
Jul 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6b35947dccffbfc6a855ae678fb846019f996006

commit 6b35947dccffbfc6a855ae678fb846019f996006
Author: Ben L. Titzer <titzer@google.com>
Date: Mon Jul 24 14:37:52 2017

Merged: [wasm] Fix user properties for exported wasm functions and add extensive tests.

Revision: 57b9a3b142f221aa5454bb6a30361c2caf68a4c5

BUG= chromium:742659
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=hablich@chromium.org

Change-Id: Ib733dd9f6013d561c6317dac85fece6f93740149
Reviewed-on: https://chromium-review.googlesource.com/582012
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.1@{#8}
Cr-Branched-From: 1bf2e10ddb194d4c2871a87a4732613419de892d-refs/heads/6.1.534@{#1}
Cr-Branched-From: e825c4318eb2065ffdf9044aa6a5278635c36427-refs/heads/master@{#46746}

[modify] https://crrev.com/6b35947dccffbfc6a855ae678fb846019f996006/src/contexts.h
[modify] https://crrev.com/6b35947dccffbfc6a855ae678fb846019f996006/src/factory.cc
[modify] https://crrev.com/6b35947dccffbfc6a855ae678fb846019f996006/src/heap-symbols.h
[modify] https://crrev.com/6b35947dccffbfc6a855ae678fb846019f996006/src/wasm/wasm-js.cc
[modify] https://crrev.com/6b35947dccffbfc6a855ae678fb846019f996006/src/wasm/wasm-objects.cc
[modify] https://crrev.com/6b35947dccffbfc6a855ae678fb846019f996006/src/wasm/wasm-objects.h
[add] https://crrev.com/6b35947dccffbfc6a855ae678fb846019f996006/test/mjsunit/wasm/user-properties.js
Jul 24 2017
Per comment #27, this has already been merged to M61. If nothing is pending for M61, please remove the "Merge-Approved-61" label. Thank you.
Jul 24 2017
Yes, it just landed. Removing label.
Oct 26 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Jul 14 2017
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)