
Issue 744584


Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows , All
Pri: 1
Type: Bug-Security




Fatal error in ../../v8/src/compiler/representation-change.cc, line 1055

Reported by mgi...@gmail.com, Jul 17 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0

Steps to reproduce the problem:
Unfortunately I could not isolate the problem for an easy repro.
I have a JS app of around 3 MB minified, and the browser crashes at what seem to be random times (I suppose whenever it decides to optimize the problematic function).

What is the expected behavior?
not crash

What went wrong?
Fatal error in ../../v8/src/compiler/representation-change.cc, line 1055
RepresentationChangerError: node #812:Phi of kRepFloat64 (Number) cannot be changed to kRepWord32

STACK_TEXT:
0x0
v8_libbase!v8::base::OS::Abort+0x11
v8_libbase!V8_Fatal+0x91
v8!v8::internal::compiler::RepresentationChanger::TypeError+0x1d9
v8!v8::internal::compiler::RepresentationChanger::GetWord32RepresentationFor+0x18d
v8!v8::internal::compiler::RepresentationChanger::GetRepresentationFor+0x28d
v8!v8::internal::compiler::RepresentationSelector::ConvertInput+0x19d
v8!v8::internal::compiler::RepresentationSelector::VisitPhi+0x12c
v8!v8::internal::compiler::RepresentationSelector::VisitNode+0x31f
v8!v8::internal::compiler::RepresentationSelector::Run+0x4ea
v8!v8::internal::compiler::SimplifiedLowering::LowerAllNodes+0x4c
v8!v8::internal::compiler::PipelineImpl::Run<v8::internal::compiler::SimplifiedLoweringPhase>+0x70
v8!v8::internal::compiler::PipelineImpl::OptimizeGraph+0x29f
v8!v8::internal::compiler::PipelineCompilationJob::ExecuteJobImpl+0x20
v8!v8::internal::CompilationJob::ExecuteJob+0x1a3
v8!v8::internal::OptimizingCompileDispatcher::CompileTask::Run+0x110
gin!base::internal::FunctorTraits<void (__cdecl v8::Task::*)(void) __ptr64,void>::Invoke<v8::Task * __ptr64>+0x1a
gin!base::internal::InvokeHelper<0,void>::MakeItSo<void (__cdecl v8::Task::*const & __ptr64)(void) __ptr64,v8::Task * __ptr64>+0x37
gin!base::internal::Invoker<base::internal::BindState<void (__cdecl v8::Task::*)(void) __ptr64,base::internal::OwnedWrapper<v8::Task> >,void __cdecl(void)>::RunImpl<void (__cdecl v8::Task::*const & __ptr64)(void) __ptr64,std::tuple<base::internal::OwnedWrapper<v8::Task> > const & __ptr64,0>+0x49
gin!base::internal::Invoker<base::internal::BindState<void (__cdecl v8::Task::*)(void) __ptr64,base::internal::OwnedWrapper<v8::Task> >,void __cdecl(void)>::Run+0x33
base!base::Callback<void __cdecl(void),0,0>::Run+0x40
base!base::debug::TaskAnnotator::RunTask+0x2fd
base!base::internal::TaskTracker::PerformRunTask+0x74b
base!base::internal::TaskTracker::RunNextTask+0x1ea
base!base::internal::SchedulerWorker::Thread::ThreadMain+0x4b9
base!base::`anonymous namespace'::ThreadFunc+0x131
KERNEL32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

Did this work before? N/A 

Chrome version: 61.0.3158.0  Channel: canary
OS Version: 10.0
Flash Version: Shockwave Flash 25.0 r0
 

Comment 1 by mgi...@gmail.com, Jul 17 2017

Minidump file created with WinDbg x64.
Components: -Blink Blink>JavaScript

Comment 3 by ajha@chromium.org, Jul 19 2017

Cc: jarin@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Labels: TE-NeedsTriageHelp
Cc'ing jarin@ for help in further investigation and to check whether this is related to Issue 741225.

Comment 4 by jarin@chromium.org, Jul 19 2017

Without some kind of repro, it will be hard to make progress here. Are you sure you can share some repro instructions?


Comment 5 Deleted

Comment 6 by jarin@chromium.org, Jul 19 2017

Cc: tebbi@chromium.org
Labels: Security_Severity-High Restrict-View-SecurityTeam OS-All
Status: Started (was: Unconfirmed)

Comment 7 by jarin@chromium.org, Jul 19 2017

Labels: -Pri-2 Pri-1
Thank you for the repro! I could reproduce the issue locally. We should have a fix ready soon.

Comment 8 by jarin@chromium.org, Jul 20 2017

Owner: tebbi@chromium.org
Labels: -Type-Bug M-60 NodeJS-Backport-Review Type-Bug-Security
Labels: -M-60 M-59
Cc: hablich@chromium.org

Comment 12 by sheriffbot@chromium.org, Jul 20 2017

Labels: Security_Impact-Stable

Comment 13 by bugdroid1@chromium.org, Jul 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a224eff455632df89377748421a23be47a5278e8

commit a224eff455632df89377748421a23be47a5278e8
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Thu Jul 20 13:04:02 2017

[turbofan] escape analysis: fix typing of new phi nodes

Bug:  chromium:744584 
Change-Id: Ie25c2ba63e4764f359de38e53c2f3f3222877e0e
Reviewed-on: https://chromium-review.googlesource.com/577690
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46792}
[modify] https://crrev.com/a224eff455632df89377748421a23be47a5278e8/src/compiler/escape-analysis.cc
[add] https://crrev.com/a224eff455632df89377748421a23be47a5278e8/test/mjsunit/compiler/escape-analysis-phi-type-2.js
[add] https://crrev.com/a224eff455632df89377748421a23be47a5278e8/test/mjsunit/compiler/escape-analysis-phi-type.js

Comment 14 by tebbi@chromium.org, Jul 21 2017

Labels: Merge-Request-60
This is a Turbofan compiler bug that allows arbitrary out-of-bounds memory access. The patch is safe to back-merge.

Comment 15 by sheriffbot@chromium.org, Jul 21 2017

Labels: -Merge-Request-60 Hotlist-Merge-Review Merge-Review-60
This bug requires manual review: We are only 3 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by tebbi@chromium.org, Jul 21 2017

Status: Fixed (was: Started)

Comment 17 by sheriffbot@chromium.org, Jul 21 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Merge-Review-60 Merge-Approved-60 Merge-Approved-61
Let's wait (2 days) for some proper Canary coverage. The branch cut obfuscates the stability data a little bit.

If everything is fine, we should merge it back to 6.0 and 6.1

Comment 19 by mgi...@gmail.com, Jul 24 2017

For my part, I can confirm the bug as fixed. Thank you.
Labels: reward-topanel
Please merge your change to M61 branch #3163 before 4:00 PM PT, Wednesday (07/26) in order to make it into the last M61 dev release. Thank you.

Comment 22 by bugdroid1@chromium.org, Jul 26 2017

Labels: merge-merged-6.1
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/81ccc6e1f31b6f7bcef19eeff321c56d947ba935

commit 81ccc6e1f31b6f7bcef19eeff321c56d947ba935
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Wed Jul 26 12:40:37 2017

Merged: [turbofan] escape analysis: fix typing of new phi nodes

Revision: a224eff455632df89377748421a23be47a5278e8

BUG= chromium:744584 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=jarin@chromium.org

Change-Id: I3f3ec437c780a615b98767345b5eb88a05c2b0e6
Reviewed-on: https://chromium-review.googlesource.com/586329
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.1@{#20}
Cr-Branched-From: 1bf2e10ddb194d4c2871a87a4732613419de892d-refs/heads/6.1.534@{#1}
Cr-Branched-From: e825c4318eb2065ffdf9044aa6a5278635c36427-refs/heads/master@{#46746}
[modify] https://crrev.com/81ccc6e1f31b6f7bcef19eeff321c56d947ba935/src/compiler/escape-analysis.cc
[add] https://crrev.com/81ccc6e1f31b6f7bcef19eeff321c56d947ba935/test/mjsunit/compiler/escape-analysis-phi-type-2.js
[add] https://crrev.com/81ccc6e1f31b6f7bcef19eeff321c56d947ba935/test/mjsunit/compiler/escape-analysis-phi-type.js

Please merge your change to M61 branch 3163 by 5:00 PM today (Wednesday) if possible, so we can take it in for next week's last M61 dev release. Thank you.

Comment 24 by bugdroid1@chromium.org, Jul 27 2017

Labels: merge-merged-6.0
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2f2f9be7727eac23248fd91a776959d51de6b7c6

commit 2f2f9be7727eac23248fd91a776959d51de6b7c6
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Thu Jul 27 08:04:29 2017

Merged: [turbofan] escape analysis: fix typing of new phi nodes

Revision: a224eff455632df89377748421a23be47a5278e8

BUG= chromium:744584 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=jarin@chromium.org

Change-Id: I5007d4062878fa2586c5d9e85a264c19be056afb
Reviewed-on: https://chromium-review.googlesource.com/586530
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.0@{#95}
Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1}
Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439}
[modify] https://crrev.com/2f2f9be7727eac23248fd91a776959d51de6b7c6/src/compiler/escape-analysis.cc
[add] https://crrev.com/2f2f9be7727eac23248fd91a776959d51de6b7c6/test/mjsunit/compiler/escape-analysis-phi-type-2.js
[add] https://crrev.com/2f2f9be7727eac23248fd91a776959d51de6b7c6/test/mjsunit/compiler/escape-analysis-phi-type.js


Comment 25 by sheriffbot@chromium.org, Jul 27 2017

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Approved-61
Per comment #22, this is already merged to M61. So removing "Merge-Approved-61" label. Thank you.

Comment 27 by sheriffbot@chromium.org, Jul 31 2017

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 28 by tebbi@chromium.org, Jul 31 2017

Labels: -Merge-Approved-60
Already merged to M60.
Labels: -reward-topanel reward-unpaid reward-3000
Cc: awhalley@chromium.org
Congratulations mgiova@! The VRP panel decided to award $3,000 for this report!  A member of our finance team will be in touch shortly to arrange payment. Cheers!

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M61
Labels: CVE-2017-5115
Labels: -NodeJS-Backport-Review NodeJS-Backport-Done

Comment 35 by sheriffbot@chromium.org, Oct 27 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-submitted
