DCHECK failure in InOldSpace(object) || InNewSpace(object) in heap.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6242546350292992

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  InOldSpace(object) || InNewSpace(object) in heap.cc
  v8::internal::Heap::NotifyObjectLayoutChange
  v8::internal::MakeStringThin

Sanitizer: address (ASAN)

Regressed: V8: 47131:47132

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6242546350292992

Issue manually filed by: mstarzinger

See https://github.com/google/clusterfuzz-tools for more information.
Aug 4 2017
Detailed report: https://clusterfuzz.com/testcase?key=4685406762434560

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  InOldSpace(object) || InNewSpace(object) in heap.cc

Sanitizer: address (ASAN)

Regressed: V8: 47067:47068

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4685406762434560

See https://github.com/google/clusterfuzz-tools for more information.
Aug 4 2017
Thanks, Michael. Looking.
Aug 4 2017
Apparently a string in large object space can be turned into a thin string. Jakob, is this expected?
Aug 4 2017
Fix in flight: https://chromium-review.googlesource.com/c/601994
Aug 4 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 4 2017
The assert uncovered an existing bug. I don't think this is a serious security regression.
Aug 4 2017
re #4: yes, any non-internalized string can turn into a ThinString, including large strings. Thanks for fixing this!
Aug 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b35a0789bc83fff645de346d4b3786daed0cedac

commit b35a0789bc83fff645de346d4b3786daed0cedac
Author: Ulan Degenbaev <ulan@chromium.org>
Date: Tue Aug 08 12:35:11 2017

[heap, runtime] Fix conversion of large strings to thin strings.

This patch removes creation of fillers in the middle of a large page and
fixes assert in Heap::NotifyObjectLayoutChange.

The fillers in large pages are useless since we do not sweep large
object space.

Bug: chromium:752426
Change-Id: I01c230223f28d6d54b7362ee70e9d83de50678fd
Reviewed-on: https://chromium-review.googlesource.com/601994
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47221}

[modify] https://crrev.com/b35a0789bc83fff645de346d4b3786daed0cedac/src/heap/heap.cc
[modify] https://crrev.com/b35a0789bc83fff645de346d4b3786daed0cedac/src/heap/heap.h
[modify] https://crrev.com/b35a0789bc83fff645de346d4b3786daed0cedac/src/objects.cc
[modify] https://crrev.com/b35a0789bc83fff645de346d4b3786daed0cedac/test/cctest/test-strings.cc
Aug 9 2017
ClusterFuzz has detected this issue as fixed in range 47220:47221.

Detailed report: https://clusterfuzz.com/testcase?key=6242546350292992

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  InOldSpace(object) || InNewSpace(object) in heap.cc
  v8::internal::Heap::NotifyObjectLayoutChange
  v8::internal::MakeStringThin

Sanitizer: address (ASAN)

Regressed: V8: 47131:47132
Fixed: V8: 47220:47221

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6242546350292992

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 9 2017
ClusterFuzz has detected this issue as fixed in range 47220:47221.

Detailed report: https://clusterfuzz.com/testcase?key=4685406762434560

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  InOldSpace(object) || InNewSpace(object) in heap.cc

Sanitizer: address (ASAN)

Regressed: V8: 47067:47068
Fixed: V8: 47220:47221

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4685406762434560

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 9 2017
ClusterFuzz testcase 4685406762434560 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/dfb4f084890fba0e54fde88de6aed0b97b6e1daa

commit dfb4f084890fba0e54fde88de6aed0b97b6e1daa
Author: Michael Hablich <hablich@chromium.org>
Date: Thu Aug 10 00:28:32 2017

Revert "[heap, runtime] Fix conversion of large strings to thin strings."

This reverts commit b35a0789bc83fff645de346d4b3786daed0cedac.

Reason for revert: Roll blocker for https://chromium-review.googlesource.com/c/607193

Original change's description:
> [heap, runtime] Fix conversion of large strings to thin strings.
>
> This patch removes creation of fillers in the middle of a large page and
> fixes assert in Heap::NotifyObjectLayoutChange.
>
> The fillers in large pages are useless since we do not sweep large
> object space.
>
> Bug: chromium:752426
> Change-Id: I01c230223f28d6d54b7362ee70e9d83de50678fd
> Reviewed-on: https://chromium-review.googlesource.com/601994
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47221}

TBR=ulan@chromium.org,jkummerow@chromium.org,mlippautz@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:752426
Change-Id: I58a632af37fa018d82693099a7a395ca5db5af0f
Reviewed-on: https://chromium-review.googlesource.com/609404
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47262}

[modify] https://crrev.com/dfb4f084890fba0e54fde88de6aed0b97b6e1daa/src/heap/heap.cc
[modify] https://crrev.com/dfb4f084890fba0e54fde88de6aed0b97b6e1daa/src/heap/heap.h
[modify] https://crrev.com/dfb4f084890fba0e54fde88de6aed0b97b6e1daa/src/objects.cc
[modify] https://crrev.com/dfb4f084890fba0e54fde88de6aed0b97b6e1daa/test/cctest/test-strings.cc
Aug 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/a17ed358b1394fece528b12a67bddb29fb80a3f0

commit a17ed358b1394fece528b12a67bddb29fb80a3f0
Author: Ulan Degenbaev <ulan@chromium.org>
Date: Thu Aug 10 17:34:49 2017

[heap] Fix assert in Heap::NotifyObjectLayoutChange

This partially relands b35a078.

Bug: chromium:752426
Change-Id: Ia6f9853115278109189291bca92e94974cfe35b0
Reviewed-on: https://chromium-review.googlesource.com/610580
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47289}

[modify] https://crrev.com/a17ed358b1394fece528b12a67bddb29fb80a3f0/src/heap/heap.cc
Nov 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Aug 4 2017
Components: -Blink>JavaScript Blink>JavaScript>GC
Owner: u...@chromium.org
Status: Assigned (was: Untriaged)