Issue metadata
DCHECK failure in AllowHeapAllocation::IsAllowed() in heap-inl.h

Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5144730831945728
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  AllowHeapAllocation::IsAllowed() in heap-inl.h
  v8::internal::Heap::AllocateRaw
  v8::internal::Heap::Allocate
Sanitizer: address (ASAN)
Regressed: V8: 47213:47214
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5144730831945728
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Aug 14 2017

Aug 14 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Aug 14 2017

Aug 14 2017
Assigning to V8 CF Sheriff per rotation at go/v8.

Aug 16 2017
It seems the problem is that v8::internal::FindCaller in src/accessors.cc:981 has a DisallowHeapAllocation scope, but can trigger OptimizedFrame::Summarize, which started materializing objects since https://chromium-review.googlesource.com/c/595745.
Aug 16 2017
Minimized repro:

  function foo(f) {
    f.caller;
  }
  function bar(f) {
    new foo(f);
  }
  bar(function() {});
  %OptimizeFunctionOnNextCall(bar);
  bar(function() {});

Aug 22 2017
Thanks! Taking a look now ...
Aug 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/6dd1251e4eaffafe63260312fcf8b57798f08399

commit 6dd1251e4eaffafe63260312fcf8b57798f08399
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue Aug 22 15:00:03 2017

Handlify FrameFunctionIterator to allow for GCs.

R=tebbi@chromium.org
TEST=mjsunit/regress/regress-crbug-755044
BUG= chromium:755044

Change-Id: I909eeeccaf4e4e9757a2f952c00f557ee6c495ee
Reviewed-on: https://chromium-review.googlesource.com/625878
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47510}

[modify] https://crrev.com/6dd1251e4eaffafe63260312fcf8b57798f08399/src/accessors.cc
[add] https://crrev.com/6dd1251e4eaffafe63260312fcf8b57798f08399/test/mjsunit/regress/regress-crbug-755044.js

Aug 22 2017
Fixed. This issue might actually cause a stale pointer to be dereferenced in rare cases and hence cannot be considered completely benign in release builds of V8. But it will be very hard to control the address of this out-of-bounds read. Still leaving security labels in place. Only affects M62 branch, no merge required.
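The mechanism the two comments above describe (a DisallowHeapAllocation scope, a call inside it that can allocate and therefore trigger a moving GC, a raw pointer that is stale afterwards, and the "handlify" shape of the fix) as an added toy in C++. This is constructed illustration written for this page, not V8 code: ToyHeap, DisallowAllocation, the handle table, the GC-on-every-second-allocation policy and the violation counter standing in for the DCHECK are all assumptions of the example; V8's real heap, handles and frame iterator differ in detail.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration, not V8 code: a toy moving heap. Objects live in a
// buffer that a "GC" copies wholesale to a new buffer, so raw pointers taken
// before the GC go stale while handles (indices into a forwarded table) stay
// valid. A scope guard models DisallowHeapAllocation and the DCHECK in
// AllowHeapAllocation::IsAllowed().
struct Obj {
  int value;
};

class ToyHeap {
 public:
  ToyHeap() : space_(new Obj[kCapacity]) {}
  ~ToyHeap() { delete[] space_; }
  ToyHeap(const ToyHeap&) = delete;
  ToyHeap& operator=(const ToyHeap&) = delete;

  // Models AllowHeapAllocation::IsAllowed(): false inside a disallow scope.
  bool AllocationAllowed() const { return no_alloc_depth_ == 0; }

  // Allocates and returns a handle (stable across GC), or -1 when allocation
  // is forbidden; a real DCHECK would abort a debug build at that point.
  int Allocate(int value) {
    if (!AllocationAllowed()) { ++violations_; return -1; }
    if (used_ == kCapacity) return -1;  // toy heap is full
    if (allocs_since_gc_ == kGcInterval) CollectGarbage();  // assumed policy
    space_[used_].value = value;
    handle_table_.push_back(&space_[used_]);
    ++used_;
    ++allocs_since_gc_;
    return static_cast<int>(handle_table_.size()) - 1;
  }

  // Resolves a handle to the object's current address (nullptr if invalid).
  Obj* Deref(int handle) const {
    if (handle < 0 || static_cast<size_t>(handle) >= handle_table_.size()) return nullptr;
    return handle_table_[handle];
  }

  // Moving GC: copy every object into a fresh buffer and forward the handle
  // table. The old buffer is released, so pointers into it are now stale.
  void CollectGarbage() {
    Obj* to_space = new Obj[kCapacity];
    for (size_t i = 0; i < used_; ++i) to_space[i] = space_[i];
    for (Obj*& slot : handle_table_) slot = to_space + (slot - space_);
    delete[] space_;
    space_ = to_space;
    allocs_since_gc_ = 0;
    ++gc_count_;
  }

  void EnterNoAlloc() { ++no_alloc_depth_; }
  void LeaveNoAlloc() { --no_alloc_depth_; }
  int Violations() const { return violations_; }
  int GcCount() const { return gc_count_; }

 private:
  static constexpr size_t kCapacity = 16;
  static constexpr int kGcInterval = 2;
  Obj* space_;
  size_t used_ = 0;
  std::vector<Obj*> handle_table_;
  int allocs_since_gc_ = 0;
  int no_alloc_depth_ = 0;
  int violations_ = 0;
  int gc_count_ = 0;
};

// RAII guard modelled on DisallowHeapAllocation.
class DisallowAllocation {
 public:
  explicit DisallowAllocation(ToyHeap& heap) : heap_(heap) { heap_.EnterNoAlloc(); }
  ~DisallowAllocation() { heap_.LeaveNoAlloc(); }
 private:
  ToyHeap& heap_;
};

// The bug's shape: a raw pointer captured before a call that may allocate
// (and therefore collect) no longer names the live object afterwards. The
// stale address is only compared, never dereferenced.
bool RawPointerGoesStale() {
  ToyHeap heap;
  int h = heap.Allocate(42);
  std::uintptr_t raw = reinterpret_cast<std::uintptr_t>(heap.Deref(h));
  heap.Allocate(1);
  heap.Allocate(2);  // second allocation since the last GC: triggers the move
  return heap.GcCount() == 1 &&
         raw != reinterpret_cast<std::uintptr_t>(heap.Deref(h));
}

// The fix's shape ("handlify"): keep a handle and re-resolve it after the
// allocating call; the value is still reachable after the move.
int HandleSurvivesGC() {
  ToyHeap heap;
  int h = heap.Allocate(42);
  heap.Allocate(1);
  heap.Allocate(2);
  return heap.Deref(h)->value;
}

// The DCHECK's shape: an allocation attempted inside the guard is flagged;
// the same allocation after the guard closes is allowed again.
int AllocationsRefusedInScope() {
  ToyHeap heap;
  {
    DisallowAllocation scope(heap);
    heap.Allocate(7);  // refused and counted as a violation
  }
  return heap.Allocate(8) >= 0 ? heap.Violations() : -1;
}
```

In a V8 debug build the point where the toy counts a violation is where the DCHECK in the crash state fires; in a release build the DCHECK is compiled out, which is why the comment above treats the stale pointer in RawPointerGoesStale as the real risk rather than the assertion itself.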
Aug 23 2017
ClusterFuzz has detected this issue as fixed in range 47509:47510.
Detailed report: https://clusterfuzz.com/testcase?key=5144730831945728
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  AllowHeapAllocation::IsAllowed() in heap-inl.h
  v8::internal::Heap::AllocateRaw
  v8::internal::Heap::Allocate
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47213:47214
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47509:47510
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5144730831945728
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Aug 23 2017
ClusterFuzz testcase 5144730831945728 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Aug 23 2017

Oct 5 2017

Nov 29 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by elawrence@chromium.org, Aug 14 2017