
Issue 761845


Issue metadata

Status: Duplicate
Merged: issue 782982
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

OOMCrash at Web Components site (in v8)

Reported by vlisi...@gmail.com, Sep 4 2017

Issue description

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: Version 60.0.3112.113 (Official Build) (64-bit)
(Also latest Chromium on both Fedora and Suse)
Operating System: Fedora Linux 26
Intel I7 2670QM, 20GB of memory, NVidia driver 375.66

REPRODUCTION CASE

https://xel-toolkit.org/elements/x-button

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 

(gdb) bt
#0  0x000000178eca51bf in  ()
#1  0x000000178c0ff3fb in  ()
#2  0x000033a2777f8020 in  ()
#3  0x0000001790ea274e in  ()
#4  0x00007fd3b30c94c0 in  ()
#5  0x000000178c0ff352 in  ()
#6  0x0000000000000000 in  ()

Console:
#
# Fatal process OOM in heap setup
#

Dmesg:

[35004.912702] traps: DedicatedWorker[14939] trap invalid opcode ip:178eca51bf sp:7fd3b28c8f08 error:0 in chrome[178aa22000+6ce2000]

(For Chromium: [35408.322269] traps: DedicatedWorker[15349] trap invalid opcode ip:7fb3a0952619 sp:7fb36c199138 error:0 in libv8_libbase.so[7fb3a093f000+1a000] , so problem in V8, IMHO).

Components: Blink>JavaScript
Thanks for the report. :)

Stacktrace from tip of tree Linux:

Received signal 4 ILL_ILLOPN 7effc7880852
#0 0x7effe57a8f9d base::debug::StackTrace::StackTrace()
#1 0x7effe57a736c base::debug::StackTrace::StackTrace()
#2 0x7effe57a8955 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7effe5e07330 <unknown>
#4 0x7effc7880852 v8::base::OS::Abort()
#5 0x7effd61f8dd5 v8::internal::V8::FatalProcessOutOfMemory()
#6 0x7effd671a941 v8::internal::Isolate::Init()
#7 0x7effd69c15bb v8::internal::Snapshot::Initialize()
#8 0x7effd624acdd v8::IsolateNewImpl()
#9 0x7effd6d55fdb gin::IsolateHolder::IsolateHolder()
#10 0x7effd1e1deba blink::V8PerIsolateData::V8PerIsolateData()
#11 0x7effd1e1eb11 blink::V8PerIsolateData::Initialize()
#12 0x7effd4c125a7 
#
# Fatal process OOM in heap setup
#

Looks like V8 is OOMing.... it:

 - Crashes on tip of tree on Linux (63.0.3205.0)
 - Crashes on stable on Linux (60.0.3112.113)
 - Doesn't crash on Mac Canary (63.0.3205.0)?

Over to the V8 sheriffs for triage. I don't think an OOM is a security issue, but I'll wait for someone more knowledgeable in V8 to take a look before I assign security labels.
Status: Untriaged (was: Unconfirmed)
Cc: neis@chromium.org
Labels: Needs-Bisect
I got a different signature. See crash report 773bdb5e84dd5c41. Did this work in the past? Please bisect.
Cc: hablich@chromium.org

Comment 5 by ClusterFuzz, Sep 5 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4920944291479552.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Needs-Bisect Type-Bug
Owner: hablich@chromium.org
Results from bisect: "You are probably looking for a change made after 420851 (known good), but no later than 420852 (first known bad).
CHANGELOG URL:
  https://chromium.googlesource.com/chromium/src/+log/cbf5bacde72383a2b88fd476bfd1bc5460a20ae7..8219973c7ee378913f51d3028bb878860b3a59af
i.e. "Update V8 to version 5.5.281." -- 12 months ago.

I agree with dominickn that this is just an OOM, and not a security issue. Marking as such.
Components: -Blink>JavaScript Blink>JavaScript>Language
Labels: Pri-2
Owner: ----
Status: Available (was: Untriaged)
Summary: OOMCrash at Web Components site (in v8) (was: Security: Crash at Web Components site (in v8))
I didn't have a look at the source code of the page. Given the bisect range it looks like it is arrow function related because FullCodeGen is gone already?

Comment 8 by adamk@chromium.org, Sep 6 2017

Components: -Blink>JavaScript>Language Blink>Workers
This is crashing while setting up a web worker, I don't think it's related to V8 at all (certainly not to arrow functions). From instrumenting Isolate::New, it looks like the page creates ~66 workers. Poking around at the source, it appears this may be due to the prismjs library being used, which appears to start up a worker for each call to highlightElement():

https://github.com/PrismJS/prism/blob/6530709e85533b7a5aa5da93f894512aefde3d4f/components/prism-core.js#L218

I suspect this is WontFix, but relabeling in case folks monitoring this label think we should support this many workers in a page.
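
Added example (not code from this issue, Prism, or Chromium): a small JavaScript helper that caps how many Worker instances a page creates and reuses idle ones, as a contrast to the spawn-a-worker-per-call pattern described in the comment above. `createWorkerBudget`, `makeStubWorker` and `highlightMany` are assumed names; the worker factory is injected so the same scheduling logic runs in a browser (factory returning `new Worker(url)`) and under Node with the stub below.

```javascript
// Added example, not Prism's or Chromium's code. Names are assumptions.
// A worker budget: at most `maxWorkers` Worker objects ever exist; jobs that
// arrive while all workers are busy wait in a queue instead of spawning a
// new worker (and a new V8 isolate) per call.
function createWorkerBudget(factory, maxWorkers) {
  const idle = [];                                 // workers waiting for a job
  const queue = [];                                // jobs waiting for a worker
  const stats = { created: 0, maxConcurrent: 0 };  // for inspection/tests
  let busy = 0;

  function dispatch(worker, job) {
    busy += 1;
    if (busy > stats.maxConcurrent) stats.maxConcurrent = busy;
    worker.onmessage = (evt) => {
      busy -= 1;
      worker.onmessage = null;
      job.resolve(evt.data);
      const next = queue.shift();                  // hand the worker the next job,
      if (next) dispatch(worker, next);            // or park it as idle
      else idle.push(worker);
    };
    worker.postMessage(job.payload);
  }

  function run(payload) {
    return new Promise((resolve) => {
      const job = { payload, resolve };
      if (idle.length > 0) {
        dispatch(idle.pop(), job);                 // reuse an idle worker
      } else if (stats.created < maxWorkers) {
        stats.created += 1;
        dispatch(factory(), job);                  // spawn, still under the cap
      } else {
        queue.push(job);                           // cap reached: wait
      }
    });
  }

  return { run, stats };
}

// Stub worker so the example runs outside a browser: it answers asynchronously
// with an upper-cased copy of the payload, standing in for a highlighter.
function makeStubWorker() {
  const w = { onmessage: null };
  w.postMessage = (data) => {
    setTimeout(() => {
      if (w.onmessage) w.onmessage({ data: String(data).toUpperCase() });
    }, 0);
  };
  return w;
}

// Constructed scenario: a page with `count` code blocks to highlight.
// Returns the results plus how many workers were actually created.
async function highlightMany(count, maxWorkers) {
  const budget = createWorkerBudget(makeStubWorker, maxWorkers);
  const results = await Promise.all(
    Array.from({ length: count }, (_, i) => budget.run(`block-${i}`))
  );
  return {
    results,
    created: budget.stats.created,
    maxConcurrent: budget.stats.maxConcurrent,
  };
}

// Usage: 66 blocks (the count observed in this issue) with a budget of 4
// workers creates 4 workers; with no cap it creates 66.
highlightMany(66, 4).then((r) =>
  console.log(`bounded: ${r.created} workers for ${r.results.length} blocks`)
);
```

Passing `Infinity` as the budget reproduces the one-worker-per-call behaviour, which is useful when comparing memory use of the two approaches in a browser's task manager.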

Comment 9 by adamk@chromium.org, Sep 6 2017

Cc: adamk@chromium.org
Cc: jorgelo@chromium.org
+jorgelo possibly another dupe of bug 782982?
Mergedinto: 782982
Status: Duplicate (was: Available)
