Issue 764219

Issue metadata

Status: Verified
Owner: ishell@chromium.org
Closed: Oct 2017
Cc: mslekova@google.com, hablich@chromium.org
Components: Blink>JavaScript>Runtime
OS: Linux , Mac
Pri: 1
Type: Bug
Ill in v8::internal::__RT_impl_Runtime_AbortJS

Reported by ClusterFuzz (Project Member), Sep 12 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6513792304545792

Fuzzer: mbarbella_js_mutation
Job Type: mac_asan_d8_dbg
Platform Id: mac

Crash Type: Ill
Crash Address: 0x0001103ca238
Crash State:
  v8::internal::__RT_impl_Runtime_AbortJS
  v8::internal::Runtime_AbortJS
  v8::internal::Invoke
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=47819:47820

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6513792304545792

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: mslekova@google.com
Status: Assigned (was: Untriaged)
Further reduced repro:

Object.setPrototypeOf(this, new Proxy({}, {}));
function __f_12() {
  this.toString = function() {
    return "";
  };
};
__f_12.call({});
__f_12();
__f_12();

Fails with:

abort: CSA_ASSERT failed: IsDictionaryMap(LoadMap(maybe_prototype)) [../../src/ic/accessor-assembler.cc:1552]

Assigning to Maya based on regression range.
Comment 2 by ClusterFuzz (Project Member), Sep 17 2017

Labels: OS-Linux

Comment 3 by ishell@chromium.org, Sep 20 2017

Owner: ishell@chromium.org

Comment 4 by mslekova@google.com, Sep 20 2017

There's even more minimal repro case:

Object.setPrototypeOf(this, new Proxy({}, {}));
function foo() {
  this.prop = 42;
};
foo.call({});
foo();
foo();

Comment 5 by ishell@chromium.org, Sep 26 2017

Status: Started (was: Assigned)
Comment 6 by ClusterFuzz (Project Member), Oct 1 2017

Components: Blink>JavaScript>Runtime
Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 7 by ClusterFuzz (Project Member), Oct 5 2017

Labels: ClusterFuzz-Top-Crash ReleaseBlock-Beta M-63
Testcase 6513792304545792 is a top crash on ClusterFuzz for linux platform. Please prioritize fixing this crash.

Marking this crash as a Beta release blocker.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
ishell@,

Friendly ping to get an update on this issue, as it is marked as a beta blocker issue.

Thanks!

Comment 9 by ishell@chromium.org, Oct 10 2017

I was not able to finish the fix before my semi-sudden vacation, now I'm back and I'll proceed finishing the CL.
M63 is branching this Thursday (10/12) and M63 beta promotion is coming very soon. Your bug is labelled as Beta ReleaseBlock; please make sure to land the fix ASAP. Thank you.
Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
Given that proxies are not widely used in user code (yet) and it is not very security relevant I think we can make a stable blocker out of this for M63.
Status: Fixed (was: Started)
Labels: Merge-TBD
[Auto-generated comment by a script] We noticed that this issue is targeted for M-63; it appears the fix may have landed after branch point, meaning a merge might be required. Please confirm if a merge is required here - if so add Merge-Request-63 label, otherwise remove Merge-TBD label. Thanks.
Status: Assigned (was: Fixed)
The CF issue is still crashing.
Comment 17 by ClusterFuzz (Project Member), Oct 13 2017

ClusterFuzz has detected this issue as fixed in range 48533:48534.

Detailed report: https://clusterfuzz.com/testcase?key=6513792304545792

Fuzzer: mbarbella_js_mutation
Job Type: mac_asan_d8_dbg
Platform Id: mac

Crash Type: Ill
Crash Address: 0x00010422e578
Crash State:
  v8::internal::__RT_impl_Runtime_AbortJS
  v8::internal::Runtime_AbortJS
  v8::internal::Invoke
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=47819:47820
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=48533:48534

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6513792304545792

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Verified (was: Assigned)
Fixed and verified.
Cc: hablich@chromium.org
+hablich@ to check whether we need a merge to M63 or not.
Labels: Merge-Approved-63
Labels: -Merge-TBD
Please merge your change to the M63 branch before 4:00 PM PT, Tuesday so we can take it in for this week's M63 Dev release. Thank you.
Comment 22 by bugdroid1@chromium.org (Project Member), Oct 17 2017

Labels: merge-merged-6.3
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/dc7edb8be87f73cd64c2cdc10ccf15910255b6be

commit dc7edb8be87f73cd64c2cdc10ccf15910255b6be
Author: ishell@chromium.org <ishell@chromium.org>
Date: Tue Oct 17 09:59:07 2017

Merged: Squashed multiple commits.

Merged: [ic] Do access checks when storing via JSGlobalProxy.
Revision: 5ea95febb0fa5232f366784b555502f825a3f4dc

Merged: [ic] Fix storing to JSGlobalProxy having JSProxy in prototype chain.
Revision: b19a1baf49b1927ae47f4fcdef9f7ea1925ddbb4

BUG= chromium:764219 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=verwaest@chromium.org

Change-Id: Icc7dde6ba3faae1aee29c4f3ac1aaa27d94f3124
Reviewed-on: https://chromium-review.googlesource.com/721443
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#14}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
[modify] https://crrev.com/dc7edb8be87f73cd64c2cdc10ccf15910255b6be/src/ic/accessor-assembler.cc
[modify] https://crrev.com/dc7edb8be87f73cd64c2cdc10ccf15910255b6be/src/ic/accessor-assembler.h
[modify] https://crrev.com/dc7edb8be87f73cd64c2cdc10ccf15910255b6be/src/ic/handler-configuration-inl.h
[modify] https://crrev.com/dc7edb8be87f73cd64c2cdc10ccf15910255b6be/src/ic/handler-configuration.cc
[modify] https://crrev.com/dc7edb8be87f73cd64c2cdc10ccf15910255b6be/src/ic/handler-configuration.h
[modify] https://crrev.com/dc7edb8be87f73cd64c2cdc10ccf15910255b6be/src/ic/ic.cc
[modify] https://crrev.com/dc7edb8be87f73cd64c2cdc10ccf15910255b6be/src/ic/keyed-store-generic.cc
[add] https://crrev.com/dc7edb8be87f73cd64c2cdc10ccf15910255b6be/test/mjsunit/regress/regress-crbug-764219.js

Labels: -Merge-Approved-63
Per comment #22, this is already merged.
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components