Issue metadata
Sign in to add a comment
|
Clusterfuzz UNKNOWN WRITE crash in D8 after enabling trap handlers |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5652010891476992 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x7f8694dec013 Crash State: NULL Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48148:48149 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5652010891476992 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Oct 5 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/71655f47a078d72573d4bf21226176e085d31fb6 ([wasm] Enable trap handlers by default in D8 on Linux x64). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
,
Oct 5 2017
,
Oct 5 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 5 2017
,
Oct 5 2017
From the address this tried to write, and the Wasm instructions, my hunch is that we've incorrectly sign-extended a constant index. There are a couple of possible fixes. One is to make sure we handle the signs correctly. The other is to add guard regions in front of the Wasm memory too (negative guard regions). I made a stab at adding negative guard regions a while back (https://crrev.com/c/484747), but it was reverted because it caused flakes in Chromium. I think we'd have better luck landing it now because we've improved our guard region handling since then.
,
Oct 5 2017
The problem is that for linux, ASAN_OPTIONS has allow_user_segv_handler=0 However, it should be: allow_user_segv_handler=1
,
Oct 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/ee4fe8963c435ff2d520aa34aafa6748e833af3a commit ee4fe8963c435ff2d520aa34aafa6748e833af3a Author: Eric Holk <eholk@chromium.org> Date: Tue Oct 10 18:03:12 2017 [wasm] trap handlers: fall back on old signal handler This is primarily needed to test D8 under ASan. ASan installs a signal handler early in the process startup to show stack traces from crashes. We need to make sure that if V8 does not handle a signal then the existing handler gets a chance. This change only applies when using V8's default signal handler. When integrating with the embedder's signal handler the behavior is unchanged. Bug: chromium:771948 Change-Id: Ifd560acf9700ec5f714f009530258fa92c83cabe Reviewed-on: https://chromium-review.googlesource.com/705823 Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> Commit-Queue: Eric Holk <eholk@chromium.org> Cr-Commit-Position: refs/heads/master@{#48429} [modify] https://crrev.com/ee4fe8963c435ff2d520aa34aafa6748e833af3a/src/trap-handler/handler-inside.cc [modify] https://crrev.com/ee4fe8963c435ff2d520aa34aafa6748e833af3a/src/trap-handler/handler-outside.cc [modify] https://crrev.com/ee4fe8963c435ff2d520aa34aafa6748e833af3a/src/trap-handler/handler-shared.cc [modify] https://crrev.com/ee4fe8963c435ff2d520aa34aafa6748e833af3a/src/trap-handler/trap-handler-internal.h [modify] https://crrev.com/ee4fe8963c435ff2d520aa34aafa6748e833af3a/src/trap-handler/trap-handler.h [modify] https://crrev.com/ee4fe8963c435ff2d520aa34aafa6748e833af3a/test/unittests/BUILD.gn [modify] https://crrev.com/ee4fe8963c435ff2d520aa34aafa6748e833af3a/test/unittests/unittests.gyp [add] https://crrev.com/ee4fe8963c435ff2d520aa34aafa6748e833af3a/test/unittests/wasm/trap-handler-unittest.cc
,
Oct 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/0a97c51f35999ac4847f59f01f1f4168d3180c83 commit 0a97c51f35999ac4847f59f01f1f4168d3180c83 Author: Eric Holk <eholk@chromium.org> Date: Tue Oct 10 18:11:25 2017 Revert "[wasm] trap handlers: fall back on old signal handler" This reverts commit ee4fe8963c435ff2d520aa34aafa6748e833af3a. Reason for revert: <INSERT REASONING HERE> Original change's description: > [wasm] trap handlers: fall back on old signal handler > > This is primarily needed to test D8 under ASan. ASan installs a signal handler > early in the process startup to show stack traces from crashes. We need to make > sure that if V8 does not handle a signal then the existing handler gets a > chance. > > This change only applies when using V8's default signal handler. When > integrating with the embedder's signal handler the behavior is unchanged. > > Bug: chromium:771948 > Change-Id: Ifd560acf9700ec5f714f009530258fa92c83cabe > Reviewed-on: https://chromium-review.googlesource.com/705823 > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> > Commit-Queue: Eric Holk <eholk@chromium.org> > Cr-Commit-Position: refs/heads/master@{#48429} TBR=mseaborn@chromium.org,bradnelson@chromium.org,gdeepti@chromium.org,eholk@chromium.org,mark@chromium.org Change-Id: Ib43b096831b15c312b3b460e59f268d5ea903f21 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:771948 Reviewed-on: https://chromium-review.googlesource.com/710034 Reviewed-by: Eric Holk <eholk@chromium.org> Commit-Queue: Eric Holk <eholk@chromium.org> Cr-Commit-Position: refs/heads/master@{#48430} [modify] https://crrev.com/0a97c51f35999ac4847f59f01f1f4168d3180c83/src/trap-handler/handler-inside.cc [modify] https://crrev.com/0a97c51f35999ac4847f59f01f1f4168d3180c83/src/trap-handler/handler-outside.cc [modify] https://crrev.com/0a97c51f35999ac4847f59f01f1f4168d3180c83/src/trap-handler/handler-shared.cc [modify] https://crrev.com/0a97c51f35999ac4847f59f01f1f4168d3180c83/src/trap-handler/trap-handler-internal.h [modify] https://crrev.com/0a97c51f35999ac4847f59f01f1f4168d3180c83/src/trap-handler/trap-handler.h [modify] https://crrev.com/0a97c51f35999ac4847f59f01f1f4168d3180c83/test/unittests/BUILD.gn [modify] https://crrev.com/0a97c51f35999ac4847f59f01f1f4168d3180c83/test/unittests/unittests.gyp [delete] https://crrev.com/ee4fe8963c435ff2d520aa34aafa6748e833af3a/test/unittests/wasm/trap-handler-unittest.cc
,
Oct 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/cc237d872b2e0533e97219d7a5aba7ae53e89386 commit cc237d872b2e0533e97219d7a5aba7ae53e89386 Author: Eric Holk <eholk@chromium.org> Date: Wed Oct 11 02:03:17 2017 Reland "[wasm] trap handlers: fall back on old signal handler" This is a reland of ee4fe8963c435ff2d520aa34aafa6748e833af3a Original change's description: > [wasm] trap handlers: fall back on old signal handler > > This is primarily needed to test D8 under ASan. ASan installs a signal handler > early in the process startup to show stack traces from crashes. We need to make > sure that if V8 does not handle a signal then the existing handler gets a > chance. > > This change only applies when using V8's default signal handler. When > integrating with the embedder's signal handler the behavior is unchanged. > > Bug: chromium:771948 > Change-Id: Ifd560acf9700ec5f714f009530258fa92c83cabe > Reviewed-on: https://chromium-review.googlesource.com/705823 > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> > Commit-Queue: Eric Holk <eholk@chromium.org> > Cr-Commit-Position: refs/heads/master@{#48429} Bug: chromium:771948 Change-Id: Ide307091c432fd933c48f89c51851b8dce44dd30 Reviewed-on: https://chromium-review.googlesource.com/710114 Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> Commit-Queue: Eric Holk <eholk@chromium.org> Cr-Commit-Position: refs/heads/master@{#48435} [modify] https://crrev.com/cc237d872b2e0533e97219d7a5aba7ae53e89386/src/trap-handler/handler-inside.cc [modify] https://crrev.com/cc237d872b2e0533e97219d7a5aba7ae53e89386/src/trap-handler/handler-outside.cc [modify] https://crrev.com/cc237d872b2e0533e97219d7a5aba7ae53e89386/src/trap-handler/handler-shared.cc [modify] https://crrev.com/cc237d872b2e0533e97219d7a5aba7ae53e89386/src/trap-handler/trap-handler-internal.h [modify] https://crrev.com/cc237d872b2e0533e97219d7a5aba7ae53e89386/src/trap-handler/trap-handler.h [modify] https://crrev.com/cc237d872b2e0533e97219d7a5aba7ae53e89386/test/unittests/BUILD.gn [modify] https://crrev.com/cc237d872b2e0533e97219d7a5aba7ae53e89386/test/unittests/unittests.gyp [add] https://crrev.com/cc237d872b2e0533e97219d7a5aba7ae53e89386/test/unittests/wasm/trap-handler-unittest.cc
,
Oct 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/33d4e2096fe8fc30ff17ec99e06dc3e7e499a6cd commit 33d4e2096fe8fc30ff17ec99e06dc3e7e499a6cd Author: Michael Achenbach <machenbach@chromium.org> Date: Wed Oct 11 06:25:43 2017 Revert "Reland "[wasm] trap handlers: fall back on old signal handler"" This reverts commit cc237d872b2e0533e97219d7a5aba7ae53e89386. Reason for revert: breaks win clang: https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20clang/builds/8538 Original change's description: > Reland "[wasm] trap handlers: fall back on old signal handler" > > This is a reland of ee4fe8963c435ff2d520aa34aafa6748e833af3a > Original change's description: > > [wasm] trap handlers: fall back on old signal handler > > > > This is primarily needed to test D8 under ASan. ASan installs a signal handler > > early in the process startup to show stack traces from crashes. We need to make > > sure that if V8 does not handle a signal then the existing handler gets a > > chance. > > > > This change only applies when using V8's default signal handler. When > > integrating with the embedder's signal handler the behavior is unchanged. > > > > Bug: chromium:771948 > > Change-Id: Ifd560acf9700ec5f714f009530258fa92c83cabe > > Reviewed-on: https://chromium-review.googlesource.com/705823 > > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> > > Commit-Queue: Eric Holk <eholk@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#48429} > > Bug: chromium:771948 > Change-Id: Ide307091c432fd933c48f89c51851b8dce44dd30 > Reviewed-on: https://chromium-review.googlesource.com/710114 > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> > Commit-Queue: Eric Holk <eholk@chromium.org> > Cr-Commit-Position: refs/heads/master@{#48435} TBR=mseaborn@chromium.org,bradnelson@chromium.org,gdeepti@chromium.org,eholk@chromium.org,mark@chromium.org Change-Id: If71f61ae186fc6be2006edeb2dffd7e2b6827d91 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:771948 Reviewed-on: https://chromium-review.googlesource.com/711854 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#48436} [modify] https://crrev.com/33d4e2096fe8fc30ff17ec99e06dc3e7e499a6cd/src/trap-handler/handler-inside.cc [modify] https://crrev.com/33d4e2096fe8fc30ff17ec99e06dc3e7e499a6cd/src/trap-handler/handler-outside.cc [modify] https://crrev.com/33d4e2096fe8fc30ff17ec99e06dc3e7e499a6cd/src/trap-handler/handler-shared.cc [modify] https://crrev.com/33d4e2096fe8fc30ff17ec99e06dc3e7e499a6cd/src/trap-handler/trap-handler-internal.h [modify] https://crrev.com/33d4e2096fe8fc30ff17ec99e06dc3e7e499a6cd/src/trap-handler/trap-handler.h [modify] https://crrev.com/33d4e2096fe8fc30ff17ec99e06dc3e7e499a6cd/test/unittests/BUILD.gn [modify] https://crrev.com/33d4e2096fe8fc30ff17ec99e06dc3e7e499a6cd/test/unittests/unittests.gyp [delete] https://crrev.com/cc237d872b2e0533e97219d7a5aba7ae53e89386/test/unittests/wasm/trap-handler-unittest.cc
,
Oct 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/1117da834c8d29ea6e92a734d001fdeed1d4a61e commit 1117da834c8d29ea6e92a734d001fdeed1d4a61e Author: Eric Holk (eholk) <eholk@google.com> Date: Wed Oct 11 20:49:45 2017 Reland "Reland "[wasm] trap handlers: fall back on old signal handler"" This is a reland of cc237d872b2e0533e97219d7a5aba7ae53e89386 Original change's description: > Reland "[wasm] trap handlers: fall back on old signal handler" > > This is a reland of ee4fe8963c435ff2d520aa34aafa6748e833af3a > Original change's description: > > [wasm] trap handlers: fall back on old signal handler > > > > This is primarily needed to test D8 under ASan. ASan installs a signal handler > > early in the process startup to show stack traces from crashes. We need to make > > sure that if V8 does not handle a signal then the existing handler gets a > > chance. > > > > This change only applies when using V8's default signal handler. When > > integrating with the embedder's signal handler the behavior is unchanged. > > > > Bug: chromium:771948 > > Change-Id: Ifd560acf9700ec5f714f009530258fa92c83cabe > > Reviewed-on: https://chromium-review.googlesource.com/705823 > > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> > > Commit-Queue: Eric Holk <eholk@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#48429} > > Bug: chromium:771948 > Change-Id: Ide307091c432fd933c48f89c51851b8dce44dd30 > Reviewed-on: https://chromium-review.googlesource.com/710114 > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> > Commit-Queue: Eric Holk <eholk@chromium.org> > Cr-Commit-Position: refs/heads/master@{#48435} Bug: chromium:771948 Change-Id: I781dfe356a728760090b6ccfa58212096e8f20c8 Reviewed-on: https://chromium-review.googlesource.com/713956 Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> Commit-Queue: Eric Holk <eholk@chromium.org> Cr-Commit-Position: refs/heads/master@{#48474} [modify] https://crrev.com/1117da834c8d29ea6e92a734d001fdeed1d4a61e/src/trap-handler/handler-inside.cc [modify] https://crrev.com/1117da834c8d29ea6e92a734d001fdeed1d4a61e/src/trap-handler/handler-outside.cc [modify] https://crrev.com/1117da834c8d29ea6e92a734d001fdeed1d4a61e/src/trap-handler/handler-shared.cc [modify] https://crrev.com/1117da834c8d29ea6e92a734d001fdeed1d4a61e/src/trap-handler/trap-handler-internal.h [modify] https://crrev.com/1117da834c8d29ea6e92a734d001fdeed1d4a61e/src/trap-handler/trap-handler.h [modify] https://crrev.com/1117da834c8d29ea6e92a734d001fdeed1d4a61e/test/unittests/BUILD.gn [modify] https://crrev.com/1117da834c8d29ea6e92a734d001fdeed1d4a61e/test/unittests/unittests.gyp [add] https://crrev.com/1117da834c8d29ea6e92a734d001fdeed1d4a61e/test/unittests/wasm/trap-handler-unittest.cc
,
Oct 12 2017
,
Oct 12 2017
ClusterFuzz testcase 5652010891476992 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Oct 13 2017
,
Nov 3 2017
,
Nov 7 2017
,
Jan 19 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 27 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Oct 5 2017Summary: Clusterfuzz UNKNOWN WRITE crash in D8 after enabling trap handlers