New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 772897 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

DCHECK failure in !has_pending_exception() in isolate.cc

Project Member Reported by ClusterFuzz, Oct 9 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5094728617164800

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !has_pending_exception() in isolate.cc
  v8::internal::Isolate::Throw
  v8::internal::Isolate::StackOverflow
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47759:47760

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5094728617164800

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Oct 9 2017

Labels: Test-Predator-AutoOwner
Owner: mslekova@google.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/a9f517e2348e4dbeb74a4f2ceab98e5d254f1caa ([builtins] Port Proxy set trap to CSA).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Project Member

Comment 2 by sheriffbot@chromium.org, Oct 10 2017

Labels: M-63
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 10 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 10 2017

Labels: Pri-1
Project Member

Comment 5 by sheriffbot@chromium.org, Oct 10 2017

Labels: Hotlist-Recharge-BouncingOwner
Owner: ----
Status: Untriaged (was: Assigned)
The assigned owner "mslekova@google.com" is not able to receive e-mails, please re-triage.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by wfh@chromium.org, Oct 12 2017

Owner: fran...@chromium.org
mslekova has left, adding franzih - can you triage this?
Status: Assigned (was: Untriaged)
Cc: ishell@chromium.org

Comment 9 by ishell@chromium.org, Oct 13 2017

Cc: -ishell@chromium.org fran...@chromium.org
Owner: ishell@chromium.org
Project Member

Comment 10 by sheriffbot@chromium.org, Oct 18 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 27 2017

ishell: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 12 by bugdroid1@chromium.org, Oct 30 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ef45d789d284d082244d8bdb4a0989d44fe896be

commit ef45d789d284d082244d8bdb4a0989d44fe896be
Author: Igor Sheludko <ishell@chromium.org>
Date: Mon Oct 30 15:06:38 2017

[proxy] Properly handle exceptions from Object::ToName().

... when storing to proxies.

Bug:  chromium:772897 
Change-Id: Ia91e69f35dc3b1f67b67038bd8206e508149e9a3
Reviewed-on: https://chromium-review.googlesource.com/744041
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49039}
[modify] https://crrev.com/ef45d789d284d082244d8bdb4a0989d44fe896be/src/runtime/runtime-proxy.cc
[add] https://crrev.com/ef45d789d284d082244d8bdb4a0989d44fe896be/test/mjsunit/regress/regress-crbug-772897.js

Labels: Merge-Request-63
Status: Fixed (was: Assigned)
Project Member

Comment 14 by ClusterFuzz, Oct 30 2017

ClusterFuzz has detected this issue as fixed in range 49038:49039.

Detailed report: https://clusterfuzz.com/testcase?key=5094728617164800

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !has_pending_exception() in isolate.cc
  v8::internal::Isolate::Throw
  v8::internal::Isolate::StackOverflow
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47759:47760
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49038:49039

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5094728617164800

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 15 by ClusterFuzz, Oct 30 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5094728617164800 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Cc: hablich@chromium.org
Cc: awhalley@chromium.org
+awhalley@ (Security TPM)
Project Member

Comment 18 by sheriffbot@chromium.org, Oct 31 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 19 by sheriffbot@chromium.org, Oct 31 2017

Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
govind@ - good for M53
Labels: -Merge-Review-63 Merge-Approved-63
Approving merge to M63 branch for cl listed at #12 per comment #20. Please merge ASAP. Thank you.
Project Member

Comment 22 by bugdroid1@chromium.org, Nov 2 2017

Labels: merge-merged-6.3
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/09540f34495ab584f193a4e6f94fc8b07abf61f7

commit 09540f34495ab584f193a4e6f94fc8b07abf61f7
Author: ishell@chromium.org <ishell@chromium.org>
Date: Thu Nov 02 10:37:02 2017

Merged: [proxy] Properly handle exceptions from Object::ToName().

Revision: ef45d789d284d082244d8bdb4a0989d44fe896be

BUG= chromium:772897 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=verwaest@chromium.org

Change-Id: I12e35f6be2922ae707a9e23ca24b4e51cdd35ad9
Reviewed-on: https://chromium-review.googlesource.com/750083
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#48}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
[modify] https://crrev.com/09540f34495ab584f193a4e6f94fc8b07abf61f7/src/runtime/runtime-proxy.cc
[add] https://crrev.com/09540f34495ab584f193a4e6f94fc8b07abf61f7/test/mjsunit/regress/regress-crbug-772897.js

Labels: -Merge-Approved-63
Per comment #22, this is already merged to M63.
Labels: -ReleaseBlock-Stable
Labels: -Test-Predator-AutoOwner Test-Predator-Auto-Owner
Project Member

Comment 26 by sheriffbot@chromium.org, Feb 6 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 27 by sheriffbot@chromium.org, Mar 27 2018

Labels: -Security_Impact-Beta -M-63 M-65 Security_Impact-Stable

Sign in to add a comment