CHECK failure: args[1]->IsJSObject() in runtime-classes.cc |
|||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5604116503199744 Fuzzer: inferno_js_fuzzer Job Type: linux_ubsan_vptr_d8 Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: args[1]->IsJSObject() in runtime-classes.cc Sanitizer: undefined (UBSAN) Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5604116503199744 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Oct 16 2017
,
Oct 16 2017
Testcase 5604116503199744 is a top crash on ClusterFuzz for linux platform. Please prioritize fixing this crash. Marking this crash as a Beta release blocker. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Oct 16 2017
This doesn't seem to be recently-introduced. Also, I doubt it's a security problem (it CHECK-fails even in release builds).
Minimal repro:
function f() {
new class extends Object {
constructor() {
eval("super(); super.__f_10();");
}
}
}
f();
,
Oct 16 2017
,
Oct 16 2017
This crash goes away if I turn off --preparser-scope-analysis. With that flag enabled, we fail to mark the constructor with "inner scope calls eval" during preparsing, which leads to badness downstream.
,
Oct 16 2017
Okay, figured it out. The trouble is that the preparsed scope data records the "uses super property" bit instead of the "needs home object" bit. Fix on the way.
,
Oct 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/94a71d7c45c8ff88dc0674e2cb370964eb939c7e commit 94a71d7c45c8ff88dc0674e2cb370964eb939c7e Author: Adam Klein <adamk@chromium.org> Date: Tue Oct 17 01:49:36 2017 [parser] Skipping inner funcs: accurately record NeedsHomeObject Inner functions which called eval, and were the kind of functions that can use `super`, were erroneously not marked as "uses_super_property", leading to downstream crashes when the runtime tried to load the [[HomeObject]] from them. This patch eliminates the public Scope::uses_super_property() API and ensures that callers always call Scope::NeedsHomeObject() instead. This is a minimal fix designed for easy merging; it's likely that in the long run we should remove most mentions of "uses super property" and replace them with "needs home object" for clarity. Bug: v8:5516 , chromium:774994 Change-Id: Id269dd33e35bd40f6b59a3d3e19330687afa64f8 Reviewed-on: https://chromium-review.googlesource.com/721879 Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/master@{#48619} [modify] https://crrev.com/94a71d7c45c8ff88dc0674e2cb370964eb939c7e/src/ast/scopes.cc [modify] https://crrev.com/94a71d7c45c8ff88dc0674e2cb370964eb939c7e/src/ast/scopes.h [modify] https://crrev.com/94a71d7c45c8ff88dc0674e2cb370964eb939c7e/src/parsing/parser.cc [modify] https://crrev.com/94a71d7c45c8ff88dc0674e2cb370964eb939c7e/src/parsing/preparsed-scope-data.cc [modify] https://crrev.com/94a71d7c45c8ff88dc0674e2cb370964eb939c7e/test/cctest/test-parsing.cc [add] https://crrev.com/94a71d7c45c8ff88dc0674e2cb370964eb939c7e/test/mjsunit/regress/regress-crbug-774994.js
,
Oct 17 2017
ClusterFuzz has detected this issue as fixed in range 48618:48619. Detailed report: https://clusterfuzz.com/testcase?key=5604116503199744 Fuzzer: inferno_js_fuzzer Job Type: linux_ubsan_vptr_d8 Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: args[1]->IsJSObject() in runtime-classes.cc Sanitizer: undefined (UBSAN) Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=48618:48619 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5604116503199744 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 17 2017
ClusterFuzz testcase 5604116503199744 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Oct 17 2017
,
Oct 17 2017
,
Oct 18 2017
Your change meets the bar and is auto-approved for M63. Please go ahead and merge the CL to branch 3239 manually. Please contact milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 18 2017
Please merge your change to M63 branch 3239 by 4:00 PM PT tomorrow, Thursday so we can take it in for next M63 dev release. Thank you.
,
Oct 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e4fc7c5b5bbf4d0f947425719bda449d8420121a commit e4fc7c5b5bbf4d0f947425719bda449d8420121a Author: Adam Klein <adamk@chromium.org> Date: Thu Oct 19 09:31:34 2017 [parser] Skipping inner funcs: accurately record NeedsHomeObject Inner functions which called eval, and were the kind of functions that can use `super`, were erroneously not marked as "uses_super_property", leading to downstream crashes when the runtime tried to load the [[HomeObject]] from them. This patch eliminates the public Scope::uses_super_property() API and ensures that callers always call Scope::NeedsHomeObject() instead. This is a minimal fix designed for easy merging; it's likely that in the long run we should remove most mentions of "uses super property" and replace them with "needs home object" for clarity. NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true Bug: v8:5516 , chromium:774994 Change-Id: Id269dd33e35bd40f6b59a3d3e19330687afa64f8 Reviewed-on: https://chromium-review.googlesource.com/721879 Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Adam Klein <adamk@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#48619}(cherry picked from commit 94a71d7c45c8ff88dc0674e2cb370964eb939c7e) Reviewed-on: https://chromium-review.googlesource.com/727762 Reviewed-by: Michael Hablich <hablich@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/branch-heads/6.3@{#26} Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1} Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432} [modify] https://crrev.com/e4fc7c5b5bbf4d0f947425719bda449d8420121a/src/ast/scopes.cc [modify] https://crrev.com/e4fc7c5b5bbf4d0f947425719bda449d8420121a/src/ast/scopes.h [modify] https://crrev.com/e4fc7c5b5bbf4d0f947425719bda449d8420121a/src/parsing/parser.cc [modify] https://crrev.com/e4fc7c5b5bbf4d0f947425719bda449d8420121a/src/parsing/preparsed-scope-data.cc [modify] https://crrev.com/e4fc7c5b5bbf4d0f947425719bda449d8420121a/test/cctest/test-parsing.cc [add] https://crrev.com/e4fc7c5b5bbf4d0f947425719bda449d8420121a/test/mjsunit/regress/regress-crbug-774994.js
,
Oct 19 2017
Per comment #15, this is already merged to M63.
,
Jan 23 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||
►
Sign in to add a comment |
|||||||||||||
Comment 1 by titzer@chromium.org
, Oct 16 2017Status: Assigned (was: Untriaged)