New issue
Advanced search Search tips

Issue 774994 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

CHECK failure: args[1]->IsJSObject() in runtime-classes.cc

Project Member Reported by ClusterFuzz, Oct 16 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5604116503199744

Fuzzer: inferno_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  args[1]->IsJSObject() in runtime-classes.cc
  
Sanitizer: undefined (UBSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5604116503199744

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 

Comment 1 by titzer@chromium.org, Oct 16 2017

Owner: adamk@chromium.org
Status: Assigned (was: Untriaged)
This reproduces on ToT. Adam, can you take a look or assign a better owner? Looks like it has to do with named super properties.
Project Member

Comment 2 by sheriffbot@chromium.org, Oct 16 2017

Labels: Pri-1
Project Member

Comment 3 by ClusterFuzz, Oct 16 2017

Labels: ClusterFuzz-Top-Crash ReleaseBlock-Beta M-63
Testcase 5604116503199744 is a top crash on ClusterFuzz for linux platform. Please prioritize fixing this crash.

Marking this crash as a Beta release blocker.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 4 by adamk@chromium.org, Oct 16 2017

Labels: -Type-Bug-Security -ReleaseBlock-Beta -Security_Severity-High Security_Severity-Low Type-Bug
Status: Started (was: Assigned)
This doesn't seem to be recently-introduced. Also, I doubt it's a security problem (it CHECK-fails even in release builds).

Minimal repro:

function f() {
  new class extends Object { 
    constructor() {
      eval("super(); super.__f_10();");
    }
  }
}
f();

Comment 5 by adamk@chromium.org, Oct 16 2017

Labels: Stability-Crash

Comment 6 by adamk@chromium.org, Oct 16 2017

Cc: marja@chromium.org
This crash goes away if I turn off --preparser-scope-analysis. With that flag enabled, we fail to mark the constructor with "inner scope calls eval" during preparsing, which leads to badness downstream.

Comment 7 by adamk@chromium.org, Oct 16 2017

Okay, figured it out. The trouble is that the preparsed scope data records the "uses super property" bit instead of the "needs home object" bit. Fix on the way.
Project Member

Comment 8 by bugdroid1@chromium.org, Oct 17 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/94a71d7c45c8ff88dc0674e2cb370964eb939c7e

commit 94a71d7c45c8ff88dc0674e2cb370964eb939c7e
Author: Adam Klein <adamk@chromium.org>
Date: Tue Oct 17 01:49:36 2017

[parser] Skipping inner funcs: accurately record NeedsHomeObject

Inner functions which called eval, and were the kind of functions
that can use `super`, were erroneously not marked as "uses_super_property",
leading to downstream crashes when the runtime tried to load the
[[HomeObject]] from them.

This patch eliminates the public Scope::uses_super_property()
API and ensures that callers always call Scope::NeedsHomeObject()
instead.

This is a minimal fix designed for easy merging; it's likely that
in the long run we should remove most mentions of "uses super property"
and replace them with "needs home object" for clarity.

Bug:  v8:5516 ,  chromium:774994 
Change-Id: Id269dd33e35bd40f6b59a3d3e19330687afa64f8
Reviewed-on: https://chromium-review.googlesource.com/721879
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48619}
[modify] https://crrev.com/94a71d7c45c8ff88dc0674e2cb370964eb939c7e/src/ast/scopes.cc
[modify] https://crrev.com/94a71d7c45c8ff88dc0674e2cb370964eb939c7e/src/ast/scopes.h
[modify] https://crrev.com/94a71d7c45c8ff88dc0674e2cb370964eb939c7e/src/parsing/parser.cc
[modify] https://crrev.com/94a71d7c45c8ff88dc0674e2cb370964eb939c7e/src/parsing/preparsed-scope-data.cc
[modify] https://crrev.com/94a71d7c45c8ff88dc0674e2cb370964eb939c7e/test/cctest/test-parsing.cc
[add] https://crrev.com/94a71d7c45c8ff88dc0674e2cb370964eb939c7e/test/mjsunit/regress/regress-crbug-774994.js

Project Member

Comment 9 by ClusterFuzz, Oct 17 2017

ClusterFuzz has detected this issue as fixed in range 48618:48619.

Detailed report: https://clusterfuzz.com/testcase?key=5604116503199744

Fuzzer: inferno_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  args[1]->IsJSObject() in runtime-classes.cc
  
Sanitizer: undefined (UBSAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=48618:48619

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5604116503199744

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Oct 17 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5604116503199744 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 17 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 12 by adamk@chromium.org, Oct 17 2017

Labels: Merge-Request-63
Project Member

Comment 13 by sheriffbot@chromium.org, Oct 18 2017

Labels: -Merge-Request-63 Hotlist-Merge-Approved Merge-Approved-63
Your change meets the bar and is auto-approved for M63. Please go ahead and merge the CL to branch 3239 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Please merge your change to M63 branch 3239 by 4:00 PM PT tomorrow, Thursday so we can take it in for next M63 dev release. Thank you.
Project Member

Comment 15 by bugdroid1@chromium.org, Oct 19 2017

Labels: merge-merged-6.3
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e4fc7c5b5bbf4d0f947425719bda449d8420121a

commit e4fc7c5b5bbf4d0f947425719bda449d8420121a
Author: Adam Klein <adamk@chromium.org>
Date: Thu Oct 19 09:31:34 2017

[parser] Skipping inner funcs: accurately record NeedsHomeObject

Inner functions which called eval, and were the kind of functions
that can use `super`, were erroneously not marked as "uses_super_property",
leading to downstream crashes when the runtime tried to load the
[[HomeObject]] from them.

This patch eliminates the public Scope::uses_super_property()
API and ensures that callers always call Scope::NeedsHomeObject()
instead.

This is a minimal fix designed for easy merging; it's likely that
in the long run we should remove most mentions of "uses super property"
and replace them with "needs home object" for clarity.

NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Bug:  v8:5516 ,  chromium:774994 
Change-Id: Id269dd33e35bd40f6b59a3d3e19330687afa64f8
Reviewed-on: https://chromium-review.googlesource.com/721879
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#48619}(cherry picked from commit 94a71d7c45c8ff88dc0674e2cb370964eb939c7e)
Reviewed-on: https://chromium-review.googlesource.com/727762
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#26}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
[modify] https://crrev.com/e4fc7c5b5bbf4d0f947425719bda449d8420121a/src/ast/scopes.cc
[modify] https://crrev.com/e4fc7c5b5bbf4d0f947425719bda449d8420121a/src/ast/scopes.h
[modify] https://crrev.com/e4fc7c5b5bbf4d0f947425719bda449d8420121a/src/parsing/parser.cc
[modify] https://crrev.com/e4fc7c5b5bbf4d0f947425719bda449d8420121a/src/parsing/preparsed-scope-data.cc
[modify] https://crrev.com/e4fc7c5b5bbf4d0f947425719bda449d8420121a/test/cctest/test-parsing.cc
[add] https://crrev.com/e4fc7c5b5bbf4d0f947425719bda449d8420121a/test/mjsunit/regress/regress-crbug-774994.js

Labels: -Merge-Approved-63
Per comment #15, this is already merged to M63.
Project Member

Comment 17 by sheriffbot@chromium.org, Jan 23 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment