Issue metadata
Sign in to add a comment
|
CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5581496621727744 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i cast cast<v8::internal::Object> Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48139:48140 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5581496621727744 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Oct 19 2017
,
Oct 19 2017
,
Oct 22 2017
ClusterFuzz has detected this issue as fixed in range 48809:48810. Detailed report: https://clusterfuzz.com/testcase?key=5581496621727744 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i cast cast<v8::internal::Object> Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48139:48140 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48809:48810 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5581496621727744 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 22 2017
ClusterFuzz testcase 5581496621727744 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Oct 22 2017
,
Oct 23 2017
This doesn't seem to be related to my CL, it just flushed out the bug. Also while the crash goes away with jarin@'s CL, I'm not sure the underlying problem is fixed. Here's a simplified repro that works with c38e37f302 (right before jarin@'s CL):
======================================================
// Flags: --allow-natives-syntax --enable-slow-asserts
function foo(o) {
o.a += o.c;
}
function bar() {
var o = {c: 10};
foo(o);
%_DeoptimizeNow();
foo(o);
}
bar();
bar();
%OptimizeFunctionOnNextCall(bar);
bar();
======================================================
It crashes in the ToNumeric call for o.a inside foo, passing a MutableNumber nan instead of a HeapNumber nan. It's really subtle and I wasn't able to figure out what's wrong exactly, but it might be another instance of the dead code problem.
Assigning to jarin@ and tebbi@ to decide about further steps / investigations.
,
Oct 23 2017
,
Nov 2 2017
jarin: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 2 2017
jarin -- can you please help triage this high severity security bug and find the right owner? thanks.
,
Nov 7 2017
,
Nov 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/9eb92da6185868969c14e92c14cee21c4daee928 commit 9eb92da6185868969c14e92c14cee21c4daee928 Author: Jaroslav Sevcik <jarin@chromium.org> Date: Thu Nov 09 12:02:47 2017 [deoptimizer] Make sure property arrays don't contain mutable heap numbers. Since the deoptimizer generalizes maps for all materialized objects, it must make sure that none of the object's fields contain mutable heap numbers (only double fields are allowed to point to mutable heap numbers). With this CL, we simply change any mutable heap numbers in property arrays to immutable ones. This could be dangerous if some non-materialized object could point to this property array, but this cannot happen because interpreter registers cannot refer to naked property arrays. Bug: chromium:776309 Change-Id: I897b604fa804de673710cfa3ba0595dbd9f80eeb Reviewed-on: https://chromium-review.googlesource.com/759781 Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#49263} [modify] https://crrev.com/9eb92da6185868969c14e92c14cee21c4daee928/src/deoptimizer.cc [add] https://crrev.com/9eb92da6185868969c14e92c14cee21c4daee928/test/mjsunit/regress/regress-776309.js
,
Nov 10 2017
,
Nov 10 2017
+ awhalley@ for merge review
,
Nov 10 2017
,
Nov 10 2017
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 12 2017
@govind - good for 63
,
Nov 13 2017
hablich@ for merge approval as this is related to V8. PTAL comment #17. Thank you.
,
Nov 13 2017
I don't think this was yet properly deployed to Canary because of our roll back that weekend.
,
Nov 16 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 20 2017
Unfortunately, this fix does not apply cleanly because of the bulk change of CHECKs. At this point, I am not sure it is worth merging this manually.
,
Nov 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/230deeffa310c48b1ed009ae86550e62cc1d0e50 commit 230deeffa310c48b1ed009ae86550e62cc1d0e50 Author: Jaroslav Sevcik <jarin@chromium.org> Date: Mon Nov 20 12:37:10 2017 Merged: [deoptimizer] Make sure property arrays don't contain mutable heap numbers. Revision: 9eb92da6185868969c14e92c14cee21c4daee928 BUG= chromium:776309 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=bmeurer@chromium.org Change-Id: I1d584a940188f33e0ab490aa104e8a6774bbdafc Reviewed-on: https://chromium-review.googlesource.com/779180 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/branch-heads/6.3@{#81} Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1} Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432} [modify] https://crrev.com/230deeffa310c48b1ed009ae86550e62cc1d0e50/src/deoptimizer.cc
,
Nov 20 2017
Per comment #23,this is already merged to M63.
,
Dec 4 2017
,
Feb 16 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 27 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by titzer@chromium.org
, Oct 19 2017Status: Assigned (was: Untriaged)