
Issue 778952 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug-Regression




DCHECK failure in raw_properties_or_hash()->IsDictionary() == map()->is_dictionary_map() in object

Reported by ClusterFuzz (Project Member), Oct 27 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6222290936397824

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  raw_properties_or_hash()->IsDictionary() == map()->is_dictionary_map() in object
  HasFastProperties
  v8::internal::JSReceiver::property_dictionary
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48929:48930

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6222290936397824

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by sheriffbot@chromium.org (Project Member), Oct 27 2017

Labels: Pri-1

Comment 2 by ClusterFuzz (Project Member), Oct 31 2017

Labels: Test-Predator-AutoOwner
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/b1aaa6af5d6d95dba407d88af6d1bca765c4305c ([es2015] Unify hash storage for JSProxy and JSGlobalProxy.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Cc: ishell@chromium.org bmeu...@chromium.org verwa...@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>Runtime
Owner: jkummerow@chromium.org
Here's a simplified repro:

assertThrows(function() {  // assertThrows comes from V8's mjsunit test harness
  const p = new Proxy({}, {});
  (new Set).add(p);  // compute the hash code for p
  null[p] = 0;       // throws TypeError; building its message looks up the key on p
});

Somehow the LookupIterator walks into LookupIterator::LookupInRegularHolder for the JSProxy p while constructing the error message, which doesn't look right. Assigning to jkummerow@ for investigation.
Labels: -Type-Bug-Security -Pri-1 -Restrict-View-SecurityTeam -Security_Severity-High OS-Android OS-Chrome OS-Mac OS-Windows Pri-2 Type-Bug-Regression
Status: Started (was: Assigned)
LookupInRegularHolder is fine, "regular" just means "no interceptors, no access checks". It takes a JSReceiver, so Proxies are handled there. The only problem is an outdated DCHECK in HasFastProperties: https://chromium-review.googlesource.com/#/c/v8/v8/+/747272
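A standalone version of the repro above, added here as an example and not taken from the bug thread or from V8 itself: it drops the mjsunit assertThrows dependency so it runs under Node.js or plain d8, and it widens the single Set / null[p] = 0 case to the other identity-keyed collections and to get and set on both null and undefined. That Map, WeakMap and WeakSet also force V8 to compute the identity hash is an assumption of this example, not something the thread states. On a release build every case simply throws TypeError; on a debug d8 in the regressed range the original Set case aborted on the DCHECK instead, so the same harness doubles as a regression smoke test.

```javascript
// Added standalone version of the repro from the bug thread, written for
// Node.js or d8 without the mjsunit assertThrows helper. Not code from the
// bug or from V8. The bug: after an empty JSProxy gets an identity hash
// (stored in its {properties} slot), a property lookup on that proxy while
// V8 builds the "Cannot set property of null" error message tripped an
// outdated DCHECK in HasFastProperties on debug builds.

// Ways to force V8 to compute an object's identity hash. The bug's repro
// used Set; the other collections are assumed here to behave the same,
// since they also key objects by identity.
const hashers = {
  set:     (o) => { new Set().add(o); },
  map:     (o) => { new Map().set(o, 1); },
  weakset: (o) => { new WeakSet().add(o); },
  weakmap: (o) => { new WeakMap().set(o, 1); },
};

// Property accesses on null/undefined whose error message mentions the key.
const accessors = {
  setOnNull:      (k) => { null[k] = 0; },
  getOnNull:      (k) => { return null[k]; },
  setOnUndefined: (k) => { undefined[k] = 0; },
  getOnUndefined: (k) => { return undefined[k]; },
};

// Runs one (hasher, accessor) pair on a fresh empty Proxy and returns the
// thrown error's constructor name, or null if nothing was thrown. A correct
// engine throws TypeError every time; the DCHECK bug aborted a debug build
// instead of returning at all.
function triggerCase(hasherName, accessorName, target = new Proxy({}, {})) {
  hashers[hasherName](target);
  try {
    accessors[accessorName](target);
  } catch (e) {
    return e.constructor.name;
  }
  return null;
}

// Exercises every combination and returns the ones that did not throw TypeError.
function runAll() {
  const failures = [];
  for (const h of Object.keys(hashers)) {
    for (const a of Object.keys(accessors)) {
      const result = triggerCase(h, a);
      if (result !== 'TypeError') failures.push(`${h}/${a}: ${result}`);
    }
  }
  return failures;
}

if (typeof require !== 'undefined' && require.main === module) {
  const failures = runAll();
  console.log(failures.length === 0 ? 'all cases threw TypeError' : failures.join('\n'));
}
```

The Proxy is created fresh per case so each one hits the "no own properties, hash already computed" state the fix describes; reusing one object across cases would only exercise that state on the first access.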

Comment 5 by bugdroid1@chromium.org (Project Member), Oct 31 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a5b0d640c2670243b800bff1273f6afc39cc4a37

commit a5b0d640c2670243b800bff1273f6afc39cc4a37
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Tue Oct 31 18:06:43 2017

Fix DCHECK in HasFastProperties

Objects with both dictionary and non-dictionary maps can store their
hash in the {properties} field when they have no other properties.

Bug:  chromium:778952 
Change-Id: I8ac8c31eaac32116415e3c65cef8dee260dca2c9
Reviewed-on: https://chromium-review.googlesource.com/747272
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49056}
[modify] https://crrev.com/a5b0d640c2670243b800bff1273f6afc39cc4a37/src/objects-inl.h
[add] https://crrev.com/a5b0d640c2670243b800bff1273f6afc39cc4a37/test/mjsunit/regress/regress-crbug-778952.js

Status: Fixed (was: Started)

Comment 7 by ClusterFuzz (Project Member), Nov 1 2017

ClusterFuzz has detected this issue as fixed in range 49055:49056.

Detailed report: https://clusterfuzz.com/testcase?key=6222290936397824

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  raw_properties_or_hash()->IsDictionary() == map()->is_dictionary_map() in object
  HasFastProperties
  v8::internal::JSReceiver::property_dictionary
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48929:48930
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49055:49056

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6222290936397824

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz (Project Member), Nov 1 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6222290936397824 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: -Test-Predator-AutoOwner Test-Predator-Auto-Owner
