New issue
Advanced search Search tips

Issue 784990 link

Starred by 1 user
Status: Verified
Owner:
jgruber@chromium.org
Closed: Nov 2017
Cc:
peter.wm...@gmail.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

DCHECK failure in nod == removed_holes_index in objects.cc

Project Member Reported by ClusterFuzz, Nov 14 2017 
Detailed report: https://clusterfuzz.com/testcase?key=5982243268067328

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  nod == removed_holes_index in objects.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=49342:49343

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5982243268067328

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by clemensh@chromium.org, Nov 15 2017

Cc: peter.wm...@gmail.com
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)
Local bisect confirms c5c50e18600db409d13efff6a33ae65062de4fe1 ([builtins] Port WeakMap/WeakSet constructor to CSA).

Comment 2 by jgruber@chromium.org, Nov 15 2017

Labels: Pri-1
Thanks, reduced repro:

const xs = [, 1, 2, 3, 4];
assertThrows(() => new Set(xs));

Comment 3 by jgruber@chromium.org, Nov 15 2017 

The issue seems to be in the new fast path for fast JSArrays args, where we read directly from the FixedArray backing store instead of going through the iterator.

We're missing a hole-to-undefined translation there and thus can end up writing holes into the collection backing store, which is a bug.

Another problem is that we can end up trying to alloc a HeapNumber with the hole as the value.

Comment 4 by peter.wm...@gmail.com, Nov 15 2017 

I'm looking at this now, and should have a fix shortly.

Comment 6 by mmoroz@chromium.org, Nov 15 2017

Labels: Security_Impact-Head M-64
Project Member

Comment 7 by bugdroid1@chromium.org, Nov 16 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/007203abd05604728e12650813a67a13e71004a2

commit 007203abd05604728e12650813a67a13e71004a2
Author: peterwmwong <peter.wm.wong@gmail.com>
Date: Thu Nov 16 06:59:25 2017

[collections] Handle holes in collection constructor fast paths

Bug:  chromium:784990 
Change-Id: I08c10ec706ccaba765edc7322dc92374863b8a7a
Reviewed-on: https://chromium-review.googlesource.com/771387
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49397}
[modify] https://crrev.com/007203abd05604728e12650813a67a13e71004a2/src/builtins/builtins-collections-gen.cc
[add] https://crrev.com/007203abd05604728e12650813a67a13e71004a2/test/mjsunit/regress/regress-784990.js

Comment 8 by jgruber@chromium.org, Nov 16 2017

Status: Fixed (was: Assigned)
Project Member

Comment 9 by ClusterFuzz, Nov 16 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6041647363391488 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 16 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 11 by sheriffbot@chromium.org, Feb 22 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 12 by sheriffbot@chromium.org, Mar 27 2018

Labels: -Security_Impact-Head -M-64 M-65 Security_Impact-Stable

Sign in to add a comment