New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 791256 link

Starred by 1 user

DCHECK failure in kNoSourcePosition != start_position() in scopes.cc

Project Member Reported by ClusterFuzz, Dec 2 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5681042311872512

Fuzzer: libFuzzer_javascript_parser_proto_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  kNoSourcePosition != start_position() in scopes.cc
  v8::internal::Scope::CheckScopePositions
  v8::internal::Scope::CheckScopePositions
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=512947:512975

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5681042311872512

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Dec 2 2017

Components: Blink>JavaScript>Language
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Dec 2 2017

Cc: adamk@chromium.org leszeks@chromium.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

[parser] Use n-ary addition for template strings by leszeks@chromium.org - https://chromium.googlesource.com/v8/v8/+/531af2f4c1433a3b8b0a42b6ff9c8dd6cf9afdf6

[ast] Expose Literal::Type enum and switch over it in BytecodeGenerator by adamk@chromium.org - https://chromium.googlesource.com/v8/v8/+/bcf9771b81146d7ece2ddcb25c85d3a764040969

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
Project Member

Comment 3 by sheriffbot@chromium.org, Dec 2 2017

Labels: M-64
Project Member

Comment 4 by sheriffbot@chromium.org, Dec 2 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Dec 2 2017

Labels: Pri-1
Cc: titzer@chromium.org hpayer@chromium.org
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Mac OS-Windows
Cc: mmoroz@chromium.org marja@chromium.org
Cc: bmeu...@chromium.org
Owner: siggi@chromium.org
Status: Assigned (was: Untriaged)
siggi: Can you please take a look? It looks like you're the author of the DCHECKs. Thank you!

Comment 9 by siggi@chromium.org, Dec 5 2017

Owner: yangguo@chromium.org
Not my code - I just converted from CHECK to DCHECK for Albatross. Yang, I see your name there: https://chromium.googlesource.com/v8/v8.git/+blame/61e700767ae04ac3772718a6e0cffc89b3c59f58/src/ast/scopes.cc#1798.
Project Member

Comment 10 by sheriffbot@chromium.org, Dec 7 2017

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 11 by marja@chromium.org, Dec 11 2017

The repro is:

( function *  ( name = ( eval ( foo ) , foo , prototype ) ) {  } )

And the bug is reproducible with plain d8.

Comment 12 by marja@chromium.org, Dec 11 2017

Simplest repro I was able to come up with:

(function (name = (eval('') , foo, bar) ) {  })

(Huh, what?)

Comment 13 by marja@chromium.org, Dec 11 2017

Cc: yangguo@chromium.org
Owner: marja@chromium.org
It's a parser bug so assigning to me.

Comment 14 by marja@chromium.org, Dec 11 2017

Alright, this doesn't sound super critical, just some positions are off.. probably a problem in the cover grammar parsing (the "(eval(''), foo, bar)" which is a comma separated expression).

Anyway, this is wonky enough - why are (foo, bar, baz) and (eval(''), foo) ok but (eval(''), foo, bar) not - to warrant having a look. And I guess it's a sensible assumption that we don't produce expressions without positions. Who knows what else goes wrong.

Also, this is interesting in the sense that this is apparently uncovered by our existing tests. When a regression test for this is landed, the mbarbella fuzzer might start finding something interesting based on that. Dunno.

Comment 15 by marja@chromium.org, Dec 11 2017

Ok I guess I know what's going on...

A more minimal repro:

(function (name = (foo, bar, baz) ) {  })

now the initializer is (foo, bar, baz) which is a n-ary expression, and for some reason, those have position -1. That initializer position ends up being the scope position. I guess normally the position of the n-ary expression doesn't trickle into anything, but in this case it does.

So I guess a n-ary expression should also have a proper position...

leszeks@, any reason why it shouldn't?
Project Member

Comment 17 by bugdroid1@chromium.org, Dec 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/10d9c3148864627d643bbeb74224ffa9c7b4fcf9

commit 10d9c3148864627d643bbeb74224ffa9c7b4fcf9
Author: Marja Hölttä <marja@chromium.org>
Date: Tue Dec 12 18:54:03 2017

[parser] Fix NaryOperation positions.

If an initializer is a NaryOperation, its position ends up as a start position
of a Scope, and a DCHECK used to fire.

Interestingly, this was not caught by our existing tests.

BUG= chromium:791256 

Change-Id: Id47f850c7ad17ca580352f9bd56c9567b485c3b8
Reviewed-on: https://chromium-review.googlesource.com/822093
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50051}
[modify] https://crrev.com/10d9c3148864627d643bbeb74224ffa9c7b4fcf9/src/ast/ast.h
[add] https://crrev.com/10d9c3148864627d643bbeb74224ffa9c7b4fcf9/test/mjsunit/regress/regress-crbug-791256.js

Project Member

Comment 18 by ClusterFuzz, Dec 15 2017

ClusterFuzz has detected this issue as fixed in range 524053:524063.

Detailed report: https://clusterfuzz.com/testcase?key=5681042311872512

Fuzzer: libFuzzer_javascript_parser_proto_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  kNoSourcePosition != start_position() in scopes.cc
  v8::internal::Scope::CheckScopePositions
  v8::internal::Scope::CheckScopePositions
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=512947:512975
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=524053:524063

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5681042311872512

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 19 by ClusterFuzz, Dec 15 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5681042311872512 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 20 by sheriffbot@chromium.org, Dec 15 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 21 by sheriffbot@chromium.org, Dec 17 2017

Labels: Merge-Request-64
Project Member

Comment 22 by sheriffbot@chromium.org, Dec 17 2017

Labels: -Merge-Request-64 Hotlist-Merge-Review Merge-Review-64
This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
abdulsyed@ - good for 64
Labels: -Merge-Review-64 Merge-Approved-64
Approving this for M64. Branch:3282
marja@, reminder to please merge CL to M64 branch 3282.
Please merge the approved cl(s) to M64 release branch 3282 as soon as possible.
Project Member

Comment 27 by bugdroid1@chromium.org, Jan 5 2018

Labels: merge-merged-6.4
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a28ca3e1004e0cfbbb582bffdc2c527cc17dc3f2

commit a28ca3e1004e0cfbbb582bffdc2c527cc17dc3f2
Author: Adam Klein <adamk@chromium.org>
Date: Fri Jan 05 22:47:11 2018

Merged: [parser] Fix NaryOperation positions.

Revision: 10d9c3148864627d643bbeb74224ffa9c7b4fcf9

BUG= chromium:791256 
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=gsathya@chromium.org

Change-Id: I5149ac5b5582523ef887a13f38844e51bced9f3f
Reviewed-on: https://chromium-review.googlesource.com/853155
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.4@{#39}
Cr-Branched-From: 0407506af3d9d7e2718be1d8759296165b218fcf-refs/heads/6.4.388@{#1}
Cr-Branched-From: a5fc4e085ee543cb608eb11034bc8f147ba388e1-refs/heads/master@{#49724}
[modify] https://crrev.com/a28ca3e1004e0cfbbb582bffdc2c527cc17dc3f2/src/ast/ast.h
[add] https://crrev.com/a28ca3e1004e0cfbbb582bffdc2c527cc17dc3f2/test/mjsunit/regress/regress-crbug-791256.js

Labels: -Merge-Approved-64 merge-merged-64
Thanks for merging while I was ooo!
Project Member

Comment 30 by sheriffbot@chromium.org, Mar 24 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 31 by sheriffbot@chromium.org, Mar 27 2018

Labels: -Security_Impact-Beta -M-64 M-65 Security_Impact-Stable
Labels: -ReleaseBlock-Stable

Sign in to add a comment