New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 801772 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security



Sign in to add a comment

DCHECK failure in scope_data_->ReadUint32() == static_cast<uint32_t>(name->length()) in preparsed-

Project Member Reported by ClusterFuzz, Jan 13 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4971037795287040

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  scope_data_->ReadUint32() == static_cast<uint32_t>(name->length()) in preparsed-
  v8::internal::ConsumedPreParsedScopeData::RestoreDataForVariable
  v8::internal::ConsumedPreParsedScopeData::RestoreData
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=47663:47664

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4971037795287040

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jan 13 2018

Components: Blink>JavaScript>Parser
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jan 13 2018

Labels: Test-Predator-Auto-Owner
Owner: marja@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/47c25893d0862092e8609e069d39e24528dc73ea ([parser] Ship preparser scope analysis under future.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Project Member

Comment 3 by sheriffbot@chromium.org, Jan 13 2018

Labels: Pri-1

Comment 4 by marja@chromium.org, Jan 15 2018

Status: Started (was: Assigned)
This is a skipping bug.

A more minimal repro:

function foo(f) { f(); }

foo(function arguments() {
    function skippable() { }
});

Comment 5 by marja@chromium.org, Jan 15 2018

This is kinda funny actually. :)

The bug is that "arguments" and the function name are declared in the wrong order in PreParser.

There is even a comment explaining why they need to be declared in the right order:

ParserBase:
-----------

  if (!IsArrowFunction(kind)) {
    // Declare arguments after parsing the function since lexical 'arguments'
    // masks the arguments object. Declare arguments before declaring the
    // function var since the arguments object masks 'function arguments'.
    function_scope->DeclareArguments(ast_value_factory());
  }

  impl()->DeclareFunctionNameVar(function_name, function_type, function_scope);


PreParser:
----------

  if (!IsArrowFunction(kind) && track_unresolved_variables_ &&
      result == kLazyParsingComplete) {
    DeclareFunctionNameVar(function_name, function_type, function_scope);

    // Declare arguments after parsing the function since lexical 'arguments'
    // masks the arguments object. Declare arguments before declaring the
    // function var since the arguments object masks 'function arguments'.
    function_scope->DeclareArguments(ast_value_factory());
  }

But somehow the PreParser code doesn't match that comment :P
Project Member

Comment 7 by bugdroid1@chromium.org, Jan 17 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9bc4e5602a4740bb06a0cce4ceb27248d90591d4

commit 9bc4e5602a4740bb06a0cce4ceb27248d90591d4
Author: Marja Hölttä <marja@chromium.org>
Date: Wed Jan 17 08:29:20 2018

[parser] Fix declaration order of "arguments" and func name.

They were in the wrong order in PreParser, which caused problem for "function
arguments() { ... }".

BUG= chromium:801772 

Change-Id: Ia04c8c8c0a5d641fd1db0746dc3312c83ebcaf24
Reviewed-on: https://chromium-review.googlesource.com/865900
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50640}
[modify] https://crrev.com/9bc4e5602a4740bb06a0cce4ceb27248d90591d4/src/parsing/preparser.cc
[add] https://crrev.com/9bc4e5602a4740bb06a0cce4ceb27248d90591d4/test/mjsunit/regress/regress-801772.js

Project Member

Comment 8 by ClusterFuzz, Jan 18 2018

ClusterFuzz has detected this issue as fixed in range 50639:50640.

Detailed report: https://clusterfuzz.com/testcase?key=4971037795287040

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  scope_data_->ReadUint32() == static_cast<uint32_t>(name->length()) in preparsed-
  v8::internal::ConsumedPreParsedScopeData::RestoreDataForVariable
  v8::internal::ConsumedPreParsedScopeData::RestoreData
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=47663:47664
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=50639:50640

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4971037795287040

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Jan 18 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 4971037795287040 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by bugdroid1@chromium.org, Jan 18 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e4941f76f5588ac787b32a5d9c5852b0b174d8b6

commit e4941f76f5588ac787b32a5d9c5852b0b174d8b6
Author: Marja Hölttä <marja@chromium.org>
Date: Thu Jan 18 14:26:35 2018

[parser] Follow-up to r50640: add cctest.

This adds a test-preparser cctest corresponding to the regression test added in
https://chromium-review.googlesource.com/865900

BUG= chromium:801772 

Change-Id: I33d74e242fd765b91b7c148b9a0af4960a7b05ea
Reviewed-on: https://chromium-review.googlesource.com/870311
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50688}
[modify] https://crrev.com/e4941f76f5588ac787b32a5d9c5852b0b174d8b6/test/cctest/parsing/test-preparser.cc

Labels: -reward-topanel -Security_Severity-High Security_Severity-Low reward-0
The VRP panel looked at this and concluded that it very likely doesn't lead to  memory corruption. If execution gets past this DCHECK, it hits another DCHECK later as not everything has been parsed, but if that is also removed there's still no crash.
Project Member

Comment 12 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 13 by sheriffbot@chromium.org, Apr 26 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 14 by sheriffbot@chromium.org, Jul 28

Labels: -Pri-1 Pri-2

Sign in to add a comment