Issue 804288

Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security

DCHECK failure in IsNativeContext() in contexts-inl.h

Reported by ClusterFuzz (Project Member), Jan 22 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5350534159794176

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  IsNativeContext() in contexts-inl.h
  V8_Dcheck
  v8::internal::Context::is_initial_array_prototype
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=50743:50744

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5350534159794176

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Comment 1 by ClusterFuzz (Project Member), Jan 22 2018

Labels: Test-Predator-Auto-Owner
Owner: petermarshall@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/096db4f06b83f3c40dee9662b9e870b402516b00 ([typedarray] Port the TypedArray constructor dispatcher to CSA.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Labels: -Security_Severity-High Security_Severity-Low Pri-1
Status: Started (was: Assigned)
Cc: jgruber@chromium.org
Comment 4 by sheriffbot@chromium.org (Project Member), Jan 22 2018

Labels: -Pri-1 Pri-2
Comment 5 by bugdroid1@chromium.org (Project Member), Jan 22 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2cfacb743d2f489e484e50c4d947b66d87abf4c1

commit 2cfacb743d2f489e484e50c4d947b66d87abf4c1
Author: Peter Marshall <petermarshall@chromium.org>
Date: Mon Jan 22 14:27:22 2018

[typedarray] Use native context in elements accessor.

A check will fail if the context passed in is not a native context.
Change the code to get the native context from the passed context.

Bug: chromium:804288
Change-Id: Iad314a3dd170355cf524b9230a692a6329564f8a
Reviewed-on: https://chromium-review.googlesource.com/878324
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50761}
[modify] https://crrev.com/2cfacb743d2f489e484e50c4d947b66d87abf4c1/src/elements.cc
[add] https://crrev.com/2cfacb743d2f489e484e50c4d947b66d87abf4c1/test/mjsunit/regress/regress-804288.js

Status: Fixed (was: Started)
Comment 7 by ClusterFuzz (Project Member), Jan 23 2018

ClusterFuzz has detected this issue as fixed in range 50760:50761.

Detailed report: https://clusterfuzz.com/testcase?key=5350534159794176

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  IsNativeContext() in contexts-inl.h
  V8_Dcheck
  v8::internal::Context::is_initial_array_prototype
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=50743:50744
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=50760:50761

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5350534159794176

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by ClusterFuzz (Project Member), Jan 23 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5350534159794176 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 9 by sheriffbot@chromium.org (Project Member), Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 10 by sheriffbot@chromium.org (Project Member), May 1 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot