New issue
Advanced search Search tips

Issue 804801 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security



Sign in to add a comment

CHECK failure: Type cast failed in CAST(add_func) at ../../src/builtins/builtins-collections-ge

Project Member Reported by ClusterFuzz, Jan 23 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6214676143931392

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Type cast failed in CAST(add_func) at ../../src/builtins/builtins-collections-ge
  v8::internal::CheckObjectType
  Call
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50690:50691

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6214676143931392

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jan 23 2018

Components: Blink>JavaScript>Compiler
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jan 23 2018

Cc: peter.wm...@gmail.com
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

[builtins] Re-enable Set and WeakSet constructor fast path. by peter.wm.wong@gmail.com - https://chromium.googlesource.com/v8/v8/+/9c5053bf4d2f2ebc4973f51ff46a0b93b95d154d

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Project Member

Comment 3 by sheriffbot@chromium.org, Jan 23 2018

Labels: Pri-1
Cc: cbruni@chromium.org jgruber@chromium.org
Labels: Security_Impact-Head M-65
Owner: hpayer@chromium.org
Status: Assigned (was: Untriaged)
-> hpayer@ to triage and reassign
Cc: -jgruber@chromium.org
Owner: jgruber@chromium.org
Peter, PTAL. Repro:

(function () {
    switch (typeof value) {
    }
  assertEquals = function assertEquals() {
  };
})();
var helpers = function helpers() {
  return {
    getDummyObject: function getDummyObject() {
    }
  };
}();
var assert = function assert() {
  return {
    areEqual: function areEqual() {
    },
    doesNotThrow: function doesNotThrow(testFunction) {
        testFunction()
    }
  };
}();
let __v_12507 = assertEquals.bind();
function __f_3330() {
    __v_12543 = new Set([])
}
  Object.defineProperty(Set.prototype, "add", {
    get: function () {
      return (
        __v_12507
      );
    }
  });
  assert.doesNotThrow(__f_3330);
Peter, fyi I ended up doing a quick fix myself. In-flight at https://crrev.com/c/883121
Status: Fixed (was: Assigned)
No backmerges necessary, this only affects cast type-checks.
Labels: -Security_Severity-High Security_Severity-Low
Project Member

Comment 9 by bugdroid1@chromium.org, Jan 24 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c0a6e85153f148f051b6e3d90de8a3f1bf59fc69

commit c0a6e85153f148f051b6e3d90de8a3f1bf59fc69
Author: jgruber <jgruber@chromium.org>
Date: Wed Jan 24 09:49:14 2018

[builtins] Allow bound function / proxy `add` in collection ctors

Bug:  chromium:804801 
Change-Id: I2d54e98df09b0ed5ccfcddd0815ad162641e03d6
Reviewed-on: https://chromium-review.googlesource.com/883121
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50827}
[modify] https://crrev.com/c0a6e85153f148f051b6e3d90de8a3f1bf59fc69/src/builtins/builtins-collections-gen.cc
[add] https://crrev.com/c0a6e85153f148f051b6e3d90de8a3f1bf59fc69/test/mjsunit/regress/regress-804801.js

Project Member

Comment 10 by ClusterFuzz, Jan 25 2018

ClusterFuzz has detected this issue as fixed in range 50826:50827.

Detailed report: https://clusterfuzz.com/testcase?key=6214676143931392

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Type cast failed in CAST(add_func) at ../../src/builtins/builtins-collections-ge
  v8::internal::CheckObjectType
  Call
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50690:50691
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50826:50827

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6214676143931392

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 11 by ClusterFuzz, Jan 25 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6214676143931392 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 12 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 13 by sheriffbot@chromium.org, Mar 27 2018

Labels: -Security_Impact-Head Security_Impact-Stable
Project Member

Comment 14 by sheriffbot@chromium.org, May 2 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 15 by sheriffbot@chromium.org, Jul 28

Labels: -Pri-1 Pri-2

Sign in to add a comment