New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 812451 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Crash in /build/eglibc-ripdx6/eglibc-NUMBER/string/../sysdeps/x86_64/multiarch/memcpy-sse

Project Member Reported by ClusterFuzz, Feb 15 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5431736524341248

Fuzzer: mbarbella_js_mutation
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x35db2f626fe8
Crash State:
  /build/eglibc-ripdx6/eglibc-NUMBER/string/../sysdeps/x86_64/multiarch/memcpy-sse
  MemCopy
  CopyWords<v8::internal::Object
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=51296:51297

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5431736524341248

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Feb 15 2018

Components: Blink>JavaScript>GC
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Feb 15 2018

Labels: Test-Predator-Auto-Owner
Owner: neis@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/af677f29b1b7c0286b423c4e745303ed51de88e9 ([ic] EmitElementStore: don't miss when hitting new space limit.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by neis@chromium.org, Feb 15 2018

Status: Fixed (was: Assigned)
CL was reverted.
Project Member

Comment 4 by bugdroid1@chromium.org, Feb 15 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a50bc8ac8dc018f253a702bf742b9861111c0b3d

commit a50bc8ac8dc018f253a702bf742b9861111c0b3d
Author: Georg Neis <neis@chromium.org>
Date: Thu Feb 15 12:27:18 2018

Reland "[ic] EmitElementStore: don't miss when hitting new space limit."

This is a reland of af677f29b1b7c0286b423c4e745303ed51de88e9, fixing
an issue with negative indices.

Original change's description:
> [ic] EmitElementStore: don't miss when hitting new space limit.
>
> CSA::EmitElementStore used to bail out (IC miss) via
> CSA::CheckForCapacityGrow when the capacity hits the new space
> limit, causing the store IC to go megamorphic in my example (see
> referenced bug). With this CL, we do what TF'ed code does already:
> call into Runtime::kGrowArrayElements (in this situation), thus
> staying monomorphic.
>
> Here's a contrived test case:
>
> ////////////////////////
> let x = [];
>
> function bar() {
>   for (let i = 0; i < 50000; ++i) x[i] = i;
> }
>
> function foo() {
>   for (let i = x.length; i < 100e6; ++i) x[i] = i;
> }
>
> bar();
> foo();
> ////////////////////////
>
> This took about 4s on my machine, now it takes 3s.
>
> Bug:  v8:7447 
> Change-Id: I7f268fc55835f363d250613ce0357444a663051c
> Reviewed-on: https://chromium-review.googlesource.com/918723
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51297}

Bug:  v8:7447 ,  chromium:812451 
Change-Id: I345b5e5b2437c4f50e42bbd87947630f24cd95eb
Reviewed-on: https://chromium-review.googlesource.com/921201
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51311}
[modify] https://crrev.com/a50bc8ac8dc018f253a702bf742b9861111c0b3d/src/code-stub-assembler.cc
[modify] https://crrev.com/a50bc8ac8dc018f253a702bf742b9861111c0b3d/src/runtime/runtime-array.cc
[add] https://crrev.com/a50bc8ac8dc018f253a702bf742b9861111c0b3d/test/mjsunit/regress/regress-812451.js

Project Member

Comment 5 by ClusterFuzz, Feb 15 2018

Labels: OS-Windows
Project Member

Comment 6 by sheriffbot@chromium.org, Feb 15 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 7 by ClusterFuzz, Feb 16 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6216512596344832 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 8 by ClusterFuzz, Feb 16 2018

ClusterFuzz has detected this issue as fixed in range 51305:51306.

Detailed report: https://clusterfuzz.com/testcase?key=5431736524341248

Fuzzer: mbarbella_js_mutation
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x35db2f626fe8
Crash State:
  /build/eglibc-ripdx6/eglibc-NUMBER/string/../sysdeps/x86_64/multiarch/memcpy-sse
  MemCopy
  CopyWords<v8::internal::Object
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=51296:51297
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=51305:51306

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5431736524341248

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: Security_Impact-Head
Project Member

Comment 10 by sheriffbot@chromium.org, May 24 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 11 by sheriffbot@chromium.org, Jul 28

Labels: Pri-1

Sign in to add a comment