Issue 816317


Issue metadata

Status: Verified
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security

DCHECK failure in source->length_value() <= destination->length_value() - offset in elements.cc

Project Member Reported by ClusterFuzz, Feb 25 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6464453944803328

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  source->length_value() <= destination->length_value() - offset in elements.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=51376:51377

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6464453944803328

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Feb 25 2018

Labels: Test-Predator-Auto-Owner
Owner: petermarshall@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/81a3742a889db5db034b8345683cef49e95095ee ([typedarray] Port TypedArray.from to CSA.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: jgruber@chromium.org
Labels: -Security_Severity-High Security_Severity-Low Pri-1
Status: Started (was: Assigned)

Comment 4 by bugdroid1@chromium.org (Project Member), Feb 26 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ec5c342798c6e88506614db5401f2a1eec771c93

commit ec5c342798c6e88506614db5401f2a1eec771c93
Author: Peter Marshall <petermarshall@chromium.org>
Date: Mon Feb 26 13:42:23 2018

[typedarray] Fix failing DCHECK for TA.from with a length getter.

I loosened the DCHECKs here but I think they are still fundamentally
safe: `length` must be <= the actual length of the source (so that
there are actually enough elements to copy), and `length` must also be
<= the destination length, minus the offset (so there is enough space
to copy the elements into).

Bug: chromium:816317
Change-Id: Ice00ac60f4884363f6065ffee71f6ab1d1b32dbc
Reviewed-on: https://chromium-review.googlesource.com/937209
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51566}
[modify] https://crrev.com/ec5c342798c6e88506614db5401f2a1eec771c93/src/elements.cc
[add] https://crrev.com/ec5c342798c6e88506614db5401f2a1eec771c93/test/mjsunit/regress/regress-816317.js
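As an added illustration (not V8's code and not this bug's regression test), the following JavaScript states the two bounds the commit message describes as a stand-alone check, shows the underflow-prone case the "destination length minus the offset" term has to guard against, and shows why a script-controlled `length` getter is the input that has to be bounded. The function names and the sample array-like are this example's own.

```javascript
// Added example (not V8's code): the two bounds the commit message spells out
// for copying `length` elements from `source` into `destination` at `offset`.
// Names and the helpers are this example's, not the project's.
function checkCopyBounds(sourceLength, destinationLength, offset, length) {
  const nonNegInt = (n) => Number.isSafeInteger(n) && n >= 0;
  if (!nonNegInt(sourceLength) || !nonNegInt(destinationLength)) return false;
  if (!nonNegInt(offset) || !nonNegInt(length)) return false;
  // Check the offset on its own first: "destination length minus the offset"
  // is only meaningful when the subtraction cannot go negative (with an
  // unsigned C++ type it would wrap to a huge value instead of failing).
  if (offset > destinationLength) return false;
  // Bound 1: enough elements actually exist in the source to copy.
  if (length > sourceLength) return false;
  // Bound 2: enough room remains in the destination after the offset.
  if (length > destinationLength - offset) return false;
  return true;
}

// Copies `length` elements only after both bounds hold; otherwise rejects.
function boundedCopy(source, destination, offset, length) {
  if (!checkCopyBounds(source.length, destination.length, offset, length)) {
    throw new RangeError(`copy of ${length} elements at offset ${offset} does not fit`);
  }
  for (let i = 0; i < length; i++) {
    destination[offset + i] = source[i];
  }
  return destination;
}

// Why a user-supplied `length` getter matters: TypedArray.from reads the
// array-like's `length` property, so the value that sizes the copy comes from
// script, not from the object's actual indexed contents. Constructed input:
// the getter reports 2 although three indexed elements are present.
function observeLengthGetter() {
  let reads = 0;
  const arrayLike = {
    0: 10, 1: 20, 2: 30,
    get length() { reads += 1; return 2; },
  };
  const copied = Uint8Array.from(arrayLike);
  return { reads, copied: Array.from(copied) };
}

// Stand-alone run.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(boundedCopy(new Uint8Array([1, 2, 3]), new Uint8Array(5), 2, 3));
  console.log(checkCopyBounds(3, 2, 5, 1)); // offset past the end: false
  console.log(observeLengthGetter());
}
```

The order of the checks is the point: validating `offset` against the destination length before forming `destinationLength - offset` is what keeps the second bound from being satisfied by a wrapped value.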


Comment 5 by sheriffbot@chromium.org (Project Member), Feb 26 2018

Labels: -Pri-1 Pri-2

Comment 6 by ClusterFuzz (Project Member), Feb 27 2018

ClusterFuzz has detected this issue as fixed in range 51565:51566.

Detailed report: https://clusterfuzz.com/testcase?key=6464453944803328

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  source->length_value() <= destination->length_value() - offset in elements.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=51376:51377
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=51565:51566

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6464453944803328

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz (Project Member), Feb 27 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6464453944803328 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by sheriffbot@chromium.org (Project Member), Feb 27 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 9 by sheriffbot@chromium.org (Project Member), Jun 5 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot