New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 819311 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

DCHECK failure in op->opcode() == IrOpcode::kStateValues || op->opcode() == IrOpcode::kTypedStateV

Project Member Reported by ClusterFuzz, Mar 6 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6376266153066496

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7fea45b56c68
Crash State:
  v8::internal::compiler::SparseInputMask::InputIterator::IsReal
  v8::internal::compiler::StateValuesAccess::iterator::operator*
  v8::internal::compiler::JSCreateLowering::AllocateArguments
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=538367:538368

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6376266153066496

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Mar 6 2018

Components: Blink>JavaScript>Compiler
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Mar 6 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4967059264634880.
Reuploaded with a d8 job for a narrower regression range.
Cc: lokihardt@google.com
Project Member

Comment 5 by ClusterFuzz, Mar 6 2018

Summary: DCHECK failure in op->opcode() == IrOpcode::kStateValues || op->opcode() == IrOpcode::kTypedStateV (was: Stack-buffer-overflow in v8::internal::compiler::SparseInputMask::InputIterator::IsReal)
Detailed report: https://clusterfuzz.com/testcase?key=4967059264634880

Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  op->opcode() == IrOpcode::kStateValues || op->opcode() == IrOpcode::kTypedStateV
  v8::internal::compiler::SparseInputMaskOf
  v8::internal::compiler::StateValuesAccess::iterator::iterator
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=51425:51426

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4967059264634880

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 6 by ClusterFuzz, Mar 6 2018

Labels: Test-Predator-Auto-Owner
Owner: sigurds@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/fb0144f6f91ba7028819d6c2d3c00eb508254693 ([turbofan] Move Math.* builtins to JSCallReducer).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 7 by sheriffbot@chromium.org, Mar 7 2018

Labels: M-66
Project Member

Comment 8 by sheriffbot@chromium.org, Mar 7 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 9 by sheriffbot@chromium.org, Mar 7 2018

Labels: Pri-1
Cc: tebbi@chromium.org
@tebbi, could you please take a look, too? Preliminary investigation shows that there is a kDeadValue as input to a FrameState.
This is also happening if the critical comparison is replaced with 

  5 != String.fromCharCode(__v_4)

String.fromCharCode wasn't touched by my CL. I've reuploaded the modfied test-case at 

  https://clusterfuzz.com/v2/testcase-detail/5385707712151552
Project Member

Comment 12 by ClusterFuzz, Mar 7 2018

Detailed report: https://clusterfuzz.com/testcase?key=6219870891671552

Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  op->opcode() == IrOpcode::kStateValues || op->opcode() == IrOpcode::kTypedStateV
  v8::internal::compiler::SparseInputMaskOf
  v8::internal::compiler::StateValuesAccess::iterator::iterator
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6219870891671552

See https://github.com/google/clusterfuzz-tools for more information.
The above repro is not using Math functions.
Further investigation shows that the typer assignes Type::None to a SpeculativeToNumber operation that the transformation introduced by my CL in the regression range introduces.  Type::None causes dead variable elimination to assume the node is dead.
OK here is my understanding of what is happening:

The code contains an application of Math.abs to a function literal, which always deopts.

My CL lowers that Math.abs (or String.fromCharCode, which also expects a number) to a SpeculativeToNumber#228 conversion and the appropriate simplified operator that Math.abs.

Subsequently, the typer figures out that the SpeculativeToNumber can never succeed (as its argument is a function literal) and assignes Type::None. This in turn triggers dead code elimination to turn #228 into dead value, and propagate it down to the first input of FrameState#817.

JSCreateLowering then discovers FrameState#817 and triggers the DCHECK because it does not expect a FrameState to have a dead value input.

What I cannot determine at the moment is why dead code elimination does not propagate kDeadValue further before JSCreateLowering starts reducing.

I'll work with @tebbi to fix this ASAP, but he should lead the investigation.

Comment 16 Deleted

Cc: -tebbi@chromium.org sigurds@chromium.org
Owner: tebbi@chromium.org
The problem is that JSCallReducer runs at the same time as DeadCodeElimination and hence observes an incompletely propagated DeadValue in its FrameState input. Possible solutions are:
  - Abort the reduction in this case, because the call node is going to be eliminated anyway.
  - Do not propagate DeadValue over StateValue nodes.
  - Change the graph reducer to propagate DeadValue with higher priority than any other reducer.

To keep the fix simple, I think I'm going for the first option.
Thanks for looking into this, @tebbi!
Project Member

Comment 19 by bugdroid1@chromium.org, Mar 8 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/221173eaa222a23041f00f02ad9da812d1027e49

commit 221173eaa222a23041f00f02ad9da812d1027e49
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Thu Mar 08 13:42:02 2018

[turbofan] handle DeadValue in JSCreateArguments lowering

JSCallReducer runs at the same time as DeadCodeElimination and hence can observe an incompletely propagated DeadValue in place of a StateValue node holding the arguments to materialize for JSCreateArguments.
This CL fixes this by aborting the lowring of JSCreateArguments in this case.

Bug:  chromium:819311  v8:7536
Change-Id: I42c4a1923e3dbe470db1a16c5069aaa7c38659ac
Reviewed-on: https://chromium-review.googlesource.com/955306
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51808}
[modify] https://crrev.com/221173eaa222a23041f00f02ad9da812d1027e49/src/compiler/js-create-lowering.cc

Project Member

Comment 20 by sheriffbot@chromium.org, Mar 8 2018

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 21 by ClusterFuzz, Mar 9 2018

ClusterFuzz has detected this issue as fixed in range 51807:51808.

Detailed report: https://clusterfuzz.com/testcase?key=4967059264634880

Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  op->opcode() == IrOpcode::kStateValues || op->opcode() == IrOpcode::kTypedStateV
  v8::internal::compiler::SparseInputMaskOf
  v8::internal::compiler::StateValuesAccess::iterator::iterator
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=51425:51426
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=51807:51808

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4967059264634880

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 22 by ClusterFuzz, Mar 10 2018

ClusterFuzz has detected this issue as fixed in range 542098:542101.

Detailed report: https://clusterfuzz.com/testcase?key=6376266153066496

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7fea45b56c68
Crash State:
  v8::internal::compiler::SparseInputMask::InputIterator::IsReal
  v8::internal::compiler::StateValuesAccess::iterator::operator*
  v8::internal::compiler::JSCreateLowering::AllocateArguments
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=538367:538368
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=542098:542101

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6376266153066496

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 23 by ClusterFuzz, Mar 10 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6376266153066496 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 24 by sheriffbot@chromium.org, Mar 10 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Merge-Request-66
Project Member

Comment 26 by sheriffbot@chromium.org, Mar 28 2018

Labels: -Merge-Request-66 Merge-Review-66 Hotlist-Merge-Review
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-66 Merge-Approved-66
Merge approved: branch:3359
Project Member

Comment 28 by sheriffbot@chromium.org, Apr 2

Cc: awhalley@chromium.org abdulsyed@chromium.org
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 29 by bugdroid1@chromium.org, Apr 3

Labels: merge-merged-6.6
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b812e7f3e230ee562501be4f284a0e8878ed8d97

commit b812e7f3e230ee562501be4f284a0e8878ed8d97
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Tue Apr 03 07:32:55 2018

Version 6.6.346.19 (cherry-pick)

Merged 221173eaa222a23041f00f02ad9da812d1027e49

[turbofan] handle DeadValue in JSCreateArguments lowering

R=jarin@chromium.org

Bug:  chromium:819311 , v8:7536
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I76b1c0d067cca47abb92e2f14b516e6414c6a86a
Reviewed-on: https://chromium-review.googlesource.com/991473
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.6@{#37}
Cr-Branched-From: d500271571b92cb18dcd7b15885b51e8f437d640-refs/heads/6.6.346@{#1}
Cr-Branched-From: 265ef0b635f8761df7c89eb4e8ec9c1a6ebee184-refs/heads/master@{#51624}
[modify] https://crrev.com/b812e7f3e230ee562501be4f284a0e8878ed8d97/include/v8-version.h
[modify] https://crrev.com/b812e7f3e230ee562501be4f284a0e8878ed8d97/src/compiler/js-create-lowering.cc

Labels: -Merge-Approved-66
Labels: -Security_Impact-Beta
Labels: -ReleaseBlock-Stable Security_Impact-Beta
Project Member

Comment 33 by sheriffbot@chromium.org, Jun 16

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment