Issue 820596

Issue metadata

Status: Verified
Closed: Mar 2018
OS: Linux
Pri: 1
Type: Bug-Security


DCHECK failure in static_cast<unsigned>(length_) > static_cast<unsigned>(i) in zone.h

Project Member Reported by ClusterFuzz, Mar 9 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5196296164737024

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  static_cast<unsigned>(length_) > static_cast<unsigned>(i) in zone.h
  v8::internal::ZoneList<v8::internal::Expression*>::operator
  at
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=51852:51853

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5196296164737024

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Mar 9 2018

Components: Blink>JavaScript>Language
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Mar 9 2018

Labels: Test-Predator-Auto-Owner
Owner: ca...@igalia.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/8ae19e08b165ef79bc4bca27cc6aae96c27e6d8f ([esnext] re-implement template strings).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by bugdroid1@chromium.org (Project Member), Mar 10 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/0802e2b26238b644c42f89f48c9eea4862221f02

commit 0802e2b26238b644c42f89f48c9eea4862221f02
Author: Caitlin Potter <caitp@igalia.com>
Date: Sat Mar 10 01:13:50 2018

[esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral

Fixes an error where TemplateLiteral printing in --print-ast
would try to read an element beyond the length of a vector.

BUG=v8:7415, chromium:820596
R=adamk@chromium.org, gsathya@chromium.org

Change-Id: Idf9e0da8c165ee62bc1a348a91c2ed5ed798404a
Reviewed-on: https://chromium-review.googlesource.com/957883
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#51857}
[modify] https://crrev.com/0802e2b26238b644c42f89f48c9eea4862221f02/src/ast/prettyprinter.cc
[add] https://crrev.com/0802e2b26238b644c42f89f48c9eea4862221f02/test/mjsunit/es6/regress/regress-crbug-820596.js
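
Editor's illustration of the bug class the commit above describes; this is an added example, not V8 code and not the patch to src/ast/prettyprinter.cc, which is not reproduced on this page. The crash state reports the bounds DCHECK in ZoneList::operator[] from zone.h. V8 compiles DCHECKs out of release builds, so the "DCHECK failure" seen in the linux_asan_d8_dbg job is the debug-build symptom of the out-of-bounds read named in the commit subject. A template literal `s0 ${e0} s1 ${e1} ... sN` has N+1 string parts and N substitutions; the example assumes the natural off-by-one, a loop over the N+1 string parts that indexes the N substitutions with the same counter. The names `ZoneListLike`, `TemplateLiteral`, `PrintTemplateLiteralBuggy`, `PrintTemplateLiteralFixed` and the helper functions are hypothetical, and the check throws where a real DCHECK aborts so the failure can be observed from a test.

```cpp
// Added example (not V8 code): a debug-only bounds check on a ZoneList-style
// container, an assumed off-by-one in a template literal printer, and the
// corrected loop. Names and loop shape are assumptions, not V8's source.
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Thrown in place of the abort a real DCHECK performs.
struct DcheckFailure : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// Minimal stand-in for v8::internal::ZoneList<T>. In a debug build the bounds
// DCHECK runs on every index; in a release build it is compiled out and the
// same index silently reads past the end of the backing store.
template <typename T>
class ZoneListLike {
 public:
  explicit ZoneListLike(std::vector<T> items) : items_(std::move(items)) {}
  int length() const { return static_cast<int>(items_.size()); }
  const T& operator[](int i) const {
    // The check from zone.h that ClusterFuzz reported as failing:
    //   DCHECK(static_cast<unsigned>(length_) > static_cast<unsigned>(i));
    // The unsigned casts make a negative i fail as well as i >= length_.
    if (!(static_cast<unsigned>(length()) > static_cast<unsigned>(i))) {
      throw DcheckFailure("DCHECK failure: length_ > i in zone.h");
    }
    return items_[i];
  }

 private:
  std::vector<T> items_;
};

// `s0 ${e0} s1 ${e1} ... sN`: N+1 cooked string parts, N substitutions.
// Substitutions are kept as their printed source text in this model.
struct TemplateLiteral {
  ZoneListLike<std::string> cooked;
  ZoneListLike<std::string> substitutions;
};

TemplateLiteral MakeLiteral(std::vector<std::string> cooked,
                            std::vector<std::string> substitutions) {
  return TemplateLiteral{ZoneListLike<std::string>(std::move(cooked)),
                         ZoneListLike<std::string>(std::move(substitutions))};
}

// Assumed shape of the pre-fix printer: the loop runs over the N+1 string
// parts and indexes the N substitutions with the same counter, so the last
// iteration reads substitutions[N], one element past the end.
std::string PrintTemplateLiteralBuggy(const TemplateLiteral& lit) {
  std::string out;
  for (int i = 0; i < lit.cooked.length(); ++i) {
    out += "\"" + lit.cooked[i] + "\" ${" + lit.substitutions[i] + "} ";
  }
  return out;
}

// Corrected printer: drive the loop by the shorter list and emit the final
// string part once, after the loop. Handles zero substitutions as well.
std::string PrintTemplateLiteralFixed(const TemplateLiteral& lit) {
  std::string out;
  for (int i = 0; i < lit.substitutions.length(); ++i) {
    out += "\"" + lit.cooked[i] + "\" ${" + lit.substitutions[i] + "} ";
  }
  out += "\"" + lit.cooked[lit.substitutions.length()] + "\"";
  return out;
}

// True if the buggy printer trips the (debug-only) bounds check.
bool BuggyPrinterTripsDcheck(const TemplateLiteral& lit) {
  try {
    PrintTemplateLiteralBuggy(lit);
  } catch (const DcheckFailure&) {
    return true;
  }
  return false;
}

// Index the list directly; shows that the unsigned comparison rejects
// negative indices as well as ones past the end.
bool IndexTripsDcheck(const ZoneListLike<std::string>& list, int i) {
  try {
    (void)list[i];
  } catch (const DcheckFailure&) {
    return true;
  }
  return false;
}

int main() {
  // Constructed input modelling the AST of `a${x}b${y}c`.
  TemplateLiteral lit = MakeLiteral({"a", "b", "c"}, {"x", "y"});
  std::string fixed = PrintTemplateLiteralFixed(lit);  // "a" ${x} "b" ${y} "c"
  bool tripped = BuggyPrinterTripsDcheck(lit);         // true in a debug build
  return (tripped && !fixed.empty()) ? 0 : 1;
}
```

The point for triage: a fuzzer-found DCHECK in a container accessor is not a debug-only nuisance, because the same index is dereferenced unchecked in the release binary; the `--print-ast` flag named in the commit only determines whether the printer runs, not whether the read is in bounds.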

Comment 4 by ClusterFuzz (Project Member), Mar 10 2018

ClusterFuzz has detected this issue as fixed in range 51856:51857.

Detailed report: https://clusterfuzz.com/testcase?key=5196296164737024

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  static_cast<unsigned>(length_) > static_cast<unsigned>(i) in zone.h
  v8::internal::ZoneList<v8::internal::Expression*>::operator
  at
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=51852:51853
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=51856:51857

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5196296164737024

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by ClusterFuzz (Project Member), Mar 10 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5196296164737024 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 6 by ClusterFuzz (Project Member), Mar 10 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5196296164737024 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 7 by sheriffbot@chromium.org (Project Member), Mar 10 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 8 by bugdroid1@chromium.org (Project Member), Mar 10 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/89204e90bb544ae151fd9e0144b6d4074b8a8548

commit 89204e90bb544ae151fd9e0144b6d4074b8a8548
Author: Michael Achenbach <machenbach@chromium.org>
Date: Sat Mar 10 16:44:20 2018

Revert "[esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral"

This reverts commit 0802e2b26238b644c42f89f48c9eea4862221f02.

Reason for revert: For reverting https://crrev.com/c/945408

Original change's description:
> [esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral
> 
> Fixes an error where TemplateLiteral printing in --print-ast
> would try to read an element beyond the length of a vector.
> 
> BUG=v8:7415, chromium:820596
> R=adamk@chromium.org, gsathya@chromium.org
> 
> Change-Id: Idf9e0da8c165ee62bc1a348a91c2ed5ed798404a
> Reviewed-on: https://chromium-review.googlesource.com/957883
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Caitlin Potter <caitp@igalia.com>
> Cr-Commit-Position: refs/heads/master@{#51857}

TBR=adamk@chromium.org,gsathya@chromium.org,caitp@igalia.com

Change-Id: I5fe950cd823ae350b5f6c09227a62aef9dc2a008
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7415, chromium:820596
Reviewed-on: https://chromium-review.googlesource.com/957724
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51861}
[modify] https://crrev.com/89204e90bb544ae151fd9e0144b6d4074b8a8548/src/ast/prettyprinter.cc
[delete] https://crrev.com/4cb681e7d166a6fe54a38a33b9a83cf202002d3b/test/mjsunit/es6/regress/regress-crbug-820596.js

Comment 9 by bugdroid1@chromium.org (Project Member), Mar 14 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b8229612bf0df54289ca422ab60c9fec9b19021d

commit b8229612bf0df54289ca422ab60c9fec9b19021d
Author: Caitlin Potter <caitp@igalia.com>
Date: Wed Mar 14 18:12:09 2018

Reland "[esnext] re-implement template strings"

- Add a new bytecode for the ToString operation, replacing the old
intrinsic call (currently does not collect type feedback).
- Add a new AST node to represent TemplateLiterals, and avoid
generating unnecessary ToString operations in some simple cases.
- Use a single feedback slot for each string addition, because the
type feedback should always be the same for each addition

This seems to produce a very slight improvement on JSTests benchmarks
and bench-ruben.js from v8:7415, and it's possible that type feedback
for the ToString bytecode could provide more opportunities to eliminate
the runtime call in TurboFan.

Doesn't touch tagged templates

[esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral

Fixes an error where TemplateLiteral printing in --print-ast
would try to read an element beyond the length of a vector.

BUG=v8:7415, chromium:820596
R=adamk@chromium.org, gsathya@chromum.org, rmcilroy@chromium.org, ishell@chromium.org, bmeurer@chromium.org

Change-Id: Ie56894f73a6445550a5f95f42160c4e29ab1da42
Reviewed-on: https://chromium-review.googlesource.com/958408
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#51933}
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/ast/ast-traversal-visitor.h
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/ast/ast.h
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/ast/prettyprinter.cc
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/compiler/bytecode-graph-builder.cc
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/debug/debug-evaluate.cc
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/interpreter/bytecode-array-builder.cc
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/interpreter/bytecode-array-builder.h
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/interpreter/bytecode-generator.cc
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/interpreter/bytecode-generator.h
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/interpreter/bytecodes.h
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/interpreter/interpreter-generator.cc
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/parsing/parser.cc
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/src/parsing/pattern-rewriter.cc
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/test/cctest/interpreter/bytecode_expectations/TemplateLiterals.golden
[add] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/test/mjsunit/es6/regress/regress-crbug-820596.js
[modify] https://crrev.com/b8229612bf0df54289ca422ab60c9fec9b19021d/test/unittests/interpreter/bytecode-array-builder-unittest.cc

Comment 10 by sheriffbot@chromium.org (Project Member), Jun 16 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by sheriffbot@chromium.org (Project Member), Jul 28

Labels: Pri-1