New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 822669 link

Starred by 1 user
Status: Verified
Owner:
eholk@chromium.org
Last visit > 30 days ago
Closed: Mar 2018
Cc:
gdeepti@chromium.org
Components:
EstimatedDays: ----
NextAction: 2018-03-27
OS: Linux , Chrome , Mac
Pri: 1
Type: Bug



Sign in to add a comment

Ill in v8::internal::JSArrayBuffer::Neuter

Project Member Reported by ClusterFuzz, Mar 16 2018 
Detailed report: https://clusterfuzz.com/testcase?key=6610645202763776

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Ill
Crash Address: 0x558aeefb8448
Crash State:
  v8::internal::JSArrayBuffer::Neuter
  v8::ArrayBuffer::Neuter
  blink::DOMArrayBuffer::Transfer
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=542736:542738

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6610645202763776

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Mar 16 2018

Labels: OS-Chrome OS-Mac
Project Member

Comment 2 by ClusterFuzz, Mar 16 2018

Components: Blink>JavaScript
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 3 by ClusterFuzz, Mar 16 2018

Labels: Test-Predator-Auto-Owner
Owner: eholk@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/e4402ed0bce568fbef7ee4bf8cd8ca47b62e4445 (Ensure ArrayBuffers are not neutered twice).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 4 by eholk@chromium.org, Mar 16 2018

Cc: gdeepti@chromium.org
Deepti - Clusterfuzz found a place where ArrayBuffers get neutered twice in Chrome! I'll investigate this today.

Comment 5 by eholk@chromium.org, Mar 16 2018

NextAction: 2018-03-27
This issue is ultimately due to a spec inconsistency: https://github.com/tc39/ecma262/issues/1024

It's slated to be discussed at the TC39 meeting next week. Because this is a safe crash (CHECK, rather than some rogue memory access), I think we should wait and see what the outcome of TC39 is and then fix it according to the spec.
Project Member

Comment 6 by ClusterFuzz, Mar 17 2018 

ClusterFuzz has detected this issue as fixed in range 543641:543642.

Detailed report: https://clusterfuzz.com/testcase?key=6610645202763776

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Ill
Crash Address: 0x558aeefb8448
Crash State:
  v8::internal::JSArrayBuffer::Neuter
  v8::ArrayBuffer::Neuter
  blink::DOMArrayBuffer::Transfer
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=542736:542738
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=543641:543642

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6610645202763776

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Mar 17 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6610645202763776 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by monor...@bugs.chromium.org, Mar 27 2018 

The NextAction date has arrived: 2018-03-27

Sign in to add a comment