Issue 833489


Issue metadata

Status: Verified
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Null-dereference READ in chrome

Reported by ClusterFuzz (Project Member), Apr 16 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5917773470105600

Fuzzer: v8_builtins_generator
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  chrome
  blink::DOMArrayBufferView::BaseAddress
  blink::FontFace::Create
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=547217:547257

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5917773470105600

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 

Comment 1 by ClusterFuzz (Project Member), Apr 16 2018

Components: Blink>CSS
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Apr 16 2018

Cc: thomasanderson@chromium.org schenney@chromium.org mek@chromium.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

Fix background position within table cells by schenney@chromium.org - https://chromium.googlesource.com/chromium/src/+/aa9a6d779bcad148ce3c128bc991a335382cc550

Replace Arial with Arimo GCS font by thomasanderson@chromium.org - https://chromium.googlesource.com/chromium/src/+/0891f61da2a1da09fb8622dae3cc4f4dddf92f59

[XHR] Replace usage of download_to_file with new download_to_blob feature. by mek@chromium.org - https://chromium.googlesource.com/chromium/src/+/090b1a4fea8bd71d2bd5e3503d3397985ad58022

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Cc: -thomasanderson@chromium.org -schenney@chromium.org -mek@chromium.org
Owner: jkummerow@chromium.org
Status: Assigned (was: Untriaged)
Probably caused by https://chromium.googlesource.com/v8/v8/+/b7e984c505d407847cd192b018925af80de17630

Over to jkummerow@ for further investigation. Minimized testcase is:
<script>
  // BigInt64Array: a TypedArray kind V8 already shipped but Blink had no
  // definition for at the time of this report (see the fix in comment 5).
  var v1 = new BigInt64Array();
  // eval() with no argument returns undefined; it only serves as the family name.
  var v11 = eval();
  // FontFace(family, source) accepts an ArrayBufferView source; handing it
  // the BigInt64Array crashes in blink::DOMArrayBufferView::BaseAddress.
  var v46 = new FontFace(v11, v1);
</script>

Components: -Blink>CSS Blink>JavaScript Blink>Fonts
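
The fix in comment 5 suggests why the testcase crashes: V8 already shipped BigInt64Array and BigUint64Array, but Blink had no definitions for those two view kinds, so a FontFace source that V8 treats as a valid ArrayBufferView reached blink::DOMArrayBufferView::BaseAddress with nothing behind it. The probe below is an added example, not code from this report or from Chromium. It discovers every %TypedArray% kind the running engine exposes and fans each one into a sink that claims to accept "an ArrayBufferView", so a kind the sink's allowlist omits surfaces as a distinct, checkable failure instead of being skipped. The run-time discovery through Object.getPrototypeOf(Int8Array), the allowlistSink model of a pre-fix binding, the LEGACY_KINDS set and the probeFontFace wrapper are this example's own assumptions.

```javascript
// Added example, not code from this report or from Chromium. It models the
// gap behind issue 833489: a binding that accepts "an ArrayBufferView" but
// only handles the view kinds it was written for, while the engine keeps
// shipping new ones. Names below (allowlistSink, LEGACY_KINDS, probeFontFace)
// are this example's own.

// Every %TypedArray% constructor this engine exposes, discovered at run time
// through the shared %TypedArray% intrinsic rather than hard-coded, so a
// newly shipped kind (as BigInt64Array was in 2018) is picked up automatically.
function typedArrayConstructors() {
  const TypedArray = Object.getPrototypeOf(Int8Array);
  const found = [];
  for (const name of Object.getOwnPropertyNames(globalThis)) {
    let value;
    try { value = globalThis[name]; } catch (_) { continue; } // some globals are throwing getters
    if (typeof value === 'function' && Object.getPrototypeOf(value) === TypedArray) found.push(value);
  }
  return found.sort((a, b) => a.name.localeCompare(b.name));
}

// One view of each kind over a single shared buffer (16 bytes by default).
function typedArrayViews(byteLength = 16) {
  const buffer = new ArrayBuffer(byteLength);
  return typedArrayConstructors().map(
    (Ctor) => new Ctor(buffer, 0, byteLength / Ctor.BYTES_PER_ELEMENT),
  );
}

// Feed every view to sink(view) and record, per kind, whether the sink
// returned or threw. A renderer crash like the one in this report would do
// neither: the probe simply never comes back for that kind.
function probeSink(sink, views = typedArrayViews()) {
  const results = {};
  for (const view of views) {
    const kind = view.constructor.name;
    try {
      results[kind] = { status: 'returned', value: sink(view) };
    } catch (e) {
      results[kind] = { status: 'threw', error: e.constructor.name };
    }
  }
  return results;
}

// A sink shaped like a binding with a hard-coded allowlist of view kinds. It
// throws RangeError for anything ArrayBuffer.isView() accepts but the
// allowlist omits, which is the case the real code must handle explicitly
// instead of falling through to a null view.
function allowlistSink(allowed) {
  return (view) => {
    if (!ArrayBuffer.isView(view)) throw new TypeError('not an ArrayBufferView');
    if (!allowed.has(view.constructor.name)) {
      throw new RangeError(`view kind not handled: ${view.constructor.name}`);
    }
    return view.byteLength;
  };
}

// The nine kinds a binding written before the BigInt proposal would know.
const LEGACY_KINDS = new Set([
  'Int8Array', 'Uint8Array', 'Uint8ClampedArray', 'Int16Array', 'Uint16Array',
  'Int32Array', 'Uint32Array', 'Float32Array', 'Float64Array',
]);

// Kinds the engine exposes that a given allowlist does not handle.
function unhandledKinds(allowed = LEGACY_KINDS) {
  return Object.entries(probeSink(allowlistSink(allowed)))
    .filter(([, r]) => r.status === 'threw' && r.error === 'RangeError')
    .map(([kind]) => kind);
}

// Same fan-out against the real FontFace constructor when one exists (a
// browser). Node has no FontFace, so this returns null there instead of
// pretending to have tested anything.
function probeFontFace() {
  if (typeof globalThis.FontFace !== 'function') return null;
  return probeSink((view) => new globalThis.FontFace('probe', view).status);
}
```

In a browser, probeFontFace() runs the same fan-out against the real constructor; a kind that neither returns nor throws (the tab dies) is the class of bug this issue is. When hunting for that, run one kind per page load, since a renderer crash takes the rest of the probe with it. unhandledKinds() is the offline version of the same question: every name it returns is a view kind the engine will happily hand to a binding that has no branch for it.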

Comment 5 by bugdroid1@chromium.org (Project Member), Apr 18 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e7a16d44e33e3b57f25e218b19a6e16d2adbaded

commit e7a16d44e33e3b57f25e218b19a6e16d2adbaded
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Wed Apr 18 04:11:03 2018

[blink] Add Big{Int,Uint}64Array definitions

These are being added to the existing set of TypedArrays as part of
the BigInt proposal: https://tc39.github.io/proposal-bigint/
V8 implements and ships them already.

Bug: v8:6791, chromium:833489
Change-Id: I77b8620b5818efe94ecf47ecd17fbdb9124cd426
Reviewed-on: https://chromium-review.googlesource.com/1014670
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551577}
[modify] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/manual_tests/typed-array-memory.html
[modify] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/bindings/scripts/v8_interface.py
[modify] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/bindings/scripts/v8_types.py
[modify] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/bindings/templates/interface.cpp.tmpl
[modify] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/bindings/tests/results/core/v8_array_buffer_view.cc
[modify] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/core/core_idl_files.gni
[add] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/core/typed_arrays/big_int_64_array.idl
[add] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/core/typed_arrays/big_uint_64_array.idl
[modify] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/core/typed_arrays/dom_typed_array.cc
[modify] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/core/typed_arrays/dom_typed_array.h
[modify] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/platform/wtf/BUILD.gn
[modify] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/platform/wtf/forward.h
[modify] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/platform/wtf/typed_arrays/array_buffer_view.cc
[modify] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/platform/wtf/typed_arrays/array_buffer_view.h
[add] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/platform/wtf/typed_arrays/bigint64_array.h
[add] https://crrev.com/e7a16d44e33e3b57f25e218b19a6e16d2adbaded/third_party/blink/renderer/platform/wtf/typed_arrays/biguint64_array.h


Comment 6 by ClusterFuzz (Project Member), Apr 18 2018

ClusterFuzz has detected this issue as fixed in range 551563:551581.

Detailed report: https://clusterfuzz.com/testcase?key=5917773470105600

Fuzzer: v8_builtins_generator
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  chrome
  blink::DOMArrayBufferView::BaseAddress
  blink::FontFace::Create
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=547217:547257
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=551563:551581

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5917773470105600

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz (Project Member), Apr 18 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5917773470105600 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Cc: hablich@chromium.org
Labels: Merge-Request-67
Per email discussion, requesting backmerge of #5 to M67 to fix this crash. 

Note that crrev.com/55110038a121062f514374eaaed946547f0efed1 must be backmerged to V8's 6.7 branch first (requested separately).
Labels: -Merge-Request-67 Merge-Approved-67
Please merge your change to M67 branch 3396 ASAP so we can pick it up for the next M67 Dev/Beta release. Thank you.

Comment 11 by bugdroid1@chromium.org (Project Member), Apr 27 2018

Labels: -merge-approved-67 merge-merged-3396
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d

commit ebdf02dfafdbba64355dda558cc5e4bfb33dc40d
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Fri Apr 27 21:23:26 2018

[blink] Add Big{Int,Uint}64Array definitions

These are being added to the existing set of TypedArrays as part of
the BigInt proposal: https://tc39.github.io/proposal-bigint/
V8 implements and ships them already.

Bug: v8:6791, chromium:833489
Change-Id: I77b8620b5818efe94ecf47ecd17fbdb9124cd426
Reviewed-on: https://chromium-review.googlesource.com/1014670
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#551577}
(cherry picked from commit e7a16d44e33e3b57f25e218b19a6e16d2adbaded)
Reviewed-on: https://chromium-review.googlesource.com/1033793
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/branch-heads/3396@{#359}
Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428}
[modify] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/manual_tests/typed-array-memory.html
[modify] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/bindings/scripts/v8_interface.py
[modify] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/bindings/scripts/v8_types.py
[modify] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/bindings/templates/interface.cpp.tmpl
[modify] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/bindings/tests/results/core/v8_array_buffer_view.cc
[modify] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/core/core_idl_files.gni
[add] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/core/typed_arrays/big_int_64_array.idl
[add] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/core/typed_arrays/big_uint_64_array.idl
[modify] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/core/typed_arrays/dom_typed_array.cc
[modify] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/core/typed_arrays/dom_typed_array.h
[modify] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/platform/wtf/BUILD.gn
[modify] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/platform/wtf/forward.h
[modify] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/platform/wtf/typed_arrays/array_buffer_view.cc
[modify] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/platform/wtf/typed_arrays/array_buffer_view.h
[add] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/platform/wtf/typed_arrays/bigint64_array.h
[add] https://crrev.com/ebdf02dfafdbba64355dda558cc5e4bfb33dc40d/third_party/blink/renderer/platform/wtf/typed_arrays/biguint64_array.h
