New issue
Advanced search Search tips

Issue 869735 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Aug 6
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

DCHECK failure in InOldSpace(object) || InNewSpace(object) || (lo_space()->Contains(object) && obj

Project Member Reported by ClusterFuzz, Aug 1

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4754870394159104

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  InOldSpace(object) || InNewSpace(object) || (lo_space()->Contains(object) && obj
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=49981:49982

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4754870394159104

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Aug 1

Labels: Test-Predator-Auto-Owner
Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/1da91b838989cebaca89d7826df23a067bae077a (Reland "[deoptimizer] Staged materialization of objects.").

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 2 by sheriffbot@chromium.org, Aug 1

Labels: Pri-1
Labels: Security_Impact-Head M-70
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 4

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by bugdroid1@chromium.org, Aug 6

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a56d7470e2f5d1fca4ef0f5899648816e7bcde10

commit a56d7470e2f5d1fca4ef0f5899648816e7bcde10
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Mon Aug 06 06:42:35 2018

[heap] Relax NotifyObjectLayoutChange DCHECK to allow ByteArrays changes in LO space

Bug:  chromium:869735 
Change-Id: I65c4a1b92e1e0874eabff14e9cf6f5b56dc8d43a
Reviewed-on: https://chromium-review.googlesource.com/1158065
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54909}
[modify] https://crrev.com/a56d7470e2f5d1fca4ef0f5899648816e7bcde10/src/heap/heap.cc
[add] https://crrev.com/a56d7470e2f5d1fca4ef0f5899648816e7bcde10/test/mjsunit/regress/regress-869735.js

Labels: -Security_Impact-Head -Security_Severity-High -ReleaseBlock-Stable
Status: Fixed (was: Assigned)
This is just a too strict assertion, not a security bug.
Project Member

Comment 7 by ClusterFuzz, Aug 6

ClusterFuzz has detected this issue as fixed in range 54908:54909.

Detailed report: https://clusterfuzz.com/testcase?key=4754870394159104

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  InOldSpace(object) || InNewSpace(object) || (lo_space()->Contains(object) && obj
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=49981:49982
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=54908:54909

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4754870394159104

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Aug 6

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4754870394159104 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 9 by sheriffbot@chromium.org, Aug 6

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Type-Bug-Security -Pri-1 Pri-2 Type-Bug
Right. This is just a too strict assertion, not a security bug.  Setting type to "bug".

Project Member

Comment 11 by sheriffbot@chromium.org, Nov 12

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment