
Issue 876696 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Aug 24
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




DCHECK failure in kSmiValueSize < layout_descriptor_length in layout-descriptor.cc

Project Member Reported by ClusterFuzz, Aug 22

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5767277283377152

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  kSmiValueSize < layout_descriptor_length in layout-descriptor.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55268:55269

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5767277283377152

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by ClusterFuzz (Project Member), Aug 22

Labels: Test-Predator-Auto-Owner
Owner: ishell@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/bf1e47e6ff10734045b2d6a501da49d20980f742 ([ptr-compr] Switch Smis to 31-bit on 64-bit platforms.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Comment 2 by sheriffbot@chromium.org (Project Member), Aug 22

Labels: Pri-1
From the fail site: https://cs.chromium.org/chromium/src/v8/src/layout-descriptor.cc?l=244&rcl=0c05bf73b422ca9c849cec08fa23cf4589b0b508 :

  // It must not become fast-mode descriptor here, because otherwise it has to
  // be fast pointer layout descriptor already but it's is slow mode now.
  DCHECK_LT(kSmiValueSize, layout_descriptor_length);

I don't see any reason to believe that this would cause a security problem so currently thinking of SecurityImpactNone.

ishell@ -- can you please comment on what would have happened in the absence of this DCHECK? 
This DCHECK should be updated for the 31-bit Smis: https://chromium-review.googlesource.com/c/v8/v8/+/1185186
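The check quoted above only makes sense if the constant it compares against is the same one that decides whether a layout descriptor is stored in fast (inline-in-a-Smi) or slow (heap array) form. The following is an added, simplified model written for this page, not V8's own LayoutDescriptor code: the names SmiConfig, NewDescriptor, SlowInvariantOriginal, SlowInvariantFixed and FirstFailingLength are hypothetical, and the assumption that the fast form holds one bit fewer than kSmiValueSize under 31-bit Smis is a modelling choice (the real V8 constants are not given on this page). It shows how an assertion written against kSmiValueSize passes on a classic 64-bit build but rejects a legitimate slow-mode descriptor once the Smi width changes, while tying the check to the selection constant keeps it valid in both configurations.

```cpp
#include <cassert>
#include <vector>

// Simplified model of a V8-style layout descriptor (added example, not V8 code).
// A layout descriptor is a bit vector with one bit per in-object field. Short
// descriptors are kept "fast" (encoded inline in a Smi); longer ones are "slow"
// (backed by a heap array). Which form is used depends on how many bits the
// inline form can hold, and that capacity follows the Smi width of the build.
struct SmiConfig {
  int smi_value_size;       // kSmiValueSize: 32 on classic 64-bit, 31 with pointer compression
  int bits_in_fast_layout;  // bits the inline form actually holds (assumed, see below)
};

// Assumption for this model only: with 32-bit Smis the inline form uses every
// value bit; with 31-bit Smis it reserves one bit, so the fast capacity is
// kSmiValueSize - 1. The real V8 constants are not stated on the bug page.
constexpr SmiConfig kSmi32{32, 32};
constexpr SmiConfig kSmi31{31, 30};

struct LayoutDescriptor {
  bool fast;                    // true when stored inline in a Smi
  int length;                   // number of fields described
  std::vector<bool> is_double;  // one bit per field: true for an unboxed double
};

// Selection logic: a descriptor is fast iff it fits in the inline form.
LayoutDescriptor NewDescriptor(const SmiConfig& cfg, int length) {
  LayoutDescriptor d;
  d.length = length;
  d.fast = length <= cfg.bits_in_fast_layout;
  d.is_double.assign(length, false);
  return d;
}

// Invariant as quoted in the bug, evaluated for a descriptor in slow mode:
//   DCHECK_LT(kSmiValueSize, layout_descriptor_length)
bool SlowInvariantOriginal(const SmiConfig& cfg, const LayoutDescriptor& d) {
  return cfg.smi_value_size < d.length;
}

// Same invariant tied to the constant the selection logic actually uses.
bool SlowInvariantFixed(const SmiConfig& cfg, const LayoutDescriptor& d) {
  return cfg.bits_in_fast_layout < d.length;
}

using Invariant = bool (*)(const SmiConfig&, const LayoutDescriptor&);

// Walk every length up to max_length and return the first slow-mode length for
// which the given invariant does not hold, or -1 if it holds for all of them.
int FirstFailingLength(const SmiConfig& cfg, Invariant check, int max_length) {
  for (int len = 1; len <= max_length; ++len) {
    LayoutDescriptor d = NewDescriptor(cfg, len);
    if (d.fast) continue;  // the check is only reached in slow mode
    if (!check(cfg, d)) return len;
  }
  return -1;
}

int main() {
  // Classic 64-bit build: both forms of the check agree.
  assert(FirstFailingLength(kSmi32, SlowInvariantOriginal, 64) == -1);
  assert(FirstFailingLength(kSmi32, SlowInvariantFixed, 64) == -1);
  // 31-bit Smis: the original check rejects a legitimate slow descriptor of
  // length 31, which is exactly a DCHECK failure with no memory-safety effect.
  assert(FirstFailingLength(kSmi31, SlowInvariantOriginal, 64) == 31);
  assert(FirstFailingLength(kSmi31, SlowInvariantFixed, 64) == -1);
  return 0;
}
```

The practical takeaway is the one the thread reaches: when a debug assertion encodes a threshold that the data-representation code derives from a platform constant, the assertion should reference that derived constant rather than the raw platform value, so that a later change to the Smi width (or any similar build-level knob) cannot leave the two out of step.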
Labels: Security_Impact-None
Security_Impact-None, based on #c4 and the CL.
Labels: M-70
Comment 7 by ClusterFuzz (Project Member), Aug 24

ClusterFuzz has detected this issue as fixed in range 55332:55333.

Detailed report: https://clusterfuzz.com/testcase?key=5767277283377152

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  kSmiValueSize < layout_descriptor_length in layout-descriptor.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55268:55269
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55332:55333

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5767277283377152

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by ClusterFuzz (Project Member), Aug 24

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5767277283377152 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 9 by bugdroid1@chromium.org (Project Member), Aug 24

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/57c8c85b9f06d4be03ce3c12d1b286b8f2245030

commit 57c8c85b9f06d4be03ce3c12d1b286b8f2245030
Author: Igor Sheludko <ishell@chromium.org>
Date: Fri Aug 24 09:17:36 2018

[ptr-compr] Fix assert in LayoutDescriptor which failed with 31-bit Smis.

Bug: v8:7703, chromium:876696
Change-Id: Ida3243414215b2ef75a9875ca31cf5a68274f7e0
Reviewed-on: https://chromium-review.googlesource.com/1185186
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55383}
[modify] https://crrev.com/57c8c85b9f06d4be03ce3c12d1b286b8f2245030/src/layout-descriptor.cc

Comment 10 by sheriffbot@chromium.org (Project Member), Aug 24

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 11 Deleted

@awhalley I don't see the duped bug here. When did the internal fuzzers find this?
Labels: -reward-0 reward-topanel
Sorry, double checking - had some automation hiccups.
Labels: -reward-topanel reward-0
Hi decoder.oh@ - pardon the previous confusion.

The VRP panel did, however, decline to reward as the bug was just in the DCHECK itself, so there was no actual security impact.
Comment 15 by sheriffbot@chromium.org (Project Member), Nov 30

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
