
Issue 886917


Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 20
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




crash in arrayslice function

Reported by yngwe...@gmail.com, Sep 19

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce the problem:
1. Open the Chrome browser ("./chrome").
2. Drag poc.html into it.
3. Get a crash.

I don't understand what is really going on

What is the expected behavior?

What went wrong?
I reproduced it in V8 6.3.292.48 and Chrome 69.0.3497.100.
V8 WinDbg stack backtrace:
 # Child-SP          RetAddr           Call Site
00 00000039`6abfd6a8 00007ff7`2b673aa1 0x0
01 00000039`6abfd6b0 00007ff7`2b08e7f0 d8_exe!v8::base::OS::Abort+0x11 [d:\work\browser\chrome\v8-otherversion\v8\src\base\platform\platform-win32.cc @ 879] 
02 00000039`6abfd6e0 00007ff7`2b082194 d8_exe!v8::Utils::ReportOOMFailure+0xa0 [d:\work\browser\chrome\v8-otherversion\v8\src\api.cc @ 427] 
03 00000039`6abfd710 00007ff7`2b2e80b8 d8_exe!v8::internal::V8::FatalProcessOutOfMemory+0x244 [d:\work\browser\chrome\v8-otherversion\v8\src\api.cc @ 400] 
04 00000039`6abfed00 00007ff7`2b2ea5de d8_exe!v8::internal::Factory::NewFixedDoubleArray+0x198 [d:\work\browser\chrome\v8-otherversion\v8\src\factory.cc @ 259] 
05 00000039`6abfed60 00007ff7`2b2ea18d d8_exe!v8::internal::Factory::NewJSArrayStorage+0x12e [d:\work\browser\chrome\v8-otherversion\v8\src\factory.cc @ 2029] 
06 00000039`6abfede0 00007ff7`2b2d3897 d8_exe!v8::internal::Factory::NewJSArray+0x3d [d:\work\browser\chrome\v8-otherversion\v8\src\factory.cc @ 1995] 
07 (Inline Function) --------`-------- d8_exe!v8::internal::`anonymous-namespace'::FastElementsAccessor<v8::internal::`anonymous namespace'::FastHoleyDoubleElementsAccessor,v8::internal::A0x45f5b220::ElementsKindTraits<5> >::SliceImpl+0x95 [d:\work\browser\chrome\v8-otherversion\v8\src\elements.cc @ 2120] 
08 00000039`6abfee20 00007ff7`2b0df44c d8_exe!v8::internal::`anonymous namespace'::ElementsAccessorBase<v8::internal::`anonymous namespace'::FastHoleyDoubleElementsAccessor,v8::internal::A0x45f5b220::ElementsKindTraits<5> >::Slice+0xa7 [d:\work\browser\chrome\v8-otherversion\v8\src\elements.cc @ 702] 
09 00000039`6abfee80 00007ff7`2b0de76b d8_exe!v8::internal::Builtin_Impl_ArraySlice+0x37c [d:\work\browser\chrome\v8-otherversion\v8\src\builtins\builtins-array.cc @ 330] 
0a 00000039`6abfef50 000001e0`12687421 d8_exe!v8::internal::Builtin_ArraySlice+0x3b [d:\work\browser\chrome\v8-otherversion\v8\src\builtins\builtins-array.cc @ 264] 
0b 00000039`6abfef90 000003c5`8e3aa1b8 0x000001e0`12687421
0c 00000039`6abfef98 00000039`6abfefe8 0x000003c5`8e3aa1b8
0d 00000039`6abfefa0 000003c5`8e3a2201 0x00000039`6abfefe8
0e 00000039`6abfefa8 00000000`01000000 0x000003c5`8e3a2201
0f 00000039`6abfefb0 00000000`00000018 0x1000000
10 00000039`6abfefb8 000003ab`3b2846c1 0x18
11 00000039`6abfefc0 00000001`00000000 0x000003ab`3b2846c1
12 00000039`6abfefc8 000001e0`12687361 0x00000001`00000000
13 00000039`6abfefd0 00000039`6abfef90 0x000001e0`12687361
14 00000039`6abfefd8 00000000`00000024 0x00000039`6abfef90
15 00000039`6abfefe0 00000039`6abff098 0x24
16 00000039`6abfefe8 000001e0`12773234 0x00000039`6abff098
17 00000039`6abfeff0 000000ff`97d822e1 0x000001e0`12773234
18 00000039`6abfeff8 000002da`83987a59 0x000000ff`97d822e1
19 00000039`6abff000 00000006`00000000 0x000002da`83987a59
1a 00000039`6abff008 00010000`00000000 0x00000006`00000000
1b 00000039`6abff010 00000000`00000000 0x00010000`00000000

Did this work before? N/A 

Chrome version: 69.0.3497.100  Channel: stable
OS Version: 10.0
Flash Version:
 
Attachment: poc.html (1.3 KB)
Components: Blink>JavaScript

Comment 2 by ClusterFuzz, Sep 19

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6243631525265408.

Comment 3 by ClusterFuzz, Sep 19

Testcase 6243631525265408 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=6243631525265408.
Status: WontFix (was: Unconfirmed)
Looks like an out of memory, so I'm assuming there's not much we could do here.

Comment 5 by sheriffbot@chromium.org, Dec 28

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
