
Issue 887891


Issue metadata

Status: Verified
Owner:
Closed: Sep 21
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

CHECK failure: byte_length() <= JSArrayBuffer::kMaxByteLength in objects-debug.cc

Project Member Reported by ClusterFuzz, Sep 21

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6102820754030592

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  byte_length() <= JSArrayBuffer::kMaxByteLength in objects-debug.cc
  v8::internal::JSArrayBufferView::JSArrayBufferViewVerify
  v8::internal::JSTypedArray::JSTypedArrayVerify
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=56007:56008

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6102820754030592

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz, Sep 21

Labels: Test-Predator-Auto-Owner
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/5cfe1a6b121ad004ec3d73b137f84f558aac0efd ([es2015] Change JSArrayBufferView::byte_length/byte_offset to uintptr_t.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2 by bugdroid1@chromium.org, Sep 21

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/129f7701489c4a9dee0bffac8a5d638f35955842

commit 129f7701489c4a9dee0bffac8a5d638f35955842
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Fri Sep 21 12:02:12 2018

[es2015] Setup JSTypedArray after allocating the JSArrayBuffer.

When constructing a TypedArray by length, only actually set up the
JSTypedArray instance once the buffer is allocated, as only at that
time it's known whether the byte length is fine. Otherwise we confuse
the heap verifier.

Bug: chromium:887891
Change-Id: I407ff9a2a053dd11ef764e4e32f482abb27eb0a8
Reviewed-on: https://chromium-review.googlesource.com/1238494
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56131}
[modify] https://crrev.com/129f7701489c4a9dee0bffac8a5d638f35955842/src/builtins/builtins-typed-array-gen.cc
[add] https://crrev.com/129f7701489c4a9dee0bffac8a5d638f35955842/test/mjsunit/regress/regress-crbug-887891.js

Status: Fixed (was: Assigned)

Comment 4 by sheriffbot@chromium.org, Sep 21

Labels: Pri-1

Comment 5 by sheriffbot@chromium.org, Sep 21

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 6 by ClusterFuzz, Sep 22

ClusterFuzz has detected this issue as fixed in range 56130:56131.
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=56007:56008
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=56130:56131

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz, Sep 22

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6102820754030592 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by sheriffbot@chromium.org, Dec 28

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot