Null-dereference READ in context

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5669903749873664

Fuzzer: mbarbella_js_mutation
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000027
Crash State:
  context
  native_context
  v8::internal::ClassBoilerplate::BuildClassBoilerplate

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=56592:56593

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5669903749873664

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Oct 24

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/f6a8576897807527579fe066c7228ec6fa499fcb

commit f6a8576897807527579fe066c7228ec6fa499fcb
Author: Ross McIlroy <rmcilroy@chromium.org>
Date: Wed Oct 24 16:19:20 2018

[Compile] Remove unnecessary class_function_descriptors access.

BuildClassBoilerplate accessed the native context to get the
class_function_descriptors. Baseline compilation should be native context
independent, so we shouldn't access the native context at all. As it happens,
class_function_descriptors wasn't used so can just be removed.

BUG=chromium:898076, v8:8041
Change-Id: If9c0edf3dfde68c76ea87820f9d4b080aac6d60e
Reviewed-on: https://chromium-review.googlesource.com/c/1298033
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56958}

[modify] https://crrev.com/f6a8576897807527579fe066c7228ec6fa499fcb/src/objects/literal-objects.cc
[modify] https://crrev.com/f6a8576897807527579fe066c7228ec6fa499fcb/test/mjsunit/parallel-compile-tasks.js
Oct 25

ClusterFuzz has detected this issue as fixed in range 56957:56958.

Detailed report: https://clusterfuzz.com/testcase?key=5669903749873664

Fuzzer: mbarbella_js_mutation
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000027
Crash State:
  context
  native_context
  v8::internal::ClassBoilerplate::BuildClassBoilerplate

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=56592:56593
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=56957:56958

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5669903749873664

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 25

ClusterFuzz testcase 5669903749873664 is verified as fixed, so closing issue as verified.

If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Oct 25

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/9cde8808561419beed5e1df2cfd7fc8100a4fec4

commit 9cde8808561419beed5e1df2cfd7fc8100a4fec4
Author: Ross McIlroy <rmcilroy@chromium.org>
Date: Thu Oct 25 11:03:33 2018

[Compile] Ensure we don't access the native context during bytecode finalization.

Resets the isolate's context to nullptr in debug builds during bytecode finalization
to ensure that we don't rely on the native context during context independent
unoptimized compilation.

BUG=chromium:898076, v8:8041
Change-Id: Ifaa5006a7a3d31d7fbd535ebb63f8889c75526c4
Reviewed-on: https://chromium-review.googlesource.com/c/1297961
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56979}

[modify] https://crrev.com/9cde8808561419beed5e1df2cfd7fc8100a4fec4/src/compiler.cc
[modify] https://crrev.com/9cde8808561419beed5e1df2cfd7fc8100a4fec4/src/interpreter/bytecode-generator.cc
[modify] https://crrev.com/9cde8808561419beed5e1df2cfd7fc8100a4fec4/test/cctest/profiler-extension.cc
[modify] https://crrev.com/9cde8808561419beed5e1df2cfd7fc8100a4fec4/test/cctest/test-api.cc
[modify] https://crrev.com/9cde8808561419beed5e1df2cfd7fc8100a4fec4/test/cctest/trace-extension.cc
Oct 25

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/ef503f0757725251a49a2a9b806191547032e3bb

commit ef503f0757725251a49a2a9b806191547032e3bb
Author: Michael Achenbach <machenbach@chromium.org>
Date: Thu Oct 25 19:45:09 2018

Revert "[Compile] Ensure we don't access the native context during bytecode finalization."

This reverts commit 9cde8808561419beed5e1df2cfd7fc8100a4fec4.

Reason for revert:
https://ci.chromium.org/p/v8/builders/luci.v8.ci/Linux%20V8%20FYI%20Release%20(NVIDIA)/3086

Original change's description:
> [Compile] Ensure we don't access the native context during bytecode finalization.
>
> Resets the isolate's context to nullptr in debug builds during bytecode finalization
> to ensure that we don't rely on the native context during context independent
> unoptimized compilation.
>
> BUG=chromium:898076, v8:8041
>
> Change-Id: Ifaa5006a7a3d31d7fbd535ebb63f8889c75526c4
> Reviewed-on: https://chromium-review.googlesource.com/c/1297961
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#56979}

TBR=rmcilroy@chromium.org,mstarzinger@chromium.org,leszeks@chromium.org

Change-Id: I363bc9db3f4b89e46ecdaf41c101f7fc1145a325
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:898076, v8:8041
Reviewed-on: https://chromium-review.googlesource.com/c/1299247
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57007}

[modify] https://crrev.com/ef503f0757725251a49a2a9b806191547032e3bb/src/compiler.cc
[modify] https://crrev.com/ef503f0757725251a49a2a9b806191547032e3bb/src/interpreter/bytecode-generator.cc
[modify] https://crrev.com/ef503f0757725251a49a2a9b806191547032e3bb/test/cctest/profiler-extension.cc
[modify] https://crrev.com/ef503f0757725251a49a2a9b806191547032e3bb/test/cctest/test-api.cc
[modify] https://crrev.com/ef503f0757725251a49a2a9b806191547032e3bb/test/cctest/trace-extension.cc
Oct 26

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a9eab1ea936b6adbea095cff6572f269a7352ed3

commit a9eab1ea936b6adbea095cff6572f269a7352ed3
Author: Ross McIlroy <rmcilroy@chromium.org>
Date: Fri Oct 26 12:06:48 2018

Avoid accessing context when generating NativeFunctionTemplate in SafeBuiltins.

The V8 context shouldn't be accessed when generating context independent code.
Convert some string equality operations which require a context to the
StringEquals function which does not.

BUG=chromium:898076
Change-Id: Ia9a01b27fa9fcfc0c19268a3c862f2174eda7e1d
Reviewed-on: https://chromium-review.googlesource.com/c/1301459
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#603061}

[modify] https://crrev.com/a9eab1ea936b6adbea095cff6572f269a7352ed3/extensions/renderer/safe_builtins.cc
Oct 26

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/073d0d5ee628307dcdbbb86edb4ce3dd7e9d5676

commit 073d0d5ee628307dcdbbb86edb4ce3dd7e9d5676
Author: Ross McIlroy <rmcilroy@chromium.org>
Date: Fri Oct 26 22:33:56 2018

Reland "[Compile] Ensure we don't access the native context during bytecode finalization."

This is a reland of 9cde8808561419beed5e1df2cfd7fc8100a4fec4 now the underlying
problem in Chromium is fixed by:
https://chromium-review.googlesource.com/c/chromium/src/+/1301459

Original change's description:
> [Compile] Ensure we don't access the native context during bytecode finalization.
>
> Resets the isolate's context to nullptr in debug builds during bytecode finalization
> to ensure that we don't rely on the native context during context independent
> unoptimized compilation.
>
> BUG=chromium:898076, v8:8041
>
> Change-Id: Ifaa5006a7a3d31d7fbd535ebb63f8889c75526c4
> Reviewed-on: https://chromium-review.googlesource.com/c/1297961
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#56979}

TBR=leszeks@chromium.org

Bug: chromium:898076, v8:8041
Change-Id: I11904e19e843b0eadab698196ac1ef9c7aeec766
Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel; luci.chromium.try:linux_chromium_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/1301480
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57048}

[modify] https://crrev.com/073d0d5ee628307dcdbbb86edb4ce3dd7e9d5676/src/compiler.cc
[modify] https://crrev.com/073d0d5ee628307dcdbbb86edb4ce3dd7e9d5676/src/interpreter/bytecode-generator.cc
[modify] https://crrev.com/073d0d5ee628307dcdbbb86edb4ce3dd7e9d5676/test/cctest/profiler-extension.cc
[modify] https://crrev.com/073d0d5ee628307dcdbbb86edb4ce3dd7e9d5676/test/cctest/test-api.cc
[modify] https://crrev.com/073d0d5ee628307dcdbbb86edb4ce3dd7e9d5676/test/cctest/trace-extension.cc
Comment 1 by ClusterFuzz, Oct 23

Owner: rmcilroy@chromium.org
Status: Assigned (was: Untriaged)