Issue 899535

Issue metadata

Status: Verified
Owner:
Closed: Oct 29
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: ----
Type: Bug

Check failed: !v8::internal::FLAG_enable_slow_asserts || (object->IsFixedDoubleArray())

Reported by cloudfuz...@gmail.com, Oct 28

Issue description

VULNERABILITY DETAILS
The following testcase crashes the latest trunk build of d8 on ARM64

VERSION
Chrome Version: trunk build of d8 on ARM64
Operating System: Linux ARM64

REPRODUCTION CASE
o1=[1.1,2.2,3.3];
o14=[1.1,2.2,3.3];
o14.toString=f;                     // f is a hoisted function declaration, defined below
o1['push'](undefined,1,o14,24,14);  // o1 now holds o14, so stringifying o1 stringifies o14
o67=[1.1,2.2,3.3];                  // packed double elements
// fromIndex is o1: converting it to an integer calls o1.toString -> o14.toString -> f,
// which empties o67 after includes has already read its length (3, see frame #3)
o67['includes'](19,o1,'A',undefined);
function f() {
        o67['splice']('A');         // start 'A' coerces to 0, no deleteCount: removes every element
}

Type of crash: assertion
Crash State: 

# Fatal error in ../../src/objects/fixed-array-inl.h, line 25
# Check failed: !v8::internal::FLAG_enable_slow_asserts || (object->IsFixedDoubleArray()).

(lldb) bt 10
* thread #1, name = 'd8', stop reason = signal SIGTRAP
  * frame #0: 0x0000005556dc9580 d8`v8::base::OS::Abort() at platform-posix.cc:397
    frame #1: 0x0000005556dc2b80 d8`V8_Fatal(file=<unavailable>, line=<unavailable>, format=<unavailable>) at logging.cc:171
    frame #2: 0x0000005555f5263c d8`v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedDoubleElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)4> >::IncludesValue(v8::internal::Isolate*, v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::Object>, unsigned int, unsigned int) [inlined] v8::internal::(anonymous namespace)::FastElementsAccessor<v8::internal::(isolate=<unavailable>, receiver=Handle<v8::internal::JSObject> @ 0x0000007fffffe638, search_value=Handle<v8::internal::Object> @ 0x0000007fffffe628, start_from=0, length=0)::FastPackedDoubleElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)4> >::IncludesValueImpl(v8::internal::Isolate*, v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::Object>, unsigned int, unsigned int) at elements.cc:0
    frame #3: 0x0000005555f5237c d8`v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(this=<unavailable>, isolate=<unavailable>, receiver=<unavailable>, value=<unavailable>, start_from=0, length=3)::FastPackedDoubleElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)4> >::IncludesValue(v8::internal::Isolate*, v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::Object>, unsigned int, unsigned int) at elements.cc:1305
    frame #4: 0x00000055563e3a54 d8`v8::internal::__RT_impl_Runtime_ArrayIncludes_Slow(args=<unavailable>, isolate=<unavailable>) at runtime-array.cc:806
    frame #5: 0x0000005556a8fc48 d8`Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit + 136
    frame #6: 0x00000055567f2580 d8`Builtins_ArrayIncludes + 1792
    frame #7: 0x0000000024493bb0
    frame #8: 0x0000005556787fec d8`Builtins_JSEntryTrampoline + 172
    frame #9: 0x000000002448215c

Comment 1 by ClusterFuzz (Project Member), Oct 29

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5983439600484352.
Comment 2 by ClusterFuzz (Project Member), Oct 29

Labels: OS-Linux
Comment 3 by ClusterFuzz (Project Member), Oct 29

Detailed report: https://clusterfuzz.com/testcase?key=5983439600484352

Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsFixedDoubleArray()) in fix
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=43322:43323

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5983439600484352

See https://github.com/google/clusterfuzz-tools for more information.
Labels: Security_Severity-High Security_Impact-Head
Owner: tebbi@chromium.org
Status: Assigned (was: Unconfirmed)
This was marked a dupe of bug 899218. 

tebbi, can you please check if this is the same?
Components: Blink>JavaScript
They seem related, I'll have to investigate them in detail.
Status: Started (was: Assigned)
Yes, they are duplicates, and neither of the regression ranges points to the actual issue, this is a long-standing issue. I'll write a fix.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Head -Security_Severity-High Type-Bug
Summary: Check failed: !v8::internal::FLAG_enable_slow_asserts || (object->IsFixedDoubleArray()) (was: Security: Check failed: !v8::internal::FLAG_enable_slow_asserts || (object->IsFixedDoubleArray()))
This is not a security issue: In the case where the wrong cast happens, it is never accessed.
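The re-entrancy the testcase relies on is ordinary ECMA-262 behaviour: includes reads "length" once, then coerces fromIndex (which may run user code), and only then reads elements. The following is an added example, not code from this bug thread or from V8's regression test, showing what a fixed engine returns when the fromIndex coercion empties the receiver mid-call; reentrantFromIndex and emptyViaSplice are constructed helpers.

```javascript
// Added illustration (not V8 code). Per ECMA-262, Array.prototype.includes
// captures len, coerces fromIndex, then Get()s each index below len and treats
// vacated indices as undefined; indexOf uses HasProperty and skips them. An
// engine therefore cannot trust the backing store it saw before the coercion,
// which is the cast crbug 899535 got wrong for an emptied double array.

// Constructed fromIndex: its coercion runs sideEffect(arr) and then yields 0,
// mirroring the o14.toString -> o67.splice('A') chain in the reporter's testcase.
function reentrantFromIndex(arr, sideEffect) {
  return { valueOf() { sideEffect(arr); return 0; } };
}

// splice('A'): start coerces NaN -> 0, deleteCount is absent, so every
// element is removed and arr.length becomes 0 while includes is still running.
function emptyViaSplice(arr) {
  arr.splice('A');
}

// includes() on an array that is emptied while fromIndex is being coerced.
function includesAfterEmptying(arr, search) {
  return arr.includes(search, reentrantFromIndex(arr, emptyViaSplice));
}

// The same mutation observed through indexOf (HasProperty semantics).
function indexOfAfterEmptying(arr, search) {
  return arr.indexOf(search, reentrantFromIndex(arr, emptyViaSplice));
}

// Control without re-entrancy, so the ordinary answer is visible alongside.
function includesWithoutMutation(arr, search) {
  return arr.includes(search, 0);
}
```

On a fixed engine the double-array call simply reports that 2.2 is no longer present, while a generic-element array searched for undefined after emptying reports true, because every index below the captured length now reads as undefined.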
Comment 9 by bugdroid1@chromium.org (Project Member), Oct 29

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f942791b806b0503f4fbc342ad4a88caaae553c0

commit f942791b806b0503f4fbc342ad4a88caaae553c0
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Mon Oct 29 20:37:03 2018

[elements] fix wrong cast of empty FixedArray in Array.prototype.includes

Bug:  chromium:899535 
Change-Id: I468912afca9187b47ae94fbbcff79e175fa1e686
Reviewed-on: https://chromium-review.googlesource.com/c/1304296
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57101}
[modify] https://crrev.com/f942791b806b0503f4fbc342ad4a88caaae553c0/src/elements.cc
[modify] https://crrev.com/f942791b806b0503f4fbc342ad4a88caaae553c0/test/mjsunit/es7/array-includes.js
[add] https://crrev.com/f942791b806b0503f4fbc342ad4a88caaae553c0/test/mjsunit/regress/regress-crbug-899535.js

Status: Fixed (was: Started)
Comment 11 by ClusterFuzz (Project Member), Oct 30

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6374053756272640 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 12 by ClusterFuzz (Project Member), Oct 30

ClusterFuzz has detected this issue as fixed in range 57100:57101.

Detailed report: https://clusterfuzz.com/testcase?key=5983439600484352

Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsFixedDoubleArray()) in fix
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=43322:43323
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=57100:57101

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5983439600484352

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.