Our fuzzer detected inconsistencies in JavaScript chrome and firefox engines
Reported by
xmillsa@tutanota.com,
Nov 8
|
||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 Steps to reproduce the problem: 1. Open index.htm from fuzzer.zip 2. Wait for it to compute the result What is the expected behavior? Not sure. What went wrong? On chrome 67.0.3396.87 the result is 1 On chrome 70.0.3538.77 the result is 0 On Firefox the result is 1 Did this work before? Yes 67.0.3396.87 Chrome version: 70.0.3538.77 Channel: stable OS Version: 6.3 Flash Version: / We made a fuzzer to generate random javascript code and test in different browsers. The code is not completely random, but it uses random combination of predefined functions. What the code does is not clear, but obviously results differ between chrome and firefox, but also between different versions of chrome. The set of predefined functions that this script uses doesn't include environmental variables like navigator.userAgent and similar, only elemantray operators and array functions, so if results differ it is probably related to the javascript engine itself. We also tried to debug the script to find out where exactly the result is different from firefox, but we gave up.
,
Nov 8
Able to reproduce the issue on reported version 70.0.3538.77 and latest chrome 72.0.3604.0 using Mac 10.12.6, Ubuntu 14.04 and Windows-10, hence providing Bisect Info Bisect Info: ================ Good build: 70.0.3530.0 Bad build: 70.0.3531.0 On running per-revision bisect faced error(RuntimeError: We don't have enough builds to bisect. revlist: []), hence providing below change-log from chromium bisect You are probably looking for a change made after 585456 (known good), but no later than 585470 (first known bad). Change-Log: https://chromium.googlesource.com/chromium/src/+log/ac0405676146ce76211b297659aecd91714564f5..548ac6ffdaac420fbc90a96f09104ef401bc2c38 Note: Tentatively adding Blink>JavaScript component to it, unable to find the correct suspect from above change log, hence marking this issue as Untriaged and requesting someone from the Dev team help in assigning it to correct owner. Adding ReleaseBlock-Stable for M-71, feel free to remove it if not applicable. Thanks!
,
Nov 8
,
Nov 13
Friendly ping to look into this issue and to provide further update on this issue as it has been marked as a stable blocker. Thanks!
,
Nov 13
Assigning to Toon, who can either take a look or continue routing...
,
Nov 13
,
Nov 13
Reminder M71 Stable is approaching VERY soon. Please review this bug and assess if this is indeed a RBS. If not, please remove the RBS label. If so, please make sure any planned work will be tested in Beta and verified before the Stable date. Thank you. Requesting to take a look at M71 blockers ASAP due to upcoming Thanksgiving holidays next week.
,
Nov 15
Reminder M71 Stable is approaching VERY soon. Please review this bug and assess if this is indeed a RBS. If not, please remove the RBS label. If so, please make sure any planned work will be tested in Beta and verified before the Stable date. Thank you. Requesting to take a look at M71 blockers ASAP due to upcoming Thanksgiving holidays next week.
,
Nov 15
As this is regressed in M70, not a blocker for M71. Pls target fix for M72.
,
Nov 16
d8 only version (not further minified):
func=a=>(D=>{var[z,v,A,B,G,X]=(L=>L(L))((L,i=[0xd80a2ea6],q=o=>q[o|=0]||(q[o]=((
a,b)=>[[14,60,12,81,14,7,0],[37,93,41,69],[22,60,7,75,12,93],[9,71,54,16,60,56],
[66,71,31,60,54,37],[75,60,12,66,24,7,33,14,43,39,60,14,12,19,63,9,29,60,69],[14
,60,16,88,54,60],[72,72,72],[75,60,37,33,14,43,12,43,12,19,39,60,66,56],[54,43,7
,69,12,14,88,54,12,43,14],[69,39,96,41,12],[31,43,41,7],[29,9,39],[41,7,86,60,52
,66,56],[39,88,69,93],[56,41,7,86],[14,60,39,60,9,37],[69,22,41,54,60],[29,9,12,
54,93],[69,39,96,41,54,60],[81,7,69,93,41,56,37],[41,7,54,96,88,86,60,69],[39,43
,39],[27,9,14]][a=(a+1).match(/.*/g).join``,b].map(b=>a[b]).join``)((K,H)=>n*a%[
t%r-d](y/[l(w)|v>m/j(P),(t>p-i&o),b]+E)>x%c[f]/[e]%N/[O][s,b.Y*g]+[D-u/R](d,u)%D
%h&(l),o)),p=o=>q[q(9)](q(23)+`${({}+p)[7]}g=${1/o?q(o):o};${q()}g)`)(p),b={o:[p
(1)],u:D=D[q(17)](1),x:[],Y:[]},g=p((((o,u,x,{b,B,f,t}=g)=>x||1/x?o[u](y(x)):u||
1/u?1/o?g(t.m[o],u):B[t(21)](o)?(b[t(14)](g(u)),B=t.p(b.w,f)+1,f(o),b.w[t(2)]=B,
[t.p(b)[0],b[t(22)]()][0]):o(y(u)):[y(o)])+[])[q(10)]`y`[q(11)](q(7)+`g.s`)),R=(
o,u)=>g([u][q(9)](o))[q(12)]((o,x)=>u(x)),Q=(Q=>R(1<<8,r=>p(`'\\x${Q(r>>4)}${Q(r
&15)}'`)))(o=>o>9?q(3)[o-10]:o,g.s=o=>o[q(21)]?o:[o]),O=o=>Q[q(13)](o[0]),P=o=>Q
[o&255],U=o=>g(o==L?o+U:o+(U.o||(U.o=U(L))))[q(6)]((o,u)=>u[q(18)](q(7)[0])?O(u)
+(o<<6)+(o<<16)-o|0:o,0))=>[o=>R(4,(r,s=(o>>(r<<3))&255)=>P(r&&(s&64)?s%10+48:s%
26+(s&128?65:97)),o=U(`${X(o,z)+1?o:''}`))[q(11)]``,(o,u=o,x=b.o[0])=>b.x[u]||x[
q(4)][q(5)](o=o!=v.b?o:i)[q(15)](o=>z(o)==u&&(b.x[u]=o,1))||(o!=i?v(x[q(4)][q(8)
](o),u):u),[(o,u)=>g(o,u),(o,u,x)=>g(o,v(o,u),x),o=>b.o[o],(O,u)=>b.o[u]=O,()=>X
(b.u),(o,u)=>o[v(o,u)],(O,u,x)=>O[v(O,u)]=x,()=>[],(o,u)=>(o[q(14)](u),o),O=>O,(
O,u)=>[b[u],b[O]]=[(b=b.u)[O=X(b,q)-O],b[u=X(b,X)-u]],o=>typeof(o),o=>X(b.Y)[o],
(O,u)=>X(b.Y)[u]=O,(o,u,x)=>o&&g(u,x),(o,u,x,c,i)=>o?g(u,x):g(c,i),(o,u,x)=>o?u:
x,o=>-o,o=>!o,o=>~o,(o,u)=>{while(A.s=g(o,u));return(A.s)},o=>(...u)=>g(q.m[o],u
),o=>z(o),()=>b.c],((V,M)=>(o,u=-1,c,t=0,i='',W=(r,x)=>(c+=r,c=O(c[O(c[1])-40?1:
2]),c=(c>64&c<91)*2|(c=P(c))=='b'|c=='B',x=b.u[q(19)](X(b.u,q)-X(r,v)+c%2),c&1&&
x[q(20)](b),x=g(r,x),c&2||V(x)))=>g(o+[D.o])[q(12)]((x,r)=>r>2&(r=O(x))>32&&(c=(
r>64&r<91)*2|r>96&r<123,u+1&&(c||1/x)?X(u+=x,B)-3||(V(u),u=-1):1/x?V(x|0):t?c?--
t||(W(B[i]||(B[i]=p((M+[])[q(10)]`+`[q(11)](i)))),i=''):t-1||(i+=x):c&2?r-65?t=1
:u='':c&1?W(A[r-97]):0)).o)(o=>b.u[q(14)](o),(o,u)=>o+u),o=>(q.p=X,q.m=o,(b.Y.w=
b.u,g).B=o)[g.b=(b.c=[b.o, b.Y, b.u],b).Y,q(2)]&&g(o[g.f=B,g.t=q,0],b.o),(o,u)=>
[u,u=o[q(2)]-1][0]?u:o[u]]);G([K=>0*[2]&d<[3>v&h]+u,k=>[0/m]&(0&t,r|(m)&[B>W],0)
-[n],f=>(1,v)+[1,3]%j/[c/n],n=>0-c+h%0+1<d<h/(1*e)+(B+B<5<B-X)^(7)|B*Q<(5)-[B/T*
8-B|t%[4],B&f]>[5/B^I]|[i]>1*l-w<A*B/y*f^W&f<t/(2)^c>e-1*B+O>[2]%d&[h]&(B+F^w)/A
&s>5|S%A&(B!=j)>0|(n)&s%[i%2>h]/(B<L)/(A>z<n&3^m<A<L%3*P|3)*(q>h/(3)|h)<(2)/3*[q
]>1%[v*[0]&v]|(h,[p,2^v]&h)<o^i%b>A%X%1|e+y*f*(x>(l,w)/A<A*I+9*5<B==D^[B^C,[g]])
])})``;
func()
print(this[''])
,
Nov 16
This bisects to when we switched to TimSort. I presume it's just because the sorting order is different between old-V8, FF, and new-V8? It does call sort...
,
Nov 16
Thanks for the d8 repro! Here's an instrumented version:
const A_p_sort = Array.prototype.sort;
Array.prototype.sort = function(a) {
console.log("Input:", this, this.length);
console.log(a);
const result = A_p_sort.call(this,
(x, y) => { const result = a(x, y); console.log("cmp", x, y, result); return result; });
console.log("Result:", result);
return result;
}
/* The rest as above */
Output by d8:
Input: 1,false 2
(...u)=>g(q.m[o],u) // This is the comparison function.
cmp false 1 false
Result: 1,false
The comparison function is inconsistent, in which case the result of the operation is undefined by the spec.
See http://www.ecma-international.org/ecma-262/6.0/#sec-array.prototype.sort.
|
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by vamshi.kommuri@chromium.org
, Nov 8