Can't Repro

Vulnerability

Status Update

No update yet.

Description

2r...@linchpin8.com

created issue #1

Nov 6, 2024 02:09PM

VULNERABILITY DETAILS

An attempt to set the tearing state by a function that does not have a feedback vector was detected.

This may affect the optimisation state and is currently being analysed in more detail.

VERSION

Chrome Version: V8 Main branch commit df246c4b Operating System: Ubuntu 24.04 LTS

REPRODUCTION CASE

./d8 --expose-gc --allow-natives-syntax ./poc.js

Type of crash: SEGV_ACCERR

Crash State:

Received signal 11 <unknown> 3afc00049c3c

==== C stack trace ===============================

 [0x5cee7f4da19d]
 [0x7eca0c245320]
 [0x5cee7f5c0b4f]
 [0x5cee7f878c63]
 [0x5cee80f191d4]
 [0x5cee80f18792]
 [0x5cee835c0a76]
[end of stack trace]
zsh: segmentation fault (core dumped)

#0  Relaxed_ReadField<unsigned int, 0> () at ../../src/objects/objects-inl.h:306
#1  dispatch_handle () at ../../src/objects/js-function-inl.h:266
#2  UpdateCode () at ../../src/objects/js-function-inl.h:160
#3  0x00005555562c4c63 in Compile () at ../../src/objects/js-function-inl.h:84debug2: channel 0: window 999084 sent adjust 49492
#4  0x00005555579651d4 in __RT_impl_Runtime_CompileLazy () at ../../src/runtime/runtime-compiler.cc:73
#5  0x0000555557964792 in Runtime_CompileLazy () at ../../src/runtime/runtime-compiler.cc:54
#6  0x000055555a00ca76 in Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit ()
#7  0x0000555559f563d3 in Builtins_CompileLazy ()
#8  0x00001fb100049c3d in ?? ()
#9  0x00001fb100241a85 in ?? ()
#10 0x0000000000265600 in ?? ()
#11 0x0000000000000001 in ?? ()
#12 0x00001fb100000069 in ?? ()
#13 0x00001fb100049c3d in ?? ()
#14 0x0000000000000024 in ?? ()
#15 0x00007fffffffc500 in ?? ()
#16 0x0000555559f54b90 in Builtins_InterpreterEntryTrampoline ()
#17 0x00001fb100241a25 in ?? ()
#18 0x00001fb100000069 in ?? ()
#19 0x00001fb100048df1 in ?? ()
#20 0x00001fb100049c3d in ?? ()
#21 0x00001fb100000069 in ?? ()
#22 0x00001fb100000069 in ?? ()
#23 0x00000000000000a4 in ?? ()
#24 0x000008a20004010d in ?? ()
#25 0x0000000000000001 in ?? ()
#26 0x00001fb10025937d in ?? ()
#27 0x00001fb1002593bd in ?? ()
#28 0x00007fffffffc528 in ?? ()
#29 0x0000555559f5209c in Builtins_JSEntryTrampoline ()

CREDIT INFORMATION

Reporter credit: Changheon Lee (@2rr0r4o3)

poc.js

274 B

View

Download

Comments

cl...@appspot.gserviceaccount.com <cl...@appspot.gserviceaccount.com> #2Nov 6, 2024 08:36PM

ClusterFuzz is analyzing your testcase. Developers can follow the progress at

https://clusterfuzz.com/testcase?key=4504973861650432.

me...@google.com <me...@google.com> #3Nov 6, 2024 10:32PM

Assigned to sr...@google.com.

Assigning to the current v8 sheriff. Please note that the severity and FoundIn labels are provisional.

pe...@google.com <pe...@google.com> #4Nov 7, 2024 03:38PM

Setting milestone because of s0/s1 severity.

pe...@google.com <pe...@google.com> #5Nov 7, 2024 03:38PM

Setting Priority to P1 to match Severity s1. If this is incorrect, please reset the priority. The automation bot account won't make this change again.

sr...@google.com <sr...@google.com> #6Nov 8, 2024 09:23AM

Marked as fixed, reassigned to ol...@google.com.

This doesn't repro on head anymore and the crash is in leap tiering code. olivf@ fyi.

pe...@google.com <pe...@google.com> #7Nov 8, 2024 03:39PM

Setting milestone because of s0/s1 severity.

2r...@linchpin8.com <2r...@linchpin8.com> #8Nov 9, 2024 04:06PM

Comment has been deleted.

Message last modified on Nov 9, 2024 04:23PM

2r...@linchpin8.com <2r...@linchpin8.com> #9Nov 9, 2024 05:00PM

Comment has been deleted.

Message last modified on Nov 9, 2024 05:04PM

ol...@google.com <ol...@google.com> #10Nov 11, 2024 11:12AM

Status: In Progress (Accepted) (reopened)

Hi @2rr0r403, I cannot repro the issue. Could you please provide more instructions, e.g., your gn args etc.

2r...@linchpin8.com <2r...@linchpin8.com> #11Nov 11, 2024 11:18AM

First of all, I think it's very likely that this issue has already been fixed. This is because fuzzer, which was working on the HEAD commit on the afternoon of 6 November KST, has consistently reported this issue, but has not detected any related issues since around the 8th, when several leap tiering-related commits were merged.

Regardless, I recognise that it is very important to ensure that this issue is fully resolved, and I would like to provide any help that is needed.

The args.gn you're referring to is below.

is_debug = false
dcheck_always_on = true
v8_static_library = true
v8_enable_verify_heap = true
cppgc_enable_verify_heap = true
v8_enable_turboshaft_csa = true
v8_enable_verify_csa = true
is_clang = true
v8_fuzzilli = true
sanitizer_coverage_flags = ‘trace-pc-guard’
is_asan = true
target_cpu = ‘x64’
v8_current_cpu = ‘x64’
v8_target_cpu = ‘x64’
symbol_level = 2
v8_enable_backtrace = true
v8_enable_maglev = true
v8_enable_sparkplug = true
v8_enable_31bit_smis_on_64bit_arch = true
optimise_for_fuzzing = true

2r...@linchpin8.com <2r...@linchpin8.com> #12Nov 11, 2024 11:20AM

Furthermore, since that date (around Nov 8) to the present, both Fuzzer and I are failing to reproduce based on HEAD.

2r...@linchpin8.com <2r...@linchpin8.com> #13Nov 11, 2024 11:34AM

My own assumption is that this was fixed somewhere in one of the four commits below, but I haven't investigated.

c3083403bbc4d99b2a1572016347ebc3bbdf4deb
cb0e7e181d13fd3304e76ea8ed9a87a7c210c392
1fd8ff8c22c8646a9955c60d46b34121199f7d19
4ee8c414aece0f4310d391fec307c7f28663e1fd

ol...@google.com <ol...@google.com> #14Nov 11, 2024 12:00PM

Status: Won't Fix (Not Reproducible)

I am not able to reproduce this at any commit. Feel free to re-open if it re-appears. Thanks.

ph...@google.com <ph...@google.com> #15Feb 20, 2025 05:47PM

This bug has been closed for more than 14 weeks. Removing issue access restrictions.

Chromium

Security: SEGV_ACCERR detected in src/objects/objects-inl.h:306

Status Update

Description

VULNERABILITY DETAILS

VERSION

REPRODUCTION CASE

Crash State:

CREDIT INFORMATION

Comments

cl...@appspot.gserviceaccount.com <cl...@appspot.gserviceaccount.com> #2Nov 6, 2024 08:36PM

me...@google.com <me...@google.com> #3Nov 6, 2024 10:32PM

pe...@google.com <pe...@google.com> #4Nov 7, 2024 03:38PM

pe...@google.com <pe...@google.com> #5Nov 7, 2024 03:38PM

sr...@google.com <sr...@google.com> #6Nov 8, 2024 09:23AM

pe...@google.com <pe...@google.com> #7Nov 8, 2024 03:39PM

2r...@linchpin8.com <2r...@linchpin8.com> #8Nov 9, 2024 04:06PM

2r...@linchpin8.com <2r...@linchpin8.com> #9Nov 9, 2024 05:00PM

ol...@google.com <ol...@google.com> #10Nov 11, 2024 11:12AM

2r...@linchpin8.com <2r...@linchpin8.com> #11Nov 11, 2024 11:18AM

2r...@linchpin8.com <2r...@linchpin8.com> #12Nov 11, 2024 11:20AM

2r...@linchpin8.com <2r...@linchpin8.com> #13Nov 11, 2024 11:34AM

ol...@google.com <ol...@google.com> #14Nov 11, 2024 12:00PM

ph...@google.com <ph...@google.com> #15Feb 20, 2025 05:47PM

Issue 377620834

Description

VULNERABILITY DETAILS

VERSION

REPRODUCTION CASE

Crash State:

CREDIT INFORMATION

Issue summary

Comments

cl...@appspot.gserviceaccount.com <cl...@appspot.gserviceaccount.com> #2Nov 6, 2024 08:36PM

me...@google.com <me...@google.com> #3Nov 6, 2024 10:32PM

pe...@google.com <pe...@google.com> #4Nov 7, 2024 03:38PM

pe...@google.com <pe...@google.com> #5Nov 7, 2024 03:38PM

sr...@google.com <sr...@google.com> #6Nov 8, 2024 09:23AM

pe...@google.com <pe...@google.com> #7Nov 8, 2024 03:39PM

2r...@linchpin8.com <2r...@linchpin8.com> #8Nov 9, 2024 04:06PM

2r...@linchpin8.com <2r...@linchpin8.com> #9Nov 9, 2024 05:00PM

ol...@google.com <ol...@google.com> #10Nov 11, 2024 11:12AM

2r...@linchpin8.com <2r...@linchpin8.com> #11Nov 11, 2024 11:18AM

2r...@linchpin8.com <2r...@linchpin8.com> #12Nov 11, 2024 11:20AM

2r...@linchpin8.com <2r...@linchpin8.com> #13Nov 11, 2024 11:34AM

ol...@google.com <ol...@google.com> #14Nov 11, 2024 12:00PM

ph...@google.com <ph...@google.com> #15Feb 20, 2025 05:47PM

Add comment

Issue metadata