Crash in v8::internal::Isolate::native_context
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6116583216250880
Fuzzer: mbarbella_js_mutation_test262
Job Type: linux_v8_d8_tot
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x000000000027
Crash State:
  v8::internal::Isolate::native_context
  v8::internal::Factory::NewTypeError
  v8::internal::Runtime_ThrowCalledNonCallable
Regressed: V8: r34206:34211
Minimized Testcase (0.64 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97dwXE3V4_PfmrGzMD0EC61M1Tf-jtYR9LCKXP_oHfVepevc2k5hEm_ICNkVw9vvS93_OAXXbsawovCy7Xzgt-UaxW5boUfHgUD_wnAyXTnXQpWc_Togb4vsRhlV-M5taPcaOaC-3RKDnD6ILnzktkbCMen8A
Filer: jarin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 9 2016
ClusterFuzz has detected this issue as fixed in range 34567:34577.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6116583216250880
Fuzzer: mbarbella_js_mutation_test262
Job Type: linux_v8_d8_tot
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x000000000027
Crash State:
  v8::internal::Isolate::native_context
  v8::internal::Factory::NewTypeError
  v8::internal::Runtime_ThrowCalledNonCallable
Regressed: V8: r34206:34211
Fixed: V8: r34567:34577
Minimized Testcase (0.64 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97dwXE3V4_PfmrGzMD0EC61M1Tf-jtYR9LCKXP_oHfVepevc2k5hEm_ICNkVw9vvS93_OAXXbsawovCy7Xzgt-UaxW5boUfHgUD_wnAyXTnXQpWc_Togb4vsRhlV-M5taPcaOaC-3RKDnD6ILnzktkbCMen8A
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 11 2016
I removed one of the tail calls:
===== test.js =====
function h(global) {
  return global.boom();
}

function f() {
  var o = {};
  o.__defineGetter__('prop1', function g() { var r = h({}); return r; });
  o.__defineGetter__('prop2', function g() { return h({}); });
  o.prop1;
  // o.prop2;
}

f();
===== end of test.js =====
out/x64.debug/d8 test1.js --turbo --always-opt --harmony-tailcalls --predictable --code-comments --trace-turbo-inlining --no-crankshaft --trace-deopt --turbo-filter=g --print-opt-code
There are two problems here:
Problem 1 (prop1):
1) The call to h was inlined into g.
2) The call to boom in h was generated using the TailCall instruction (probably because TurboFan figured out that "var r = h({}); return r;" is the same as "return h({});").
3) The TailCall instruction pops the frame of g, and therefore the boom function will see neither h nor g in the stack trace.
4) And because of 2) we also have problem 2 here.
Problem 2 (prop2):
1) The call to h was inlined into g.
2) g was called from C++ via an ENTRY frame (with a null context).
3) The call to boom is generated using the TailCall instruction of a Call builtin.
4) The builtin quickly figures out that the receiver is undefined and jumps to the runtime to throw "called non callable".
5) The runtime function crashes in an attempt to load from the null context.
The TailCall was not fully correct there: the parallel move between kArchPrepareTailCall and kArchTailCallCodeObject generated a context load using fp-relative addressing.
For some reason we don't have this problem on ia32.
====== x64 ======
0x18440150afa0 0 55 push rbp
0x18440150afa1 1 4889e5 REX.W movq rbp,rsp
0x18440150afa4 4 56 push rsi
0x18440150afa5 5 57 push rdi
0x18440150afa6 6 4883ec08 REX.W subq rsp,0x8
-- B0 start (no frame) --
0x18440150afaa 10 493ba5880a0000 REX.W cmpq rsp,[r13+0xa88]
0x18440150afb1 17 0f867c000000 jna 147 (0x18440150b033)
-- B2 start (no frame) --
-- B3 start (no frame) --
0x18440150afb7 23 33db xorl rbx,rbx
0x18440150afb9 25 498b8db8000000 REX.W movq rcx,[r13+0xb8]
0x18440150afc0 32 48ba000000000d000000 REX.W movq rdx,0xd00000000
0x18440150afca 42 488b45f0 REX.W movq rax,[rbp-0x10]
0x18440150afce 46 488b75f8 REX.W movq rsi,[rbp-0x8]
-- test1.js:47:54 --
0x18440150afd2 50 e88959f3ff call 0x184401440960 ;; debug: position 1085
;; code: STUB, FastCloneShallowObjectStub, minor: 0
0x18440150afd7 55 488945e8 REX.W movq [rbp-0x18],rax
0x18440150afdb 59 48b84943ee6cea240000 REX.W movq rax,0x24ea6cee4349 ;; object: 0x24ea6cee4349 <JS Function h (SharedFunctionInfo 0x24ea6cee34d1)>
0x18440150afe5 69 488b401f REX.W movq rax,[rax+0x1f]
0x18440150afe9 73 488b5857 REX.W movq rbx,[rax+0x57]
0x18440150afed 77 48b9b932ee6cea240000 REX.W movq rcx,0x24ea6cee32b9 ;; object: 0x24ea6cee32b9 <String[4]: boom>
0x18440150aff7 87 48b80000000003000000 REX.W movq rax,0x300000000
0x18440150b001 97 488b55e8 REX.W movq rdx,[rbp-0x18]
0x18440150b005 101 488b75f8 REX.W movq rsi,[rbp-0x8]
0x18440150b009 105 488bfe REX.W movq rdi,rsi
0x18440150b00c 108 e88ffdffff call 0x18440150ada0 ;; code: contextual, LOAD_IC, GENERIC
[ kArchPrepareTailCall
0x18440150b011 113 488b6d00 REX.W movq rbp,[rbp+0x0] ;; <== pop current frame
]
0x18440150b015 117 488bf8 REX.W movq rdi,rax
0x18440150b018 120 33c0 xorl rax,rax
0x18440150b01a 122 4c8b1424 REX.W movq r10,[rsp]
0x18440150b01e 126 4c89542428 REX.W movq [rsp+0x28],r10
0x18440150b023 131 488b75f8 REX.W movq rsi,[rbp-0x8] ;; <== this is now a load of a context from parent frame
0x18440150b027 135 488bd8 REX.W movq rbx,rax
[ kArchTailCallCodeObject
0x18440150b02a 138 4883c420 REX.W addq rsp,0x20
0x18440150b02e 142 e9ada2f0ff jmp Call_ReceiverIsNotNullOrUndefined (0x1844014152e0) ;; code: BUILTIN
]
-- B4 start (no frame) --
-- B1 start (deferred) (no frame) --
0x18440150b033 147 48bbf067690100000000 REX.W movq rbx,0x16967f0
0x18440150b03d 157 33c0 xorl rax,rax
0x18440150b03f 159 488b75f8 REX.W movq rsi,[rbp-0x8]
0x18440150b043 163 488bd0 REX.W movq rdx,rax
-- test1.js:47:40 --
0x18440150b046 166 e875e5efff call 0x1844014095c0 ;; debug: position 1071
;; code: STUB, CEntryStub, minor: 4
0x18440150b04b 171 e967ffffff jmp 23 (0x18440150afb7)
====== ia32 ======
0x4ce3e7c0 0 55 push ebp
0x4ce3e7c1 1 89e5 mov ebp,esp
0x4ce3e7c3 3 56 push esi
0x4ce3e7c4 4 57 push edi
0x4ce3e7c5 5 83ec04 sub esp,0x4
-- B0 start (no frame) --
0x4ce3e7c8 8 3b25c80a1d0a cmp esp,[0xa1d0ac8]
0x4ce3e7ce 14 0f8658000000 jna 108 (0x4ce3e82c)
-- B2 start (no frame) --
-- B3 start (no frame) --
0x4ce3e7d4 20 33db xor ebx,ebx
0x4ce3e7d6 22 b99d80504e mov ecx,0x4e50809d ;; object: 0x4e50809d <FixedArray[0]>
0x4ce3e7db 27 ba1a000000 mov edx,0x1a
0x4ce3e7e0 32 8b45f8 mov eax,[ebp-0x8]
0x4ce3e7e3 35 8b75fc mov esi,[ebp-0x4]
-- test1.js:47:54 --
0x4ce3e7e6 38 e8757affff call 0x4ce36260 ;; debug: position 1085
;; code: STUB, FastCloneShallowObjectStub, minor: 0
0x4ce3e7eb 43 8945f4 mov [ebp-0xc],eax
0x4ce3e7ee 46 b84d74584e mov eax,0x4e58744d ;; object: 0x4e58744d <JS Function h (SharedFunctionInfo 0x4e586bd9)>
0x4ce3e7f3 51 8b400f mov eax,[eax+0xf]
0x4ce3e7f6 54 8b582b mov ebx,[eax+0x2b]
0x4ce3e7f9 57 b9a96a584e mov ecx,0x4e586aa9 ;; object: 0x4e586aa9 <String[4]: boom>
0x4ce3e7fe 62 b806000000 mov eax,0x6
0x4ce3e803 67 8b55f4 mov edx,[ebp-0xc]
0x4ce3e806 70 8b75fc mov esi,[ebp-0x4]
0x4ce3e809 73 89f7 mov edi,esi
0x4ce3e80b 75 e8d0fdffff call 0x4ce3e5e0 ;; code: contextual, LOAD_IC, GENERIC
[ kArchPrepareTailCall
0x4ce3e810 80 8b6d00 mov ebp,[ebp+0x0] ;; <== pop current frame
]
0x4ce3e813 83 89c7 mov edi,eax
0x4ce3e815 85 33c0 xor eax,eax
0x4ce3e817 87 ff3424 push [esp]
0x4ce3e81a 90 8f442414 pop [esp+0x14]
0x4ce3e81e 94 8b742408 mov esi,[esp+0x8] ;; <== here we use sp-relative addressing and restore proper context
0x4ce3e822 98 89c1 mov ecx,eax
[ kArchTailCallCodeObject
0x4ce3e824 100 83c410 add esp,0x10
0x4ce3e827 103 e97470fdff jmp Call_ReceiverIsNotNullOrUndefined (0x4ce158a0) ;; code: BUILTIN
]
-- B4 start (no frame) --
-- B1 start (deferred) (no frame) --
0x4ce3e82c 108 bb10343509 mov ebx,0x9353410
0x4ce3e831 113 33c0 xor eax,eax
0x4ce3e833 115 8b75fc mov esi,[ebp-0x4]
0x4ce3e836 118 89c1 mov ecx,eax
-- test1.js:47:40 --
0x4ce3e838 120 e8a3cffcff call 0x4ce0b7e0 ;; debug: position 1071
;; code: STUB, CEntryStub, minor: 4
0x4ce3e83d 125 eb95 jmp 20 (0x4ce3e7d4)
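The following is an added example (not code from the bug report or from V8) that turns the stack-trace observation in Problem 1 above into a check: it reproduces the prop1 and prop2 getter shapes, makes the callee ("boom") record which caller frames it can still see, and asserts that the non-tail-call caller g1 is never dropped from the stack. It assumes a V8-based engine (node or d8), because it relies on V8's Error.prepareStackTrace hook and CallSite.getFunctionName(); the names g1, g2, runCheck and checkProblem1 are this example's own.

```javascript
"use strict";
// Added example, not code from the bug report. Assumption: V8-based engine
// (node/d8), since Error.prepareStackTrace and CallSite.getFunctionName() are
// V8-specific.

// Return the names of the JS functions currently on the stack, innermost first.
function visibleFrames() {
  const saved = Error.prepareStackTrace;
  Error.prepareStackTrace = (_err, sites) => sites.map((s) => s.getFunctionName());
  try {
    return new Error().stack; // with the hook installed, .stack is the array of names
  } finally {
    Error.prepareStackTrace = saved;
  }
}

// Same shape as h in the report: a spec-level tail call in strict mode.
function h(global) {
  return global.boom();
}

// prop1 shape: the result is stored before returning, so this is NOT a tail
// call and g1's frame must still exist when boom runs (this is what Problem 1
// above says TurboFan got wrong by emitting a TailCall anyway).
function g1() {
  var r = h({ boom: visibleFrames });
  return r;
}

// prop2 shape: a genuine tail call. An engine with proper tail calls may
// legitimately replace both g2 and h with boom's frame, so nothing about g2's
// visibility is guaranteed by the spec.
function g2() {
  return h({ boom: visibleFrames });
}

// Install the getter the way the report does and trigger it through a property
// load, then summarize which callers boom could see.
function runCheck(getter) {
  const o = {};
  o.__defineGetter__("prop", getter);
  const frames = o.prop;
  return {
    frames,
    gVisible: frames.includes(getter.name),
    hVisible: frames.includes("h"),
  };
}

// Regression-style check for Problem 1: losing g1 from the stack is a bug even
// on an engine that implements proper tail calls.
function checkProblem1() {
  return runCheck(g1).gVisible;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("prop1 frames:", runCheck(g1).frames);
  console.log("prop2 frames:", runCheck(g2).frames);
  console.log("g survives in the non-tail-call case:", checkProblem1());
}
```

On an engine without proper tail calls (every shipping V8 today) both h and g are visible in both cases; the only assertion that holds regardless of tail-call support is that g1 survives, which is exactly the property the prop1 case violated.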
Mar 11 2016
I'm sorry, the repro case in #3 is missing "use strict".
Mar 15 2016
Fixed by https://codereview.chromium.org/1781393002/.
Mar 15 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jarin@chromium.org, Mar 9 2016
Owner: ishell@chromium.org
Status: Assigned (was: Available)
Looks like some interplay between inlining and tail calls. Small repro (with --turbo --always-opt --harmony-tailcalls):
"use strict";
function f() {
  Object.__defineGetter__('defineProperty', function() { return __f_4({}); });
  Object.defineProperty;
}
f();
function __f_4(global) { return global.__f_6(); }