
Issue 616064


Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug




Crash in v8::internal::interpreter::BytecodeRegisterOptimizer::OutputRegisterTransfer

Project Member Reported by ClusterFuzz, May 31 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6558126912569344

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::OutputRegisterTransfer
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
  v8::internal::interpreter::BytecodeArrayBuilder::OutputScaled
  
Regressed: V8: r36550:36551

Minimized Testcase (7.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv978YUUtUUhRTeb2VsTNfgP2lzaDCRUTt-vZ6D5zGCPjGxJ6aJG2RO9BRr5TUqj3wuBWd_qEnhu_8Cv5b5ZR01fLc8XNs0bguLMnlMtupDGPMIYLVCONLF1hmuNwIBtGxR8XKJlu8-K7LEIeOMvUcsdvJ_bKig

Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, May 31 2016

Components: Tools>Test>FindIt>NoResult
Labels: Te-Logged M-53
Owner: oth@chromium.org
Status: Assigned (was: Available)
Regression range points to 5e8f8d4e8c36536167e36ea242b9d17e2edeaa48. Reproduces as follows on tip-of-tree ...

$ git checkout 60afed46a0b2ed5b1581aeda6450822a7898a8a4
$ make -j1000 x64.debug
$ ./out/x64.debug/d8 --ignition boom.js
$ cat boom.js 

if (this.Worker) {
  function __f_0() { this.s = new Object(); }
  function __f_1() {
    this.l = __f_0;
  }
  with ( 'source'   , Object     ) throw function __f_0(__f_0) { return Worker.__f_0(-2147483648, __f_0); } ;      
  var __v_9 = new Worker('');
  __f_1 = {s: Math.s, __f_1: true};
}
Owner: rmcilroy@chromium.org
Status: Started (was: Assigned)
Thanks Michael. Orion is out this week so I'll take this.
Issue 615840 has been merged into this issue.

Comment 5 by sheriffbot@chromium.org, Jun 1 2016

Labels: OS-Windows Fracas OS-Mac
Users experienced this crash on the following builds:

Win Canary 53.0.2753.0 -  1.10 CPM, 46 reports, 9 clients (signature v8::internal::interpreter::BytecodeRegisterOptimizer::OutputRegisterTransfer)
Mac Canary 53.0.2753.0 -  1.07 CPM, 4 reports, 4 clients (signature v8::internal::interpreter::BytecodeRegisterOptimizer::OutputRegisterTransfer)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
This is due to the dead-code elimination happening in the bytecode-array-builder before it reaches any of the optimization stages. We eliminate some code which stores a value into a register, but then start a new basic block (due to a label bind for a hole check). This basic block is actually also dead, although our dead-code elimination only works within a basic block, so we start emitting code again. The new code tries to load from the register, however since we never emitted code to store into that register, this causes a crash in the register optimizer.

The correct fix is to move the dead-code elimination until after the other optimization stages. The problem with this is that we can't easily do it unless we also move the jump patching to the final bytecode writer stage (which we really should have done originally but deferred).

I'll upload a CL to remove the dead-code elimination which should fix this patch, but adding it back will require refactoring how we emit jumps.
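As an added illustration of the interaction described in the comment above, the following is a toy C++ model written for this page; it is not V8's code and not part of this thread. The builder drops bytecodes after a block-terminating Throw until a label is bound, and the downstream register optimizer only knows about registers whose store it actually saw. The class, opcode and function names (ToyBuilder, ToyRegisterOptimizer, RunPipeline, Star/Ldar/Throw/Return) are assumptions made for the model, and the optimizer reports the missing-store condition instead of dereferencing a null entry as the real one did.

```cpp
// Added example, not V8's code: a toy model of the builder / register
// optimizer pipeline from comment 6. Names are assumptions for the model.
#include <cstdio>
#include <map>
#include <vector>

// Hypothetical simplified bytecodes (assumed names).
enum class Op { Star, Ldar, Throw, Return };

struct Bytecode {
  Op op;
  int reg;  // register operand for Star/Ldar, unused otherwise
};

// Hypothetical register optimizer: it tracks which registers hold a
// materialized value. A load from a register with no recorded store is the
// inconsistent state behind the null read in the report; here it is reported
// rather than dereferenced.
class ToyRegisterOptimizer {
 public:
  // Returns false when asked to transfer from a register it never saw stored.
  bool Write(const Bytecode& bc) {
    switch (bc.op) {
      case Op::Star:
        materialized_[bc.reg] = true;
        return true;
      case Op::Ldar:
        if (materialized_.find(bc.reg) == materialized_.end()) {
          inconsistent_loads_++;
          return false;  // V8's optimizer had a null entry at this point
        }
        return true;
      default:
        return true;
    }
  }
  int inconsistent_loads() const { return inconsistent_loads_; }

 private:
  std::map<int, bool> materialized_;
  int inconsistent_loads_ = 0;
};

// Hypothetical builder with per-basic-block dead-code elimination in front of
// the optimizer, which is the arrangement the comment describes as the bug.
class ToyBuilder {
 public:
  explicit ToyBuilder(bool eliminate_dead_code)
      : eliminate_dead_code_(eliminate_dead_code) {}

  void Emit(const Bytecode& bc) {
    if (eliminate_dead_code_ && exit_seen_in_block_) return;  // dropped
    emitted_.push_back(bc);
    if (!optimizer_.Write(bc)) ok_ = false;
    if (bc.op == Op::Throw || bc.op == Op::Return) exit_seen_in_block_ = true;
  }
  // Binding a label starts a new basic block, even one nothing can reach,
  // so the builder resumes emitting after it.
  void Bind() { exit_seen_in_block_ = false; }
  bool ok() const { return ok_; }
  size_t emitted_count() const { return emitted_.size(); }

 private:
  bool eliminate_dead_code_;
  bool exit_seen_in_block_ = false;
  bool ok_ = true;
  std::vector<Bytecode> emitted_;
  ToyRegisterOptimizer optimizer_;
};

// The shape of the test case: a throw, then a dead store into r1 in the same
// block, then a label bind (the hole check) starting a new dead block that
// loads r1. Returns true when the optimizer stayed consistent.
bool RunPipeline(bool eliminate_dead_code) {
  ToyBuilder b(eliminate_dead_code);
  b.Emit({Op::Throw, 0});
  b.Emit({Op::Star, 1});  // dead store: eliminated when DCE is on
  b.Bind();               // new basic block, also unreachable
  b.Emit({Op::Ldar, 1});  // dead load: emitted anyway, DCE is per-block
  b.Emit({Op::Return, 0});
  return b.ok();
}

int main() {
  std::printf("DCE in builder:  %s\n", RunPipeline(true) ? "ok" : "inconsistent load");
  std::printf("DCE removed:     %s\n", RunPipeline(false) ? "ok" : "inconsistent load");
  return 0;
}
```

With dead-code elimination in the builder, the store is dropped but the load survives, and the optimizer is handed a transfer from a register it never saw written; with the elimination removed (the first fix landed below), every store reaches the optimizer and the load is consistent, at the cost of emitting dead bytecode.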

Comment 7 by bugdroid1@chromium.org, Jun 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33

commit 2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33
Author: rmcilroy <rmcilroy@chromium.org>
Date: Wed Jun 01 22:54:35 2016

[Interpreter] Don't try to eliminate dead-code in bytecode-array-builder

Eliminating dead code in the bytecode array builder doesn't play nice
with the register elimination optimizer. We should move it to its own
stage in the optimization pipeline, however doing so would require
refactoring of how we deal with jumps, so for now just remove the dead
code elimination optimization.

BUG= chromium:616064 

Review-Url: https://codereview.chromium.org/2030583002
Cr-Commit-Position: refs/heads/master@{#36660}

[modify] https://crrev.com/2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33/src/interpreter/bytecode-array-builder.cc
[modify] https://crrev.com/2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33/src/interpreter/bytecode-array-builder.h
[modify] https://crrev.com/2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33/src/interpreter/bytecode-peephole-optimizer.h
[modify] https://crrev.com/2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33/src/interpreter/bytecode-register-optimizer.cc
[modify] https://crrev.com/2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33/src/interpreter/bytecode-register-optimizer.h
[modify] https://crrev.com/2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33/test/cctest/interpreter/bytecode_expectations/ContextVariables.golden
[modify] https://crrev.com/2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33/test/cctest/interpreter/bytecode_expectations/IfConditions.golden
[modify] https://crrev.com/2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33/test/cctest/interpreter/bytecode_expectations/Throw.golden
[modify] https://crrev.com/2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33/test/cctest/interpreter/bytecode_expectations/TryCatch.golden
[modify] https://crrev.com/2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33/test/cctest/interpreter/bytecode_expectations/WithStatement.golden
[add] https://crrev.com/2fd3f9d69b20b1a6fb4fcaae213560380fd8ef33/test/mjsunit/ignition/regress-616064.js

Status: Fixed (was: Started)
Issue 615773 has been merged into this issue.

Comment 10 by ClusterFuzz, Jun 2 2016

ClusterFuzz has detected this issue as fixed in range 36659:36660.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6558126912569344

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::OutputRegisterTransfer
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
  v8::internal::interpreter::BytecodeArrayBuilder::OutputScaled
  
Regressed: V8: r36550:36551
Fixed: V8: r36659:36660

Minimized Testcase (7.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv978YUUtUUhRTeb2VsTNfgP2lzaDCRUTt-vZ6D5zGCPjGxJ6aJG2RO9BRr5TUqj3wuBWd_qEnhu_8Cv5b5ZR01fLc8XNs0bguLMnlMtupDGPMIYLVCONLF1hmuNwIBtGxR8XKJlu8-K7LEIeOMvUcsdvJ_bKig

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 11 by bugdroid1@chromium.org, Jun 3 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/de9d1d8bc6a79e9f488c606f302527f1c2a34a69

commit de9d1d8bc6a79e9f488c606f302527f1c2a34a69
Author: rmcilroy <rmcilroy@chromium.org>
Date: Fri Jun 03 14:52:59 2016

[Interpreter] Move jump processing to bytecode array writer.

This moves processing of jumps out of bytecode array builder and into
bytecode array writer. This simplifies the pipeline by avoiding having
to flush for offset and patch up offsets in bytecode array builder based
on what was emitted by the bytecode array writer.

This also enables future refactorings to add dead code elimination back
into the pipeline, and move processing of scalable operand sizes to the
end of the pipeline (in the bytecode array writer) rather than having to
deal with scalable operand types throughout the pipeline.

BUG= v8:4280 , chromium:616064 

Review-Url: https://codereview.chromium.org/2035813002
Cr-Commit-Position: refs/heads/master@{#36716}

[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/BUILD.gn
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/bytecode-array-builder.cc
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/bytecode-array-builder.h
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/bytecode-array-writer.cc
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/bytecode-array-writer.h
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/bytecode-generator.cc
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/bytecode-generator.h
[add] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/bytecode-label.h
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/bytecode-peephole-optimizer.cc
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/bytecode-peephole-optimizer.h
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/bytecode-pipeline.h
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/bytecode-register-optimizer.cc
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/bytecode-register-optimizer.h
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/interpreter/control-flow-builders.h
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/src/v8.gyp
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/test/cctest/interpreter/test-interpreter.cc
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/test/unittests/interpreter/bytecode-array-builder-unittest.cc
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/test/unittests/interpreter/bytecode-array-writer-unittest.cc
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/test/unittests/interpreter/bytecode-peephole-optimizer-unittest.cc
[modify] https://crrev.com/de9d1d8bc6a79e9f488c606f302527f1c2a34a69/test/unittests/interpreter/bytecode-register-optimizer-unittest.cc


Comment 12 by bugdroid1@chromium.org, Jun 21 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/76368d085432aa2a919eadfe2ea01be2be50eb07

commit 76368d085432aa2a919eadfe2ea01be2be50eb07
Author: rmcilroy <rmcilroy@chromium.org>
Date: Tue Jun 21 15:26:50 2016

[Interpreter] Add a simple dead-code elimination bytecode optimizer.

Adds back simple dead code elimination to the bytecode pipeline.

BUG= v8:4280 , chromium:616064 

Review-Url: https://codereview.chromium.org/2038083002
Cr-Commit-Position: refs/heads/master@{#37147}

[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/BUILD.gn
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/src/flag-definitions.h
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/src/interpreter/bytecode-array-builder.cc
[add] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/src/interpreter/bytecode-dead-code-optimizer.cc
[add] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/src/interpreter/bytecode-dead-code-optimizer.h
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/src/v8.gyp
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/test/cctest/interpreter/bytecode_expectations/ContextVariables.golden
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/test/cctest/interpreter/bytecode_expectations/DoExpression.golden
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/test/cctest/interpreter/bytecode_expectations/IfConditions.golden
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/test/cctest/interpreter/bytecode_expectations/Throw.golden
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/test/cctest/interpreter/bytecode_expectations/TryCatch.golden
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/test/cctest/interpreter/bytecode_expectations/WithStatement.golden
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/test/cctest/interpreter/test-interpreter.cc
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/test/cctest/interpreter/test-source-positions.cc
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/test/unittests/BUILD.gn
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/test/unittests/interpreter/bytecode-array-builder-unittest.cc
[add] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/test/unittests/interpreter/bytecode-dead-code-optimizer-unittest.cc
[modify] https://crrev.com/76368d085432aa2a919eadfe2ea01be2be50eb07/test/unittests/unittests.gyp

Components: -Tools>Test>FindIt>NoResult

Comment 14 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
