New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 617227 link

Starred by 1 user
Status: WontFix
Owner:
jochen@chromium.org
Closed: Jun 2016
Cc:
machenb...@chromium.org
kcc@chromium.org
bmeu...@chromium.org
krasin@chromium.org
p...@chromium.org
u...@chromium.org
verwa...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Blocking:
issue 616870



Sign in to add a comment

member call on null pointer during mksnapshot

Project Member Reported by krasin@chromium.org, Jun 3 2016 
Version: tip
OS: Linux x86-64

What steps will reproduce the problem?
(1) Get a fresh checkout and configure the build with:
gn gen //out/gn-vptr-null '--args=is_ubsan_vptr=true is_ubsan_no_recover=true is_ubsan_null=true is_debug=false is_component_build=false symbol_level=1 dcheck_always_on=true' --check

(2) Build extensions_browsertests
ninja -C out/gn-vptr-null extensions_browsertests

What is the expected output?
Build succeeds

What do you see instead?

Build fails with the following error:

[3/6870] ACTION //v8:run_mksnapshot(//build/toolchain/linux:clang_x64)
FAILED: gen/v8/snapshot.cc snapshot_blob.bin
python ../../v8/tools/run.py ./mksnapshot --startup_src gen/v8/snapshot.cc --random-seed 314159265 --startup_blob snapshot_blob.bin
../../v8/src/date.cc:27:15: runtime error: member call on null pointer of type 'v8::internal::Smi'
    #0 0xa6201d in v8::internal::DateCache::ResetDateCache() out/gn-vptr/../../v8/src/date.cc:27:15
    #1 0xccb24d in v8::internal::Isolate::Init(v8::internal::Deserializer*) out/gn-vptr/../../v8/src/isolate.cc:2232:21
    #2 0x43d93d in v8::V8::CreateSnapshotDataBlob(char const*) out/gn-vptr/../../v8/src/api.cc:451:23
    #3 0x430b58 in main out/gn-vptr/../../v8/src/snapshot/mksnapshot.cc:164:24
    #4 0x7f42b4d08f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc2.19/csu/libc-start.c:287
    #5 0x416ad0 in _start (/usr/local/google/home/krasin/chr22/src/out/gn-vptr/mksnapshot+0x416ad0)

What happens here is that v8::internal::DataCache::stamp_ is null and there's an access to it:
https://cs.chromium.org/chromium/src/v8/src/date.cc?q=src/date.cc:27&sq=package:chromium&l=27

void DateCache::ResetDateCache() {
  static const int kMaxStamp = Smi::kMaxValue;
  if (stamp_->value() >= kMaxStamp) { <=== null ptr access here
    stamp_ = Smi::FromInt(0);
  } else {
    stamp_ = Smi::FromInt(stamp_->value() + 1);
  }
  ....

This field is initialized as 0:
https://cs.chromium.org/chromium/src/v8/src/date.h?sq=package:chromium&rcl=1464952570&l=42

DateCache() : stamp_(0), tz_cache_(base::OS::CreateTimezoneCache()) {
  ResetDateCache();
}

which happens to be NULL. Dereferencing a null pointer is an undefined behavior in C++.
Please, fix.

Comment 1 by hablich@chromium.org, Jun 6 2016

Cc: machenb...@chromium.org
Labels: Proj-GN-Migration
Status: Assigned (was: Untriaged)

Comment 2 by jochen@chromium.org, Jun 6 2016

Status: WontFix (was: Assigned)
For better or worse, this is expected. V8 completely ignores the C++ requirements for object lifetime cycles, and there's not much we can do about this short of rewriting the entire project.

Comment 3 by krasin@chromium.org, Jun 6 2016 

This sounds rather dangerous, as the compiler is free to generate the code that will break V8.

But I guess it's really up to the V8 team to decide the importance of the issue.

Comment 4 by krasin@chromium.org, Jun 6 2016

Blocking: 616870

Sign in to add a comment