Crash in v8::internal::NewSpace::Verify
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6096882665521152
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::NewSpace::Verify
  v8::internal::Heap::Verify
  v8::internal::Heap::GarbageCollectionPrologue
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_dbg&range=36804:36805
Minimized Testcase (10.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96IaZAyjCWq861CqiG_InpHcG92amjKFfazH8i7w2o0oHk_fAFzN3pY6NaJhUsMv99eBdRIj-4r6f8L06RyVH-AcSQraNzhk4Ocp706xScf_oYnbBbC1yDBlSBcafDOdfwD2uho3-iUh6fnoHafjrS4k9Dxlw?testcase_id=6096882665521152
Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 21 2016
--no-use-allocation-folding fixes the issue. It's probably related to issue 619406 as it also crashes during newspace verification.
Jun 29 2016
It actually bisects to a recent crankshaft change https://chromium.googlesource.com/v8/v8/+/f576e29c475d104d93176042d2a79066ad8f638c%5E%21 Benedikt, can you have a look?
Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6096882665521152
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::NewSpace::Verify
  v8::internal::Heap::Verify
  v8::internal::Heap::GarbageCollectionPrologue
Regressed: V8: r36804:36805
Minimized Testcase (10.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96IaZAyjCWq861CqiG_InpHcG92amjKFfazH8i7w2o0oHk_fAFzN3pY6NaJhUsMv99eBdRIj-4r6f8L06RyVH-AcSQraNzhk4Ocp706xScf_oYnbBbC1yDBlSBcafDOdfwD2uho3-iUh6fnoHafjrS4k9Dxlw?testcase_id=6096882665521152

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 12 2016
Cannot reproduce this one. Trying to let Clusterfuzz come up with a minimized repro case. My guess is that the change exposes a bug in the allocation logic in Crankshaft, because clearing the kAllowUndefinedAsNaN itself is not related to the GC. From the crash info on clusterfuzz it looks like the map word is Smi zero.
Aug 16 2016
Jaro, can you take a look?
Aug 31 2016
It's a bug in Crankshaft's new allocation folding algorithm. I'm going to disable the broken part.
Aug 31 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/7b79224b21a23dfcd44b820c51d9f094b943b862

commit 7b79224b21a23dfcd44b820c51d9f094b943b862
Author: bmeurer <bmeurer@chromium.org>
Date: Wed Aug 31 09:48:00 2016

[crankshaft] Disable further folding already folded allocations.

When we try to further fold previously folded allocations in Crankshaft GVN we don't properly transform the allocations involved, which causes the mechanism to leave holes in the new/old space (and thereby violate the iterability property of the new/old space).

BUG= chromium:621868
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2297983003
Cr-Commit-Position: refs/heads/master@{#39040}

[modify] https://crrev.com/7b79224b21a23dfcd44b820c51d9f094b943b862/src/crankshaft/hydrogen-instructions.cc
[modify] https://crrev.com/7b79224b21a23dfcd44b820c51d9f094b943b862/src/crankshaft/hydrogen-instructions.h
[add] https://crrev.com/7b79224b21a23dfcd44b820c51d9f094b943b862/test/mjsunit/regress/regress-crbug-621868.js
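A toy model, added here and not V8's code or the regression test above, of why the heap verifier catches this class of bug: a bump-pointer space whose iterability walk requires every object in the allocated range to carry a non-zero map word, with a correctly folded allocation beside a re-folded one whose last object is never written into the enlarged reservation. The layout, sizes and map values are constructed; the actual Crankshaft GVN transformation is not modelled.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy bump-pointer "new space" (constructed model, not V8 code). Each object is
// [map word, size-in-words, payload...]. Like V8's NewSpace::Verify, Verify()
// walks from the space start to the allocation top one object at a time, so a
// zero map word inside the allocated range is a hole and fails the walk.
struct ToySpace {
  std::vector<uintptr_t> words;
  size_t top = 0;
  explicit ToySpace(size_t capacity) : words(capacity, 0) {}
  size_t Reserve(size_t size) { size_t at = top; top += size; return at; }
  void Fill(size_t at, uintptr_t map, size_t size) {
    words[at] = map;       // map word; 0 (Smi zero) means never initialised
    words[at + 1] = size;  // object size, consumed by the walk below
  }
  bool Verify() const {
    size_t p = 0;
    while (p < top) {
      if (words[p] == 0) return false;  // hole: no object starts here
      p += words[p + 1];
    }
    return p == top;  // the walk must land exactly on top
  }
};

// Folding done once: one reservation for A and B, both written in place.
bool FoldedOnceVerifies() {
  ToySpace space(64);
  const size_t kA = 4, kB = 6;
  size_t a = space.Reserve(kA + kB);
  space.Fill(a, /*map=*/0x11, kA);
  space.Fill(a + kA, /*map=*/0x22, kB);
  return space.Verify();  // true
}

// Modelled failure from the commit message: the already folded (A,B) block is
// folded again with C, so the reservation grows by kC, but C is never laid out
// into the enlarged block. The tail stays zero-filled, the walk reaches a zero
// map word after B, and Verify fails, matching the crash state in the report.
bool RefoldedWithoutRelayoutVerifies() {
  ToySpace space(64);
  const size_t kA = 4, kB = 6, kC = 5;
  size_t a = space.Reserve(kA + kB + kC);
  space.Fill(a, /*map=*/0x11, kA);
  space.Fill(a + kA, /*map=*/0x22, kB);
  // C's Fill is missing: its offset was never re-derived for the new block.
  return space.Verify();  // false
}
```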
Sep 1 2016
ClusterFuzz has detected this issue as fixed in range 39039:39040.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6096882665521152
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::NewSpace::Verify
  v8::internal::Heap::Verify
  v8::internal::Heap::GarbageCollectionPrologue
Regressed: V8: r36804:36805
Fixed: V8: r39039:39040
Minimized Testcase (10.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94WF6iEyBvdDo53Chd5v9n2Yhu2joWqQBaZEFeTbiXpN6yPkCYtoq1FpkI4OYWJQJCV6eFmJj3WYe7owZowTXoPBAQkvdw3lcOdm9Z2-mqkovj6SZLz6mN9xjsUxOrU9-zwV4uAHxCfBaQmeRNkWPAbWe6RAA?testcase_id=6096882665521152

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 14 2016
I suspect that this is causing hard-to-diagnose crashes in the wild. Please back-merge to V8 5.4. Data point: certain patterns of "Invoke" crashes disappear entirely or become much less frequent after 2845, which is where the above fix (#8) landed, e.g.: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.url.simplified%3D%27https%3A%2F%2Fwww.tradingview.com%2F*%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3Ainternal%3A%3A%60anonymous%20namespace%5C%27%3A%3AInvoke%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion:1000
Oct 14 2016
[Automated comment] Less than 2 weeks to go before stable on M54, manual review required.
Oct 18 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/554050f11100718cf70d6627f6f06c5249c89048

commit 554050f11100718cf70d6627f6f06c5249c89048
Author: Benedikt Meurer <bmeurer@google.com>
Date: Tue Oct 18 04:10:35 2016

Merged: [crankshaft] Disable further folding already folded allocations.

Revision: 7b79224b21a23dfcd44b820c51d9f094b943b862

BUG= chromium:621868
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org

Review URL: https://codereview.chromium.org/2424333002 .
Cr-Commit-Position: refs/branch-heads/5.4@{#63}
Cr-Branched-From: 5ce282769772d94937eb2cb88eb419a6890c8b2d-refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}

[modify] https://crrev.com/554050f11100718cf70d6627f6f06c5249c89048/src/crankshaft/hydrogen-instructions.cc
[modify] https://crrev.com/554050f11100718cf70d6627f6f06c5249c89048/src/crankshaft/hydrogen-instructions.h
[add] https://crrev.com/554050f11100718cf70d6627f6f06c5249c89048/test/mjsunit/regress/regress-crbug-621868.js
Oct 20 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 20 2016
Merge done, see #15.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Jun 21 2016
Status: Assigned (was: Available)