Stack-overflow in v8::internal::Invoke

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5788147842809856
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7ffe78ae2638
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::Object::GetPropertyWithDefinedGetter
Regressed: V8: r39438:39439
Minimized Testcase (0.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96IMgleruTXg60QQ8MNakHANRoa9PJp_D05M_yAc643Muh6S_TrXHEEPLT84BVYxi36sO_MxPyBefcEyDl4RLHG8hC-uQmOrHqJxtHG9inpEEK-LKQLsUidwZcKqtRGMFzdrvFOWFkvyzDmtq0o3EMVbSvyTQ?testcase_id=5788147842809856
Issue manually filed by: rossberg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Oct 24 2016
Seems to be related to inlining a function that contains a tail-call. The following is the reduction I am currently working with ...
    // Copyright 2016 the V8 project authors. All rights reserved.
    // Use of this source code is governed by a BSD-style license that can be
    // found in the LICENSE file.

    // Flags: --expose-gc --harmony-tailcalls --ignition-staging --turbo --always-opt

    // Strict-mode function whose return is a tail call into the Reflect.set builtin.
    function f1(o, extra) {
      "use strict";
      return Reflect.set(o);
    }

    function g() {
      gc();
      var p = new Proxy({}, {});
      // Getter that re-enters f1 whenever p.x is read.
      function f2() { return f1(p) }
      p.__defineGetter__("x", f2);
      p.x;
    }

    g();
    g();
,
Oct 24 2016
Unrelated to inlining. This is the further reduced repro ...
    // Copyright 2016 the V8 project authors. All rights reserved.
    // Use of this source code is governed by a BSD-style license that can be
    // found in the LICENSE file.

    // Flags: --allow-natives-syntax --harmony-tailcalls --ignition-staging --turbo

    // Strict-mode function whose return is a tail call into the Reflect.set builtin.
    function f(o, extra) {
      "use strict";
      return Reflect.set({});
    }

    function g() {
      // Not a tail call: the result of f() is consumed, so h keeps its own frame.
      function h() { return f() + 1 }
      h();
    }

    g();
    // Force TurboFan to compile f before the second run.
    %OptimizeFunctionOnNextCall(f);
    g();
,
Oct 25 2016
This was introduced by 6d51bab3d227bdc1d0910776fcd5b3f72948da02 originally. I have another repro which doesn't require Ignition at all where the tail call within {f} causes the stack-pointer to be bumped by one slot on every call due to an off-by-one. Ignition is just really good at discovering that the stack-pointer is off and flushes this out. Will cook up a fix tomorrow.
,
Oct 26 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/2ab2ec224324d0a9e59e100d53a55394dc57ea12

commit 2ab2ec224324d0a9e59e100d53a55394dc57ea12
Author: mstarzinger <mstarzinger@chromium.org>
Date: Wed Oct 26 12:48:42 2016

[turbofan] Disable bogus lowering of builtin tail-calls.

The TurboFan backends currently don't support tail-calls to CPP builtins because kJavaScriptCallArgCountRegister has different semantics for stub call descriptors versus JavaScript call descriptors. This is actually a short-coming of the backends and follow-up work will make the backends more robust in that regard to fail hard on unsupported constructs like that. This just disables the lowering creating such a tail-call.

R=bmeurer@chromium.org
BUG=chromium:658691
TEST=mjsunit/regress/regress-crbug-658691

Review-Url: https://codereview.chromium.org/2447383002
Cr-Commit-Position: refs/heads/master@{#40590}

[modify] https://crrev.com/2ab2ec224324d0a9e59e100d53a55394dc57ea12/src/compiler/js-typed-lowering.cc
[add] https://crrev.com/2ab2ec224324d0a9e59e100d53a55394dc57ea12/test/mjsunit/regress/regress-crbug-658691.js
,
Oct 26 2016
ClusterFuzz has detected this issue as fixed in range 40589:40590.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5788147842809856
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7ffe78ae2638
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::Object::GetPropertyWithDefinedGetter
Regressed: V8: r39438:39439
Fixed: V8: r40589:40590
Minimized Testcase (0.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96IMgleruTXg60QQ8MNakHANRoa9PJp_D05M_yAc643Muh6S_TrXHEEPLT84BVYxi36sO_MxPyBefcEyDl4RLHG8hC-uQmOrHqJxtHG9inpEEK-LKQLsUidwZcKqtRGMFzdrvFOWFkvyzDmtq0o3EMVbSvyTQ?testcase_id=5788147842809856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 26 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by rossberg@chromium.org, Oct 24 2016
Status: Assigned (was: Untriaged)