
Issue 664793 link

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Crash in v8::internal::StoreBuffer::MoveEntriesToRememberedSet

Project Member Reported by ClusterFuzz, Nov 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5967031234199552

Fuzzer: decoder_langfuzz
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000048
Crash State:
  v8::internal::StoreBuffer::MoveEntriesToRememberedSet
  v8::internal::StoreBuffer::Task::RunInternal
  v8::platform::WorkerThread::Run
  
Regressed: V8: r40912:40940

Minimized Testcase (4.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ckQP4x9hayI-3GkFm-5aaVeXabotnDSrzSxx-2KS9MIcQrKhEeTB5K_xol57qOjTY0C0HbeUfVoPP4fG0LVLqTsyeipagvMnHqxKZ74FSwnXPhTKWiJbn0y169IWVuu1QP0R2bm1CJ6uBBhCZUbJuA-tuFg?testcase_id=5967031234199552

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by titzer@chromium.org, Nov 14 2016

Owner: mlippautz@chromium.org
Status: Assigned (was: Untriaged)
mlippautz@, can you please take a look? One of your recent CLs (https://chromium.googlesource.com/v8/v8/+/df5b86de4cc3115b849d3c40d12637ce39131ed7) was in the bisection range.
Cc: mlippautz@chromium.org
Owner: hpayer@chromium.org
My CL is still a noop.

Rather suspecting concurrent store buffer landing in a9e6bbba263c98090f96bb0dccff09d8ffb86c0a :)

Comment 3 by hpayer@chromium.org, Nov 14 2016

Cc: machenb...@chromium.org
Status: Started (was: Assigned)

Comment 4 by hpayer@chromium.org, Nov 14 2016

Release mode only repro, gdb:

Thread 2 (Thread 0x7ffff1f49700 (LWP 4724)):
#0  0x00005555567be42a in Acquire_Load () at ../../src/base/atomicops_internals_portable.h:165
#1  Value () at ../../src/base/atomic-utils.h:119
#2  old_to_new_slots () at ../../src/heap/spaces.h:442
#3  GetSlotSet () at ../../src/heap/remembered-set.h:212
#4  Insert () at ../../src/heap/remembered-set.h:26
#5  MoveEntriesToRememberedSet () at ../../src/heap/store-buffer.cc:118
#6  0x00005555567be761 in ConcurrentlyProcessStoreBuffer () at ../../src/heap/store-buffer.cc:136
#7  RunInternal () at ../../src/heap/store-buffer.h:98
#8  0x000055555770735d in v8::platform::WorkerThread::Run() ()
    at ../../src/libplatform/worker-thread.cc:26
#9  0x00005555576f2c4e in NotifyStartedAndRun () at ../../src/base/platform/platform.h:504
#10 ThreadEntry () at ../../src/base/platform/platform-posix.cc:582
#11 0x00007ffff7243184 in start_thread (arg=0x7ffff1f49700) at pthread_create.c:312
#12 0x00007ffff6d5a37d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7ffff7fc17c0 (LWP 4721)):
#0  0x00005555566d9be0 in NoBarrier_Load () at ../../src/base/atomicops_internals_portable.h:161
#1  map_word () at ../../src/objects-inl.h:1420
#2  map () at ../../src/objects-inl.h:1377
#3  IsFiller () at ../../src/objects-inl.h:663
#4  ProcessMarkingDeque () at ../../src/heap/incremental-marking.cc:881
#5  Step () at ../../src/heap/incremental-marking.cc:1137
#6  0x00005555566dadd1 in AdvanceIncrementalMarkingOnAllocation ()
    at ../../src/heap/incremental-marking.cc:1105
#7  0x00005555567b8615 in AllocationStep () at ../../src/heap/heap.h:2618
#8  AllocationStep () at ../../src/heap/spaces.cc:1167
#9  AllocateRaw () at ../../src/heap/spaces.cc:3000
#10 0x0000555556615ee1 in AllocateRaw () at ../../src/heap/heap-inl.h:328
#11 0x00005555566b73d9 in AllocateRawFixedArray () at ../../src/heap/heap.cc:3888
#12 AllocateUninitializedFixedArray () at ../../src/heap/heap.cc:3931
#13 0x00005555565d3beb in NewUninitializedFixedArray () at ../../src/factory.cc:154
#14 0x000055555654c9e6 in ConvertElementsWithCapacity () at ../../src/elements.cc:813
#15 ConvertElementsWithCapacity () at ../../src/elements.cc:792
#16 GrowCapacity () at ../../src/elements.cc:925
#17 0x0000555556d0326c in __RT_impl_Runtime_GrowArrayElements ()

Comment 5 by hpayer@chromium.org, Nov 14 2016

Confirmed bisect to:

commit a9e6bbba263c98090f96bb0dccff09d8ffb86c0a
Author: hpayer <hpayer@chromium.org>
Date:   Fri Nov 11 06:00:55 2016 -0800

    [heap] Reland concurrent store buffer processing.
    
    BUG=chromium:648973,  chromium:648568 
    
    Review-Url: https://codereview.chromium.org/2493083003
    Cr-Commit-Position: refs/heads/master@{#40928}

Comment 6 by hpayer@chromium.org, Nov 16 2016

...
insert 0x7f4449b7ef68 0x7f4443200048
insert done 0x7f4449b7ef68
insert 0x7f4449b7ef70 0x7f4443200048
insert done 0x7f4449b7ef70
insert 0x7f4449b7ef78 0x48
ASAN:DEADLYSIGNAL

We are trying to add an entry to a slot set of address 0x48. Right before, the address of the slot set was still ok.

Comment 7 by hpayer@chromium.org, Nov 16 2016

It seems the slot was part of a large object that gets uncommitted.

...insert 0x7fffbb500010 0x7fffb4b80000 0x7fffb4b80048
insert done 0x7fffbb500010
insert 0x7fffbb500018 0x7fffb4b80000 0x7fffb4b80048
insert done 0x7fffbb500018
insert 0x7fffbb500020 0x7fffb4b80000 0x7fffb4b80048
insert done 0x7fffbb500020
insert 0x7fffbb500028 (nil) 0x48

Comment 8 by hpayer@chromium.org, Nov 16 2016

The chunk_map_ of large objects gets resized while inserting entries. That is bad.
Status: Fixed (was: Started)

Project Member Comment 11 by ClusterFuzz, Nov 17 2016

ClusterFuzz has detected this issue as fixed in range 41032:41054.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5967031234199552

Fuzzer: decoder_langfuzz
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000048
Crash State:
  v8::internal::StoreBuffer::MoveEntriesToRememberedSet
  v8::internal::StoreBuffer::Task::RunInternal
  v8::platform::WorkerThread::Run
  
Regressed: V8: r40912:40940
Fixed: V8: r41032:41054

Minimized Testcase (4.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ckQP4x9hayI-3GkFm-5aaVeXabotnDSrzSxx-2KS9MIcQrKhEeTB5K_xol57qOjTY0C0HbeUfVoPP4fG0LVLqTsyeipagvMnHqxKZ74FSwnXPhTKWiJbn0y169IWVuu1QP0R2bm1CJ6uBBhCZUbJuA-tuFg?testcase_id=5967031234199552

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 12 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot