Differences between fullcode and validate_asm: function string representation
Issue description
If this is WAI it will make output suppression harder.
function foo() {
  "use asm";
  function bar(a, b) {
    a=+(a);
    b=+(b);
  }
  return {bar: bar };
}
print(foo().bar.toLocaleString());
# Compared fullcode with validate_asm
# Flags of fullcode:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 2104937600 --nocrankshaft --turbo-filter=~
# Flags of validate_asm:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 2104937600 --validate-asm
Difference:
- function bar(a, b) {
+ function bar() { [native code] }
### Start of configuration fullcode:
function bar(a, b) {
a=+(a);
b=+(b);
}
### End of configuration fullcode
### Start of configuration validate_asm:
function bar() { [native code] }
### End of configuration validate_asm
Nov 28 2016
This is happening because we're not properly connecting the source for a wasm function with its asm.js source text for toString.
Nov 28 2016
Right. So we need to attach two things to the SharedFunctionInfo we create for exported wasm functions: 1) the script (easy, we have it on the WasmCompiledModule) 2) start and end position of the function. Nr 2 is not so easy, we need to remember this somewhere in the AsmWasmBuilder, carry it over to the WasmCompiledModule and use it on instantiation (similar to the original source positions). Feel free to assign this to me.
Nov 28 2016
I just commented on https://codereview.chromium.org/2398023002/, I think we should save the SharedFunctionInfos that are created during parsing of asm.js in a side table that is somehow passed to the WASM backend.
Jan 16 2017
Issue 681272 has been merged into this issue.
Jan 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/dd9cf43ef2fec61a04ba5c9c1030fb307077fc75

commit dd9cf43ef2fec61a04ba5c9c1030fb307077fc75
Author: machenbach <machenbach@chromium.org>
Date: Tue Jan 17 10:10:03 2017

[foozzie] Suppress native function string representation

BUG=chromium:667678
NOTRY=true
TBR=titzer@chromium.org,bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2633313002
Cr-Commit-Position: refs/heads/master@{#42392}

[modify] https://crrev.com/dd9cf43ef2fec61a04ba5c9c1030fb307077fc75/tools/foozzie/v8_suppressions.py
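As an added example, not code from V8 or from the foozzie suppression file referenced above: a JavaScript normaliser that does what such a suppression has to do for differential fuzzing. It reduces both the source-text form of a function's string representation and the `function bar() { [native code] }` form to one placeholder before two runs are compared, so only genuine output differences are reported. The function names `suppressFunctionStrings` and `compareRuns` and the two sample outputs are constructed for this example.

```javascript
// Added example (not V8's v8_suppressions.py): normalise d8 output so that a
// function's toString() differing only in source text vs. "[native code]"
// does not register as a correctness failure between two configurations.

// Matches the head of any function string representation up to its "{".
const FN_HEAD = /function\s*([A-Za-z_$][\w$]*)?\s*\([^)]*\)\s*\{/g;

// Index of the brace closing the block opened at text[openIdx], or -1 if the
// block is unterminated. Strings and comments are not tracked; that is
// sufficient for fuzzer output but would need care for arbitrary source.
function matchBrace(text, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < text.length; i++) {
    if (text[i] === "{") depth++;
    else if (text[i] === "}" && --depth === 0) return i;
  }
  return -1;
}

// Replace every function string representation with "<function NAME>" so that
// "function bar(a, b) {...}" and "function bar() { [native code] }" compare equal.
function suppressFunctionStrings(output) {
  let result = "";
  let last = 0;
  FN_HEAD.lastIndex = 0;
  let m;
  while ((m = FN_HEAD.exec(output)) !== null) {
    const open = m.index + m[0].length - 1;
    const close = matchBrace(output, open);
    if (close === -1) break;
    result += output.slice(last, m.index) + `<function ${m[1] || "anonymous"}>`;
    last = close + 1;
    FN_HEAD.lastIndex = last;
  }
  return result + output.slice(last);
}

// Line-wise diff of the two normalised outputs; an empty array means no
// correctness failure remains after suppression.
function compareRuns(outA, outB) {
  const a = suppressFunctionStrings(outA).split("\n");
  const b = suppressFunctionStrings(outB).split("\n");
  const diffs = [];
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] !== b[i]) diffs.push({ line: i + 1, fullcode: a[i], validate_asm: b[i] });
  }
  return diffs;
}

// Constructed sample outputs mirroring the two configurations in the report.
const FULLCODE_OUT = "function bar(a, b) {\na=+(a);\nb=+(b);\n}\n";
const VALIDATE_ASM_OUT = "function bar() { [native code] }\n";
```

Calling `compareRuns(FULLCODE_OUT, VALIDATE_ASM_OUT)` returns an empty array, while a real value difference on any other line still surfaces with its line number and both sides.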
Jan 17 2017
Issue 681367 has been merged into this issue.
Jan 17 2017
Issue 681502 has been merged into this issue.
Jan 17 2017
Issue 681532 has been merged into this issue.
Jan 17 2017
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6444033242300416

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State: suppression: crbug.com/667678
Sanitizer: address (ASAN)
Regressed: V8: r42391:42392

Minimized Testcase (0.15 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97g00Xh8x-UiH3kGMPMu9AGLcVrzl8QJg8UoBQjAeMBxf3t2IdZhgveBjk66OIeG_-HP6ULswd8UfnGYHK4Cv4iPAsg-qRF_QBwiF4obPYhTvMg3KKsnaDIabYDAsRUG5KOqKtJqzbjBJP3EuyU1OH0K9DPF4GINKxZOYqyxWIQiF47Kmo-CQpQ-Y-iBsLg1lD2fdbv5wUOzLCJWiBrYe9JgkX6XZ64dC1AXhCLCJAoHyQS0eAbesD6tcK46m-w3Zb4pCcXpyrAINJ79vt-AL63uexndjcIHDhoTMZY-9QUM7fFVzP2gkpVY6oVWqdHUHzMjtTPfU7ssItcbe0ByPm5mRb9KpnJoUSuZCk6iz7tm8bS66I?testcase_id=6444033242300416

function classOf() { switch (typeof value) { case "function": } }
function __PrettyPrintArrayElement() { }
__v_0 = [ Uint8ClampedArray];
print(__v_0);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 18 2017
ClusterFuzz testcase 5280655383724032 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 4 2017
ClusterFuzz has detected this issue as fixed in range 42931:42932.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6444033242300416

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State: suppression: crbug.com/667678
Sanitizer: address (ASAN)
Regressed: V8: 42391:42392
Fixed: V8: 42931:42932

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97g00Xh8x-UiH3kGMPMu9AGLcVrzl8QJg8UoBQjAeMBxf3t2IdZhgveBjk66OIeG_-HP6ULswd8UfnGYHK4Cv4iPAsg-qRF_QBwiF4obPYhTvMg3KKsnaDIabYDAsRUG5KOqKtJqzbjBJP3EuyU1OH0K9DPF4GINKxZOYqyxWIQiF47Kmo-CQpQ-Y-iBsLg1lD2fdbv5wUOzLCJWiBrYe9JgkX6XZ64dC1AXhCLCJAoHyQS0eAbesD6tcK46m-w3Zb4pCcXpyrAINJ79vt-AL63uexndjcIHDhoTMZY-9QUM7fFVzP2gkpVY6oVWqdHUHzMjtTPfU7ssItcbe0ByPm5mRb9KpnJoUSuZCk6iz7tm8bS66I?testcase_id=6444033242300416

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 6 2017
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5264109659750400

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_x64_ia32
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State: suppression: crbug.com/667678
Sanitizer: address (ASAN)

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97NOVPodIsk_-88xODS1IBoml9bmdValCUBriWvSebxYG9gmsQ9ndff2TzOYJfrju8LiGjo3eIJ5TDhgmkRVA0ZhbRqBiJkfTIm1APKFJEiLYeQpaWWWxdNiGZp8dHX6fbAN7lju_PcEc00bkI5fZvfsAEPeinMJTQdCef23uI2gf8Lp7KIi5PV9v3S_qhZhplZwGvqrQba3eyNqBP4KccUlb6yRk8iP56y5IYfjanzSiwSCQpuAMv_SLc5q8CqSjWNwhw34wPbvNU41eAR6dYHabXGBuVC5azjSvETtm7Y2ZiSo5H9q0j4gCypE4uOHKj1hGSHUbzyJ_OSWIK6DWevX38p8nsuEaPvjDrpDltSEwhofZfQyNgyELcHqR8iSEfU-B3X1s7RLq2htqDv3J0qBxdelg?testcase_id=5264109659750400

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Feb 10 2017
ClusterFuzz has detected this issue as fixed in range 43051:43052.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5264109659750400

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_x64_ia32
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State: suppression: crbug.com/667678
Sanitizer: address (ASAN)
Fixed: V8: 43051:43052

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97NOVPodIsk_-88xODS1IBoml9bmdValCUBriWvSebxYG9gmsQ9ndff2TzOYJfrju8LiGjo3eIJ5TDhgmkRVA0ZhbRqBiJkfTIm1APKFJEiLYeQpaWWWxdNiGZp8dHX6fbAN7lju_PcEc00bkI5fZvfsAEPeinMJTQdCef23uI2gf8Lp7KIi5PV9v3S_qhZhplZwGvqrQba3eyNqBP4KccUlb6yRk8iP56y5IYfjanzSiwSCQpuAMv_SLc5q8CqSjWNwhw34wPbvNU41eAR6dYHabXGBuVC5azjSvETtm7Y2ZiSo5H9q0j4gCypE4uOHKj1hGSHUbzyJ_OSWIK6DWevX38p8nsuEaPvjDrpDltSEwhofZfQyNgyELcHqR8iSEfU-B3X1s7RLq2htqDv3J0qBxdelg?testcase_id=5264109659750400

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Oct 2 2017
I'll hold this for a second. :)
Jan 16
Should we close this one as fixed?
Jan 17
(6 days ago)
Is this actually fixed or just suppressed? The suppression still exists: https://cs.chromium.org/chromium/src/v8/tools/clusterfuzz/v8_suppressions.py?l=86
Jan 17
(6 days ago)
Also, the suppression is hit: https://clusterfuzz.com/testcase-detail/6598602245537792
Jan 17
(6 days ago)
I don't think this is fixed. The [[toString]] conversion of a function within an asm.js module does not return the original source string. However this is low priority AFAICT (i.e. priority 3 is accurate) and I don't expect us to make any notable progress on this anytime soon.
Comment 1 by hablich@chromium.org, Nov 22 2016
Components: Blink>JavaScript>WebAssembly
Status: Available (was: Untriaged)