
Issue 667678 link

Starred by 6 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug

Blocking:
issue v8:4203
issue 663714


Participants' hotlists:
Hotlist-AsmJsParser



Differences between fullcode and validate_asm: function string representation

Project Member Reported by machenb...@chromium.org, Nov 22 2016

Issue description

If this is WAI it will make output suppression harder.

// asm.js module: with --validate-asm it is compiled to wasm and bar is
// exported as a wasm function; without it, bar stays a plain JS function.
function foo() {
  "use asm";
  function bar(a, b) {
    a=+(a);
    b=+(b);
  }
  return {bar: bar };
}
// toLocaleString falls through to Function.prototype.toString here (d8 print).
print(foo().bar.toLocaleString());


# Compared fullcode with validate_asm

# Flags of fullcode:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging  --random-seed 2104937600 --nocrankshaft --turbo-filter=~
# Flags of validate_asm:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging  --random-seed 2104937600 --validate-asm

Difference:
- function bar(a, b) {
+ function bar() { [native code] }

### Start of configuration fullcode:
function bar(a, b) {
    a=+(a);
    b=+(b);
  }

### End of configuration fullcode

### Start of configuration validate_asm:
function bar() { [native code] }

### End of configuration validate_asm
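Added example, not part of the issue and not foozzie's own code: a minimal differential-output comparison in Python that applies the kind of output suppression the report says this difference will make harder. The two sample outputs are the fullcode and validate_asm sides quoted in the Difference section above (embedded here as constructed strings); the placeholder `<function>`, the helper names and the brace-scanning approach are my own choices, not the implementation in tools/foozzie/v8_suppressions.py. Every function string representation, whether full source text or the `[native code]` form, is collapsed before the line-by-line comparison, and the report counts how often the suppression fired so that a reviewer can tell a suppressed difference from a fixed one.

```python
import re
from dataclasses import dataclass, field

# Constructed sample outputs: the two sides of the "Difference" shown in the
# issue (fullcode prints the asm.js source text, validate_asm prints the
# native-code form of the wasm-exported function).
FULLCODE_OUTPUT = """function bar(a, b) {
    a=+(a);
    b=+(b);
  }
"""
VALIDATE_ASM_OUTPUT = """function bar() { [native code] }
"""

# Constructed outputs with a genuine mismatch after the function string, to
# show that the suppression does not mask unrelated differences.
GENUINE_A = FULLCODE_OUTPUT + "42\n"
GENUINE_B = VALIDATE_ASM_OUTPUT + "43\n"

# Head of any function string representation, up to and including its '{'.
FUNC_HEAD = re.compile(r"function\s*[\w$]*\s*\([^)]*\)\s*\{")
# Body of the native-code form, from '{' to '}'.
NATIVE_BODY = re.compile(r"\{\s*\[native code\]\s*\}")
PLACEHOLDER = "<function>"  # hypothetical placeholder, my choice


def _end_of_body(text, brace_idx):
    """Index just past the '}' matching the '{' at text[brace_idx].
    Assumption: braces inside string literals are not handled; that is
    enough for the printed outputs considered here."""
    depth = 0
    for i in range(brace_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    return len(text)  # unterminated body: consume the rest


def suppress_function_strings(text):
    """Replace every function string representation with PLACEHOLDER.
    Returns (normalized_text, native_forms_seen, source_forms_seen)."""
    out, pos, native, source = [], 0, 0, 0
    while True:
        m = FUNC_HEAD.search(text, pos)
        if m is None:
            out.append(text[pos:])
            break
        end = _end_of_body(text, m.end() - 1)
        if NATIVE_BODY.fullmatch(text, m.end() - 1, end):
            native += 1
        else:
            source += 1
        out.append(text[pos:m.start()] + PLACEHOLDER)
        pos = end
    return "".join(out), native, source


@dataclass
class DiffReport:
    differences: list = field(default_factory=list)  # (line_a, line_b) pairs
    suppressed_native: int = 0
    suppressed_source: int = 0

    @property
    def suppressed(self):
        return self.suppressed_native + self.suppressed_source


def compare_outputs(out_a, out_b, suppress=True):
    """Line-by-line comparison of two configurations' outputs. suppress=False
    is the naive diff that flagged this issue; suppress=True normalizes
    function strings first and records how often that happened."""
    report = DiffReport()
    if suppress:
        out_a, na, sa = suppress_function_strings(out_a)
        out_b, nb, sb = suppress_function_strings(out_b)
        report.suppressed_native = na + nb
        report.suppressed_source = sa + sb
    lines_a, lines_b = out_a.splitlines(), out_b.splitlines()
    for i in range(max(len(lines_a), len(lines_b))):
        la = lines_a[i] if i < len(lines_a) else None
        lb = lines_b[i] if i < len(lines_b) else None
        if la != lb:
            report.differences.append((la, lb))
    return report


if __name__ == "__main__":
    naive = compare_outputs(FULLCODE_OUTPUT, VALIDATE_ASM_OUTPUT, suppress=False)
    print("naive diff:", naive.differences)
    fixed = compare_outputs(FULLCODE_OUTPUT, VALIDATE_ASM_OUTPUT)
    print("after suppression:", fixed.differences, "fired:", fixed.suppressed)
    real = compare_outputs(GENUINE_A, GENUINE_B)
    print("genuine difference survives:", real.differences)
```

The counters matter more than the placeholder: a suppression that keeps firing is exactly the signal behind the later question in this thread of whether the bug was fixed or only hidden, so a harness should surface how often each suppression matched rather than silently returning "no difference".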

 
Cc: bradnelson@chromium.org
Components: Blink>JavaScript>WebAssembly
Status: Available (was: Untriaged)
Owner: bradnelson@chromium.org
This is happening because we're not properly connecting the source for a wasm function with its asm.js source text for toString.

Comment 3 by clemensh@google.com, Nov 28 2016

Right. So we need to attach two things to the SharedFunctionInfo we create for exported wasm functions:
1) the script (easy, we have it on the WasmCompiledModule)
2) start and end position of the function.

No. 2 is not so easy: we need to remember this somewhere in the AsmWasmBuilder, carry it over to the WasmCompiledModule and use it on instantiation (similar to the original source positions).
Feel free to assign this to me.

Comment 4 by titzer@chromium.org, Nov 28 2016

I just commented on https://codereview.chromium.org/2398023002/.

I think we should save the SharedFunctionInfos that are created during parsing of asm.js in a side table that is somehow passed to the WASM backend.
Labels: v8-foozzie-failure
Status: Assigned (was: Available)
Labels: -Needs-Feedback
Blocking: v8:4203
 Issue 681272  has been merged into this issue.

Comment 10 by bugdroid1@chromium.org, Jan 17 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/dd9cf43ef2fec61a04ba5c9c1030fb307077fc75

commit dd9cf43ef2fec61a04ba5c9c1030fb307077fc75
Author: machenbach <machenbach@chromium.org>
Date: Tue Jan 17 10:10:03 2017

[foozzie] Suppress native function string representation

BUG=chromium:667678
NOTRY=true
TBR=titzer@chromium.org,bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2633313002
Cr-Commit-Position: refs/heads/master@{#42392}

[modify] https://crrev.com/dd9cf43ef2fec61a04ba5c9c1030fb307077fc75/tools/foozzie/v8_suppressions.py

 Issue 681367  has been merged into this issue.
 Issue 681502  has been merged into this issue.
 Issue 681532  has been merged into this issue.

Comment 14 by ClusterFuzz, Jan 17 2017

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6444033242300416

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  suppression: crbug.com/667678
  
Sanitizer: address (ASAN)

Regressed: V8: r42391:42392

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97g00Xh8x-UiH3kGMPMu9AGLcVrzl8QJg8UoBQjAeMBxf3t2IdZhgveBjk66OIeG_-HP6ULswd8UfnGYHK4Cv4iPAsg-qRF_QBwiF4obPYhTvMg3KKsnaDIabYDAsRUG5KOqKtJqzbjBJP3EuyU1OH0K9DPF4GINKxZOYqyxWIQiF47Kmo-CQpQ-Y-iBsLg1lD2fdbv5wUOzLCJWiBrYe9JgkX6XZ64dC1AXhCLCJAoHyQS0eAbesD6tcK46m-w3Zb4pCcXpyrAINJ79vt-AL63uexndjcIHDhoTMZY-9QUM7fFVzP2gkpVY6oVWqdHUHzMjtTPfU7ssItcbe0ByPm5mRb9KpnJoUSuZCk6iz7tm8bS66I?testcase_id=6444033242300416
function classOf() {
  switch (typeof value) {
    case "function":
  }
}
function __PrettyPrintArrayElement() {
}
__v_0 = [ Uint8ClampedArray];
print(__v_0);


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Labels: -Pri-2 Hotlist-Asm Pri-3

Comment 16 by ClusterFuzz, Jan 18 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5280655383724032 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)

Comment 18 by ClusterFuzz, Feb 4 2017

ClusterFuzz has detected this issue as fixed in range 42931:42932.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6444033242300416

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  suppression: crbug.com/667678
  
Sanitizer: address (ASAN)

Regressed: V8: 42391:42392
Fixed: V8: 42931:42932

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97g00Xh8x-UiH3kGMPMu9AGLcVrzl8QJg8UoBQjAeMBxf3t2IdZhgveBjk66OIeG_-HP6ULswd8UfnGYHK4Cv4iPAsg-qRF_QBwiF4obPYhTvMg3KKsnaDIabYDAsRUG5KOqKtJqzbjBJP3EuyU1OH0K9DPF4GINKxZOYqyxWIQiF47Kmo-CQpQ-Y-iBsLg1lD2fdbv5wUOzLCJWiBrYe9JgkX6XZ64dC1AXhCLCJAoHyQS0eAbesD6tcK46m-w3Zb4pCcXpyrAINJ79vt-AL63uexndjcIHDhoTMZY-9QUM7fFVzP2gkpVY6oVWqdHUHzMjtTPfU7ssItcbe0ByPm5mRb9KpnJoUSuZCk6iz7tm8bS66I?testcase_id=6444033242300416


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 20 by ClusterFuzz, Feb 10 2017

ClusterFuzz has detected this issue as fixed in range 43051:43052.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5264109659750400

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_x64_ia32
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  suppression: crbug.com/667678
  
Sanitizer: address (ASAN)

Fixed: V8: 43051:43052

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97NOVPodIsk_-88xODS1IBoml9bmdValCUBriWvSebxYG9gmsQ9ndff2TzOYJfrju8LiGjo3eIJ5TDhgmkRVA0ZhbRqBiJkfTIm1APKFJEiLYeQpaWWWxdNiGZp8dHX6fbAN7lju_PcEc00bkI5fZvfsAEPeinMJTQdCef23uI2gf8Lp7KIi5PV9v3S_qhZhplZwGvqrQba3eyNqBP4KccUlb6yRk8iP56y5IYfjanzSiwSCQpuAMv_SLc5q8CqSjWNwhw34wPbvNU41eAR6dYHabXGBuVC5azjSvETtm7Y2ZiSo5H9q0j4gCypE4uOHKj1hGSHUbzyJ_OSWIK6DWevX38p8nsuEaPvjDrpDltSEwhofZfQyNgyELcHqR8iSEfU-B3X1s7RLq2htqDv3J0qBxdelg?testcase_id=5264109659750400


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 21 by ClusterFuzz, Mar 16 2017

Labels: OS-Linux
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Owner: mstarzinger@chromium.org
I'll hold this for a second. :)
Should we close this one as fixed?

Comment 25 by machenbach@google.com, Jan 17 (6 days ago)

Is this actually fixed or just suppressed? The suppression still exists:
https://cs.chromium.org/chromium/src/v8/tools/clusterfuzz/v8_suppressions.py?l=86

Comment 26 by machenbach@google.com, Jan 17 (6 days ago)

Also, the suppression is hit: https://clusterfuzz.com/testcase-detail/6598602245537792

Comment 27 by mstarzinger@chromium.org, Jan 17 (6 days ago)

I don't think this is fixed. The [[toString]] conversion of a function within an asm.js module does not return the original source string. However this is low priority AFAICT (i.e. priority 3 is accurate) and I don't expect us to make any notable progress on this anytime soon.
