New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 682180 link

Starred by 1 user
Status: Verified
Owner:
ahaas@chromium.org
Closed: Feb 2017
Cc:
msrchandra@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug



Sign in to add a comment

Disposing the isolate that is entered by a thread in wasm-code.cc

Project Member Reported by ClusterFuzz, Jan 18 2017

Comment 1 by msrchandra@chromium.org, Jan 18 2017

Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)
Find it and CL did not provide any possible suspects.
Using Code Search for the file, "wasm-code.cc" assigning to the concern owner.

Suspecting Commit#
https://chromium.googlesource.com/v8/v8/+/a686de07b12b55ba919a75bfa0f1e1728c440c18

@ahaas -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by ahaas@chromium.org, Feb 1 2017

Labels: -Pri-1 Pri-3
Status: Started (was: Assigned)
This issue is a bug in the fuzzer, not a bug in the tested code. The fuzzer compares the output of the wasm interpreter with the output of the compiled wasm code. In the testcase, a calculation results in a non-deterministic NaN bit pattern (i.e. the bit pattern is different in interpreted code than in the compiled code), which is then observed by a reinterpret cast to int. 

In other words, the wasm spec allows non-deterministic results for the test case, and there the results of both the wasm interpreter and the wasm compiled code are correct although they are different. I have to change the fuzzer so that the results are not compared in this case.
Project Member

Comment 3 by ClusterFuzz, Feb 7 2017 

ClusterFuzz has detected this issue as fixed in range 448235:448242.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5845846303440896

Fuzzer: libfuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Disposing the isolate that is entered by a thread in wasm-code.cc
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=427885:428085
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=448235:448242

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97pvQzYgXSZdWVmTyqcueoFPMPcAoKTbCFh5CrcBibIjUOce2GIJIuhjqgj6eVHjCLlwxkxlEmdjlSQ8Kl1q5DN0jC_U2aZupeFE_Ru5NZfFNbdvUhiPiIPDojPIFIiz-RxJFndXRWM3Y-VKBpUhVxMvBEzr5nxPvj7ogrNKcIjZ9ivg5Ufu82h0Rrx6AjJpL2HJREVqUEjaE6ofuI0wTCYLX1o5dYpYkOaHcuXTc3_kUOw2LpbqhldlOZk76PjgHIWiVTXOG4bxIA-lNsA2fUmX4M1vTtBqzbzr9SujvxevTLXGWXJrHtGJuwpYUEvVMFLS4AQHnsoD8Kz_JH3YyLY8nWCx8LuTj_vR424k4tCBV_rI-o?testcase_id=5845846303440896


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by ClusterFuzz, Feb 7 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5845846303440896 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment