IsNumber() in objects-inl.h
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4709921473167360
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_turbo_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: IsNumber() in objects-inl.h
Sanitizer: address (ASAN)
Regressed: V8: 42491:42492
Minimized Testcase (4.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94rI0UFQmPjVA_b7MBJa_DZWL8hJJpUiCyjYnFii71IzhorSLKk8PL6OCB93g4Pl1X_stImZoJUwpkPdGm7CBDbAyiTQ_0TJ4ieXEOvwegGElNx5Fk4vwqSA0oixV8v12vsw0uzEfq_mvAEHg37qfbpJ20L8u1a1_P00vW8AiTGewGufvlXnbs3qEbIsWxOuMg5CwcUIk0ScnRq5I7tjqbES6gNT1u0KGKsGSpgxzuawIs8ABnI3-bE2wfzC-WKNTDPfPp74Vrh4lQhf09lPaG7pKonKLPGfs4x5engYZ-3mLOtw6YWmBahUZeJRaeT5tEDS5AlyYxiQKtp5xfRKhXqOPznaokK1pEGVvgZQYM0E9LDkcc?testcase_id=4709921473167360
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 20 2017
The crash seems to be triggered by my CL by accident. I can reproduce it locally, but only with that specific --gc-interval=330.
It's probably related to recent changes in the JSArrayIterator. The crash itself is at the commented line:
void JSArrayIterator::JSArrayIteratorVerify() {
  CHECK(IsJSArrayIterator());
  JSObjectVerify();
  CHECK(object()->IsJSReceiver() || object()->IsUndefined(GetIsolate()));
  CHECK_GE(index()->Number(), 0);  // <---------- Here
  CHECK_LE(index()->Number(), kMaxSafeInteger);
  CHECK(object_map()->IsMap() || object_map()->IsUndefined(GetIsolate()));
}
Backtrace at [0]. JSArrayIterator::index() is undefined:
  (gdb) p index()
  $1 = (v8::internal::Object *) 0x5f96e002311
  (gdb) job index()
  #undefined
Suspecting commit 9091eb19be52d695616dc76ad87c0217f7b5b2a0 [deoptimizer] Materialize array iterators in the deoptimizer. jarin@, please take a look.
[0] (gdb) bt
#0 v8::base::OS::Abort () at ../../src/base/platform/platform-posix.cc:253
#1 0x00007ffff7fb5baf in V8_Fatal (file=0x7ffff7710bb6 "../../src/objects-inl.h", line=582, format=0x7ffff7710a57 "Check failed: %s.")
at ../../src/base/logging.cc:66
#2 0x00007ffff6777241 in v8::internal::Object::Number (this=0x5f96e002311) at ../../src/objects-inl.h:582
#3 0x00007ffff70d779a in v8::internal::JSArrayIterator::JSArrayIteratorVerify (this=0x3d6e10288201) at ../../src/objects-debug.cc:872
#4 0x00007ffff70d35b8 in v8::internal::HeapObject::HeapObjectVerify (this=0x3d6e10288201) at ../../src/objects-debug.cc:194
#5 0x00007ffff70d2fad in v8::internal::Object::ObjectVerify (this=0x3d6e10288201) at ../../src/objects-debug.cc:24
#6 0x00007ffff6fc424f in v8::internal::NewSpace::Verify (this=0x555555602da0) at ../../src/heap/spaces.cc:1849
#7 0x00007ffff6f2a08f in v8::internal::Heap::Verify (this=0x5555555c1f30) at ../../src/heap/heap.cc:4801
#8 0x00007ffff6f29e59 in v8::internal::Heap::GarbageCollectionPrologue (this=0x5555555c1f30) at ../../src/heap/heap.cc:423
#9 0x00007ffff6f2d3e0 in v8::internal::Heap::CollectGarbage (this=0x5555555c1f30, collector=v8::internal::SCAVENGER,
gc_reason=v8::internal::GarbageCollectionReason::kAllocationFailure, collector_reason=0x0, gc_callback_flags=v8::kNoGCCallbackFlags)
at ../../src/heap/heap.cc:1007
#10 0x00007ffff67d631e in v8::internal::Heap::CollectGarbage (this=0x5555555c1f30, space=v8::internal::NEW_SPACE,
gc_reason=v8::internal::GarbageCollectionReason::kAllocationFailure, callbackFlags=v8::kNoGCCallbackFlags)
at ../../src/heap/heap-inl.h:682
#11 0x00007ffff6eca122 in v8::internal::Factory::NewJSObjectFromMap (this=0x5555555c1f10, map=..., pretenure=v8::internal::NOT_TENURED,
allocation_site=...) at ../../src/factory.cc:1746
#12 0x00007ffff6e49127 in v8::internal::TranslatedState::MaterializeCapturedObjectAt (this=0x55555562e390, slot=0x55555562d780,
frame_index=0, value_index=0x7fffffffbd8c) at ../../src/deoptimizer.cc:3741
#13 0x00007ffff6e4a592 in v8::internal::TranslatedState::MaterializeAt (this=0x55555562e390, frame_index=0, value_index=0x7fffffffbd8c)
at ../../src/deoptimizer.cc:3992
#14 0x00007ffff6e4f03c in v8::internal::TranslatedState::CapturedObjectMaterializer::FieldAt (this=0x7fffffffbbd0,
value_index=0x7fffffffbd8c) at ../../src/deoptimizer.cc:3626
#15 0x00007ffff6e48f75 in v8::internal::TranslatedState::MaterializeCapturedObjectAt (this=0x55555562e390, slot=0x55555562d700,
frame_index=0, value_index=0x7fffffffbd8c) at ../../src/deoptimizer.cc:3729
#16 0x00007ffff6e4a592 in v8::internal::TranslatedState::MaterializeAt (this=0x55555562e390, frame_index=0, value_index=0x7fffffffbd8c)
at ../../src/deoptimizer.cc:3992
#17 0x00007ffff6e46965 in v8::internal::TranslatedState::MaterializeObjectAt (this=0x55555562e390, object_index=0)
at ../../src/deoptimizer.cc:4026
#18 0x00007ffff6e43c18 in v8::internal::TranslatedValue::GetValue (this=0x55555562d700) at ../../src/deoptimizer.cc:2964
#19 0x00007ffff6e43a3c in v8::internal::Deoptimizer::MaterializeHeapObjects (this=0x55555562e310, it=0x7fffffffc458)
at ../../src/deoptimizer.cc:2095
#20 0x00007ffff72bdd35 in v8::internal::__RT_impl_Runtime_NotifyDeoptimized (args=..., isolate=0x5555555c1f10)
at ../../src/runtime/runtime-compiler.cc:189
#21 0x00007ffff72bd780 in v8::internal::Runtime_NotifyDeoptimized (args_length=1, args_object=0x7fffffffcdc0, isolate=0x5555555c1f10)
at ../../src/runtime/runtime-compiler.cc:159
Jan 20 2017
ClusterFuzz has detected this issue as fixed in range 42507:42508.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4709921473167360
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_turbo_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: IsNumber() in objects-inl.h
Sanitizer: address (ASAN)
Regressed: V8: 42491:42492
Fixed: V8: 42507:42508
Minimized Testcase (4.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94rI0UFQmPjVA_b7MBJa_DZWL8hJJpUiCyjYnFii71IzhorSLKk8PL6OCB93g4Pl1X_stImZoJUwpkPdGm7CBDbAyiTQ_0TJ4ieXEOvwegGElNx5Fk4vwqSA0oixV8v12vsw0uzEfq_mvAEHg37qfbpJ20L8u1a1_P00vW8AiTGewGufvlXnbs3qEbIsWxOuMg5CwcUIk0ScnRq5I7tjqbES6gNT1u0KGKsGSpgxzuawIs8ABnI3-bE2wfzC-WKNTDPfPp74Vrh4lQhf09lPaG7pKonKLPGfs4x5engYZ-3mLOtw6YWmBahUZeJRaeT5tEDS5AlyYxiQKtp5xfRKhXqOPznaokK1pEGVvgZQYM0E9LDkcc?testcase_id=4709921473167360
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 20 2017
I doubt this is fixed, just flaky / requires specific GC timing.
Jan 20 2017
I see what's going on:
* The deoptimizer materializes a JSArrayIterator.
* At line 3729 this leads to materializing the iterated_object, a JSArray.
* The JSArray is allocated, triggering a GC and heap verification.
* Heap verification kicks in for the JSArrayIterator, but it's not fully set up yet. In particular, index() is only set at line 3735.
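The ordering problem described in the comment above, as an added C++ example that is not V8 code and not part of this bug thread: a toy heap runs a verification pass on every Nth allocation (standing in for d8's --gc-interval), and a buggy materializer allocates the iterated object before writing the iterator's index field, so the verifier sees an undefined index. The fixed ordering (write a placeholder index of zero before any nested allocation) is an assumption modelled on the title of the fix commit; all names here (ToyHeap, Value, MaterializeIteratorBuggy, MaterializeIteratorFixed, TryMaterialize) are invented for the example.

```cpp
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>
#include <cstdio>

// A tagged field: "undefined" (what a freshly allocated slot holds before the
// materializer writes it) or a number. Mirrors the IsNumber() CHECK that fires.
struct Value {
    bool is_number = false;
    double number = 0;
    static Value Undefined() { return Value(); }
    static Value Number(double n) { Value v; v.is_number = true; v.number = n; return v; }
};

struct ToyObject {
    std::string kind;               // "JSArrayIterator" or "JSArray"
    Value index = Value::Undefined();
    ToyObject* object = nullptr;    // iterated object (iterators only)
};

// Toy heap: the allocator runs Verify() on every gc_interval-th allocation,
// *before* the new object exists, like a GC prologue triggered by allocation.
class ToyHeap {
public:
    explicit ToyHeap(int gc_interval) : gc_interval_(gc_interval) {}

    ToyObject* Allocate(const std::string& kind) {
        if (++allocations_ % gc_interval_ == 0) Verify();
        objects_.push_back(std::make_unique<ToyObject>());
        objects_.back()->kind = kind;
        return objects_.back().get();
    }

    // Stand-in for JSArrayIteratorVerify: every iterator on the heap must have
    // a numeric, non-negative index. Throws on the first violation.
    void Verify() const {
        for (const auto& obj : objects_) {
            if (obj->kind != "JSArrayIterator") continue;
            if (!obj->index.is_number) throw std::logic_error("Check failed: IsNumber()");
            if (obj->index.number < 0) throw std::logic_error("Check failed: index >= 0");
        }
    }

private:
    int gc_interval_;
    int allocations_ = 0;
    std::vector<std::unique_ptr<ToyObject>> objects_;
};

// Buggy order: allocate the iterator, materialize its iterated object (a second
// allocation that may trigger verification), and only then write index.
ToyObject* MaterializeIteratorBuggy(ToyHeap& heap, double index) {
    ToyObject* it = heap.Allocate("JSArrayIterator");
    it->object = heap.Allocate("JSArray");   // Verify() may run here
    it->index = Value::Number(index);
    return it;
}

// Fixed order (assumption modelled on the fix commit title): give index a valid
// placeholder before any nested allocation, then overwrite it with the real value.
ToyObject* MaterializeIteratorFixed(ToyHeap& heap, double index) {
    ToyObject* it = heap.Allocate("JSArrayIterator");
    it->index = Value::Number(0);
    it->object = heap.Allocate("JSArray");
    it->index = Value::Number(index);
    return it;
}

// Returns true if materialization plus a final verification pass succeeds for
// the given GC interval, false if the verifier fired partway through.
bool TryMaterialize(bool fixed, int gc_interval) {
    ToyHeap heap(gc_interval);
    try {
        if (fixed) MaterializeIteratorFixed(heap, 3);
        else MaterializeIteratorBuggy(heap, 3);
        heap.Verify();
        return true;
    } catch (const std::logic_error&) {
        return false;
    }
}

int main() {
    for (int interval = 1; interval <= 3; ++interval) {
        std::printf("gc-interval=%d  buggy=%s  fixed=%s\n", interval,
                    TryMaterialize(false, interval) ? "ok" : "CHECK failure",
                    TryMaterialize(true, interval) ? "ok" : "CHECK failure");
    }
    return 0;
}
```

The timing dependence the thread mentions falls out directly: with an interval of 3 neither allocation triggers verification, so the buggy order passes, while an interval of 2 lands the verifier exactly between the iterator allocation and the index write. The fixed order passes at every interval because the iterator is never observable with a non-numeric index.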
Jan 20 2017
Yes, I have a fix in flight (https://codereview.chromium.org/2644283002/).
Jan 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/a0230f635949711e92c48d95ea4f9847dc6c62f6
commit a0230f635949711e92c48d95ea4f9847dc6c62f6
Author: jarin <jarin@chromium.org>
Date: Fri Jan 20 09:22:56 2017
[deoptimizer] Initialize array iterator index to zero to make heap-verify happy.
BUG= chromium:682671
Review-Url: https://codereview.chromium.org/2644283002
Cr-Commit-Position: refs/heads/master@{#42538}
[modify] https://crrev.com/a0230f635949711e92c48d95ea4f9847dc6c62f6/src/deoptimizer.cc
Jan 20 2017
Comment 1 by hablich@chromium.org, Jan 19 2017
Status: Assigned (was: Untriaged)