
Issue 708457

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Fatal error in

Project Member Reported by ClusterFuzz, Apr 5 2017

Issue description

Cc: msrchandra@chromium.org
Components: Blink>JavaScript
Labels: Test-Predator-Correct-CLs M-59
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: Clemens Hammacher
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/701124db95b1267af189746bb24854dbe0258e77
Time: Fri Mar 31 08:29:02 2017
File wasm-interpreter.cc is changed in this cl (and is part of stack frame #5, "v8::internal::wasm::"; frame #6, "v8::internal::wasm::"; frame #7, "v8::internal::wasm::"; frame #8, "v8::internal::wasm::")
Minimum distance from crash line to modified line: 5. (file: wasm-interpreter.cc, crashed on: 1735, modified: 1730).

@clemensh -- Could you please take a look at the issue, and kindly re-assign it if this is not related to your changes.
Thank You.
Cc: ahaas@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Yes, recent changes to the interpreter disabled the implicit abortion after 1000 interpreted steps, making the interpreter now either run infinitely or reach the stack limit.

I will work on this when I have free cycles.
Status: Started (was: Assigned)
Project Member

Comment 4 by bugdroid1@chromium.org, Apr 6 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/82fa48ad04c56b87bb095f2593e17c93e94b8119

commit 82fa48ad04c56b87bb095f2593e17c93e94b8119
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Apr 06 13:58:22 2017

[wasm] [interpreter] Refactor Run()/Step() interface

The Run() method ran in chunks of {kRunSteps} steps till completion or
breakpoint, while Step() executed exactly one step.
This CL removes the {kRunSteps} concept, and instead allows to pass the
number of steps to run to the Run() method. Step() just calls Run(1).

R=ahaas@chromium.org
BUG=chromium:708457, v8:5822

Change-Id: I03f7f4da4e0d0e72337399206f1c49ff0f1f041a
Reviewed-on: https://chromium-review.googlesource.com/469846
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44443}
[modify] https://crrev.com/82fa48ad04c56b87bb095f2593e17c93e94b8119/src/wasm/wasm-interpreter.cc
[modify] https://crrev.com/82fa48ad04c56b87bb095f2593e17c93e94b8119/src/wasm/wasm-interpreter.h

Project Member

Comment 5 by bugdroid1@chromium.org, Apr 6 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/95c5c76fe32a2145a8dd200adaa33901c8d65495

commit 95c5c76fe32a2145a8dd200adaa33901c8d65495
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Apr 06 14:20:18 2017

[wasm] [fuzzer] Bound the number of steps to execute

To avoid running infinitely or hitting the stack size limit, bound the
number of steps to execute in the interpreter to 16k.

R=ahaas@chromium.org
BUG=chromium:708457

Change-Id: Ib101bbbc06627641dae2fd1cd1a8d950aa504eaf
Reviewed-on: https://chromium-review.googlesource.com/469609
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44446}
[modify] https://crrev.com/95c5c76fe32a2145a8dd200adaa33901c8d65495/test/common/wasm/wasm-module-runner.cc
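As an added illustration (not V8's code) of the two CLs above, the toy interpreter below runs at most `max_steps` steps and returns a status instead of aborting, with `Step()` being `Run(1)` as in comment 4 and a 16k-step cap in the harness as in comment 5. The opcodes, the `kMaxDepth` stand-in for the stack limit and the `RunBounded` helper are constructed for this example; the point is that a looping or deeply recursive module now ends in `kPaused` or `kStackOverflow` rather than an unbounded run or a fatal stack check.

```cpp
#include <cstddef>
#include <utility>
#include <vector>

// Toy step-budgeted interpreter modelled on the Run(num_steps)/Step() split
// from the CL; opcodes, limits and names here are constructed, not V8's.
enum class Op { kNop, kLoopBack, kCallSelf, kReturn };
enum class State { kFinished, kPaused, kStackOverflow };

class Interpreter {
 public:
  explicit Interpreter(std::vector<Op> code) : code_(std::move(code)) {}
  // Execute at most max_steps steps; kPaused means the budget ran out and
  // the caller (e.g. a fuzzer harness) decides whether to continue.
  State Run(size_t max_steps) {
    for (size_t i = 0; i < max_steps; ++i) {
      if (pc_ >= code_.size()) return State::kFinished;
      ++steps_;
      switch (code_[pc_]) {
        case Op::kNop: ++pc_; break;
        case Op::kLoopBack: pc_ = 0; break;  // backward branch: never ends
        case Op::kCallSelf:                   // recursion grows the call stack
          if (call_stack_.size() >= kMaxDepth) return State::kStackOverflow;
          call_stack_.push_back(pc_ + 1);
          pc_ = 0;
          break;
        case Op::kReturn:
          if (call_stack_.empty()) return State::kFinished;
          pc_ = call_stack_.back();
          call_stack_.pop_back();
          break;
      }
    }
    return State::kPaused;
  }
  State Step() { return Run(1); }  // as in the CL, Step() is just Run(1)
  size_t steps() const { return steps_; }
 private:
  static constexpr size_t kMaxDepth = 256;  // stand-in for the stack limit
  std::vector<Op> code_;
  std::vector<size_t> call_stack_;
  size_t pc_ = 0;
  size_t steps_ = 0;
};

// Mirrors the fuzzer fix: cap a run at 16k steps instead of running unbounded.
constexpr size_t kFuzzerMaxSteps = 16 * 1024;
struct Result { State state; size_t steps; };
Result RunBounded(const std::vector<Op>& code) {
  Interpreter in(code);
  return {in.Run(kFuzzerMaxSteps), in.steps()};  // braced init evaluates in order
}
```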

Status: Fixed (was: Started)
Project Member

Comment 7 by ClusterFuzz, Apr 7 2017

ClusterFuzz has detected this issue as fixed in range 462639:462698.

Detailed report: https://clusterfuzz.com/testcase?key=6410798491762688

Fuzzer: libfuzzer_v8_wasm_call_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  v8::internal::wasm::ThreadImpl::DoStackCheck
  v8::internal::wasm::ThreadImpl::DoCall
  v8::internal::wasm::ThreadImpl::Execute
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=461097:461114
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=462639:462698

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv945BZCVrLfcQCIsMts9vvvHWv-zNFys7mImO9hUaSI5Dxaf3JqQtHJQ0gby3ju6e8qyEN4uNun5JnTNv-cMrHKs8QTsaPFzhMZvHyDAqJPuu19soOISfQx0-gEbqWh7AhW8dw1rbZMcLIRmSb5VCsMm04V-e781Je0bafbK_1ESrUY859Itj_QZFhu3q3NZSlV7uMnt-emNzY7igaY9EfD3duVFJEy6mBOVsLhqAuAKC-vT5ajF7tu5caSc_gPTpuEXcqqLAPoOHjc_XkLnLk3eg9LxYia454HiK8mkGxqgtsS8tybdfsRGeRcUX9FXWPLi0X-snlCm6nKDE-YfQglZ26EPjBEikAKqo_dQA7Pe20ILduQstfrGnpw883yLl2LSdIm51Fhjk-ZHYd9K75-fiPgTDA?testcase_id=6410798491762688


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
