V8 correctness failure in configs: x64,ignition:x64,ignition_asm
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5703497657090048

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_asm
  sources: ac1

Sanitizer: address (ASAN)

Regressed: V8: 44860:44861

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5703497657090048

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 26 2017
The problem here is that the asm.js -> WASM translation doesn't preserve insertion order of exported functions. Can be reproduced with the following snippet:
function Module() {
"use asm";
function f() {}
return { a:f, b:f, c:f, d:f, e:f };
}
var m = Module();
print(Object.getOwnPropertyNames(m));
=== Expected output according to JS semantics: ===
$ ./out/x64.debug/d8 test/mjsunit/foo.js
a,b,c,d,e
=== Diverging output with asm.js to WASM translation: ===
$ ./out/x64.debug/d8 test/mjsunit/foo.js --validate-asm --fast-validate-asm
e,d,c,b,a
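An added example (not from the bug report and not V8's code) that turns the divergence above into a self-checking script runnable under Node or d8: it computes the property order ES semantics require for a list of export names, compares it with Object.getOwnPropertyNames of an instantiated module, and includes two constructed stand-ins, buggyInstantiate and fixedInstantiate, that model the pre-fix (reversed) and fixed (insertion-order) export processing. Those two helpers are illustrative assumptions, not V8's implementation. It goes beyond the snippet in the report by also covering array-index export names, which ES orders numerically ahead of string keys regardless of source order, so a naive "source order" expectation would itself be wrong. On a current V8 the real Module() already comes out as a,b,c,d,e; only the buggy model reproduces e,d,c,b,a.

```javascript
"use strict";

// The asm.js module from the report above, unchanged.
function Module() {
  "use asm";
  function f() {}
  return { a: f, b: f, c: f, d: f, e: f };
}

// True for canonical array-index strings ("0", "17"), which ES orders first.
function isArrayIndex(key) {
  const n = key >>> 0;
  return String(n) === key && n !== 0xFFFFFFFF;
}

// Order required by OrdinaryOwnPropertyKeys for an ordinary object:
// array indices ascending, then remaining string keys in insertion order.
function expectedKeyOrder(namesInSourceOrder) {
  const indices = namesInSourceOrder.filter(isArrayIndex).sort((a, b) => a - b);
  const strings = namesInSourceOrder.filter((k) => !isArrayIndex(k));
  return indices.concat(strings);
}

// Constructed model of the pre-fix translation (an assumption, not V8 code):
// exports were processed in reverse, so the object is filled back to front.
function buggyInstantiate(sourceNames, fn) {
  const exports = {};
  for (const name of sourceNames.slice().reverse()) exports[name] = fn;
  return exports;
}

// Constructed model of the fixed translation: insertion order is preserved.
function fixedInstantiate(sourceNames, fn) {
  const exports = {};
  for (const name of sourceNames) exports[name] = fn;
  return exports;
}

// Differential check: compare the observed property order with the ES-mandated one.
function checkExportOrder(sourceNames, instance) {
  const got = Object.getOwnPropertyNames(instance);
  const want = expectedKeyOrder(sourceNames);
  const ok = got.length === want.length && got.every((k, i) => k === want[i]);
  return { ok, got, want };
}

// Stand-alone run: print the same comparison the report shows.
function main() {
  const names = ["a", "b", "c", "d", "e"];
  const f = function () {};
  console.log("real module  :", checkExportOrder(names, Module()).got.join(","));
  console.log("pre-fix model:", checkExportOrder(names, buggyInstantiate(names, f)).got.join(","));
  console.log("fixed model  :", checkExportOrder(names, fixedInstantiate(names, f)).got.join(","));
}
main();
```

Run it as `node order.js` or `d8 order.js`; the third line is what the fixed build prints for the real module, and the second is what foozzie flagged. Note that expectedKeyOrder, not the raw source list, is the right oracle: with export names such as "1" and "2" both the pre-fix and fixed builds would place them first, and a checker that expected pure source order would report a false divergence.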
Apr 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/c5bfc27df247225008686428d8cb1d9fa85ede59

commit c5bfc27df247225008686428d8cb1d9fa85ede59
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Wed Apr 26 14:15:54 2017

[asm.js] Maintain insertion order of exports.

This makes sure that the observable property order of the module export
maintains insertion order. Now that properties are configurable, we no
longer need to reverse the export processing.

R=clemensh@chromium.org
TEST=mjsunit/asm/asm-validation
BUG=chromium:715420

Change-Id: Ib2024254c07bdad7fee1cf2fa0bd3e847721f5b5
Reviewed-on: https://chromium-review.googlesource.com/488022
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44891}

[modify] https://crrev.com/c5bfc27df247225008686428d8cb1d9fa85ede59/src/wasm/wasm-module.cc
[modify] https://crrev.com/c5bfc27df247225008686428d8cb1d9fa85ede59/test/mjsunit/asm/asm-validation.js
Apr 26 2017
Apr 27 2017
ClusterFuzz has detected this issue as fixed in range 44890:44891.

Detailed report: https://clusterfuzz.com/testcase?key=5703497657090048

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_asm
  sources: ac1

Sanitizer: address (ASAN)

Regressed: V8: 44860:44861
Fixed: V8: 44890:44891

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5703497657090048

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by machenb...@chromium.org, Apr 26 2017
Status: Assigned (was: Untriaged)