
Issue 716522 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug

Blocking:
issue 728979




Stack-overflow in v8::internal::compiler::CodeGenerator::AssembleInstruction

Project Member Reported by ClusterFuzz, Apr 28 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5309557770551296

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Stack-overflow
Crash Address: 0x006c2000
Crash State:
  v8::internal::compiler::CodeGenerator::AssembleInstruction
  v8::internal::compiler::CodeGenerator::GenerateCode
  v8::internal::compiler::GenerateCodePhase::Run
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=455700:456019

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5309557770551296


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by danno@chromium.org, May 2 2017

Owner: ishell@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by ishell@chromium.org, May 30 2017

Cc: ishell@chromium.org
 Issue 724617  has been merged into this issue.

Comment 3 by ishell@chromium.org, May 30 2017

Cc: -ishell@chromium.org jkummerow@chromium.org
The issue is that the CodeGenerator::AssembleInstruction() function suddenly requires 30 KB of stack, while the stack overflow checks in the Runtime::kCompile*() functions only ensure that we have at least 1 KB of available stack.
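The shape of the trigger described above (execution parked right at the engine's stack limit, followed by a demand to compile code that has not been compiled yet) can be driven from plain JavaScript. The script below is an added example written for this page, not the ClusterFuzz reproducer and not V8 code; the function names makeUncompiledFunction, recurseThenCompile and runProbe are invented, and it assumes an engine such as d8 or Node.js that throws a catchable RangeError when its JS stack limit is reached.

```javascript
// Added example (not the ClusterFuzz testcase, not V8 code): recurse until
// the engine's stack limit throws RangeError, then, with almost no native
// stack left, make the engine compile a function it has never compiled.
// An engine whose pre-compilation stack check reserves less headroom than
// its own compiler frames need would die with a native stack overflow here;
// a correct one either compiles the function or throws another RangeError.
'use strict';

// Build a function the engine has not compiled yet. `new Function` parses
// the source, but the body is only compiled when the function is first called.
function makeUncompiledFunction(seed) {
  return new Function('x', 'return x * ' + seed + ' + 1;');
}

// Recurse until the stack limit is hit, then request compilation from inside
// the catch block, i.e. right next to the limit. `stats` is a constructed
// record used to report what happened; the names are this example's own.
function recurseThenCompile(depth, stats) {
  stats.maxDepth = depth;
  try {
    recurseThenCompile(depth + 1, stats);
  } catch (e) {
    // Only the engine's stack-limit error is expected here.
    if (!(e instanceof RangeError)) throw e;
    stats.overflows++;
    try {
      const f = makeUncompiledFunction(depth);
      stats.compiledResult = f(2); // 2 * depth + 1, always odd
      stats.compiledNearLimit++;
    } catch (e2) {
      // Not enough stack to parse or compile: the engine refused cleanly.
      if (!(e2 instanceof RangeError)) throw e2;
      stats.compileRefused++;
    }
  }
  return stats;
}

// Returns the collected statistics; surviving this call at all is the
// property under test, whichever branch the engine ends up taking.
function runProbe() {
  const stats = {
    maxDepth: 0,
    overflows: 0,
    compiledNearLimit: 0,
    compileRefused: 0,
    compiledResult: null,
  };
  return recurseThenCompile(0, stats);
}

const probeResult = runProbe();
console.log(probeResult);
```

Run it with a JS shell or node. On an engine with the bug described above, the stack check performed before compilation passes as long as 1 KB is free, while code generation then needs far more than that, so the process dies with a native stack overflow rather than reporting a RangeError to the script. Which compiler tier actually runs for the freshly created function depends on the engine and its flags; the script itself cannot force a particular tier, so it probes the check-versus-frame-size relationship rather than one specific code generator.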

Comment 4 by bugdroid1@chromium.org (Project Member), May 31 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/69aa868bb717af38c05449621365cb5d484692c6

commit 69aa868bb717af38c05449621365cb5d484692c6
Author: Igor Sheludko <ishell@chromium.org>
Date: Wed May 31 09:26:03 2017

[runtime] Reserve more stack space for compilation.

... to properly handle stack overflows near the hard stack limit.

Bug:  chromium:716522 
Change-Id: I6acdb29f039b9835bdf45b087d6561a05ed837bb
Reviewed-on: https://chromium-review.googlesource.com/517799
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45619}
[modify] https://crrev.com/69aa868bb717af38c05449621365cb5d484692c6/src/bootstrapper.cc
[modify] https://crrev.com/69aa868bb717af38c05449621365cb5d484692c6/src/globals.h
[modify] https://crrev.com/69aa868bb717af38c05449621365cb5d484692c6/src/runtime/runtime-compiler.cc

Comment 5 by ishell@chromium.org, May 31 2017

Status: Fixed (was: Assigned)

Comment 6 by ClusterFuzz (Project Member), Jun 1 2017

ClusterFuzz has detected this issue as fixed in range 475879:475894.

Detailed report: https://clusterfuzz.com/testcase?key=5309557770551296

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Stack-overflow
Crash Address: 0x00de2000
Crash State:
  v8::internal::compiler::CodeGenerator::AssembleInstruction
  v8::internal::compiler::CodeGenerator::AssembleCode
  v8::internal::compiler::PipelineImpl::AssembleCode
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=455700:456019
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=475879:475894

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5309557770551296


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Blocking: 728979
