
Issue 720586


Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Participants' hotlists:
Hotlist-AsmJsParser



V8 correctness failure in configs: x64,ignition:x64,ignition_asm

Reported by ClusterFuzz (Project Member), May 10 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4509604565483520

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_asm
  sources: ed0
  
Sanitizer: address (ASAN)

Regressed: V8: 44941:44942

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4509604565483520


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)
This is due to the order of exports being off. The following is the dump of the asm.js export object with and without translation to WASM.

=== Expected order (without --validate-asm):
DebugPrint: 0xb7d27a0edf1: [JS_OBJECT_TYPE]
 - map = 0x3275e6890699 [FastProperties]
 - prototype = 0x37f1ab584471
 - elements = 0x10d25fa02241 <FixedArray[0]> [FAST_HOLEY_ELEMENTS]
 - properties = 0x10d25fa02241 <FixedArray[0]> {
    #__f_39: 0xb7d27a0e979 <JSFunction __f_39 (sfi = 0x37f1ab5b1281)> (data field 0)
    #__f_38: 0xb7d27a0e9c1 <JSFunction __f_38 (sfi = 0x37f1ab5b1359)> (data field 1)
    #__f_40: 0xb7d27a0ea09 <JSFunction __f_40 (sfi = 0x37f1ab5b1431)> (data field 2)
    #__f_30: 0xb7d27a0ea51 <JSFunction __f_30 (sfi = 0x37f1ab5b1509)> (data field 3)
    #__f_17: 0xb7d27a0eae1 <JSFunction __f_17 (sfi = 0x37f1ab5b16b9)> (data field 4)
    #__f_3: 0xb7d27a0ea99 <JSFunction __f_3 (sfi = 0x37f1ab5b15e1)> (data field 5)
 }

=== Observed order (with --validate-asm):
DebugPrint: 0x320e04c8ed29: [JS_OBJECT_TYPE]
 - map = 0x2917b8107f9 [FastProperties]
 - prototype = 0x32b46304471
 - elements = 0x3464f6302241 <FixedArray[0]> [FAST_HOLEY_ELEMENTS]
 - properties = 0x3464f6302241 <FixedArray[0]> {
    #__f_39: 0x32b46331aa9 <JSFunction __f_39 (sfi = 0x32b46331929)> (const data descriptor)
    #__f_38: 0x32b46331ca1 <JSFunction __f_38 (sfi = 0x32b46331b21)> (const data descriptor)
    #__f_40: 0x32b46331eb1 <JSFunction __f_40 (sfi = 0x32b46331d31)> (const data descriptor)
    #__f_30: 0x32b463320c1 <JSFunction __f_30 (sfi = 0x32b46331f41)> (const data descriptor)
    #__f_3: 0x32b463322d1 <JSFunction __f_3 (sfi = 0x32b46332151)> (const data descriptor)
    #__f_17: 0x32b463324e1 <JSFunction __f_17 (sfi = 0x32b46332361)> (const data descriptor)
 }
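The invariant the comment above describes, that every exported function must appear on the asm.js export object in source order whether or not the module is translated to WASM, can be checked from JavaScript with the differential oracle below. This is an added example, not code from the bug report, from the fix, or from V8's own test suite. The function names mirror the dump above (`__f_39` through `__f_3`); the function bodies, the `AsmModule` name, the empty `foreign` object and the 64 KiB heap are constructed. With `--validate-asm` on (the default in current V8, hence in Node.js) the export object comes from the translated module, which is the path the fix changed; if validation is off or fails, the plain object literal is returned. In both cases the check must report the declared order, which is exactly the property the two fuzzer configurations in the report were compared on.

```javascript
"use strict";

// Constructed asm.js module. The exports are listed in the same order as the
// dump in the bug report: __f_39, __f_38, __f_40, __f_30, __f_17, __f_3.
// Bodies are arbitrary but distinct, so a swapped body is detectable too.
function AsmModule(stdlib, foreign, heap) {
  "use asm";
  function __f_39(x) { x = x | 0; return (x + 1) | 0; }
  function __f_38(x) { x = x | 0; return (x + 2) | 0; }
  function __f_40(x) { x = x | 0; return (x + 3) | 0; }
  function __f_30(x) { x = x | 0; return (x + 4) | 0; }
  function __f_17(x) { x = x | 0; return (x + 5) | 0; }
  function __f_3(x)  { x = x | 0; return (x + 6) | 0; }
  // Export order as written in the source; this is the order that has to
  // survive translation to a WASM module.
  return {
    __f_39: __f_39,
    __f_38: __f_38,
    __f_40: __f_40,
    __f_30: __f_30,
    __f_17: __f_17,
    __f_3: __f_3,
  };
}

// The order declared in the module source (kept as a constant so the check
// below is independent of how the engine builds the export object).
const DECLARED_ORDER = ["__f_39", "__f_38", "__f_40", "__f_30", "__f_17", "__f_3"];

// Instantiate the module and read back the export object's own property order.
// A 64 KiB ArrayBuffer is a valid asm.js heap size (power of two >= 4 KiB).
function observedExportOrder(moduleFn) {
  const heap = new ArrayBuffer(64 * 1024);
  const exportsObj = moduleFn(globalThis, {}, heap);
  return Object.keys(exportsObj);
}

// Index of the first position where two key lists differ, or -1 if equal.
function firstDivergence(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    if (a[i] !== b[i]) return i;
  }
  return -1;
}

// The oracle a correctness fuzzer applies: the export object must list the
// functions in declared order regardless of the compilation path taken.
function checkExportOrder(moduleFn, declared) {
  const observed = observedExportOrder(moduleFn);
  const at = firstDivergence(observed, declared);
  return { ok: at === -1, divergesAt: at, observed };
}

// Exercise every export so that a mix-up of bodies (not only of names)
// would also be caught.
function exportsBehave(moduleFn) {
  const e = moduleFn(globalThis, {}, new ArrayBuffer(64 * 1024));
  return e.__f_39(0) === 1 && e.__f_38(0) === 2 && e.__f_40(0) === 3 &&
         e.__f_30(0) === 4 && e.__f_17(0) === 5 && e.__f_3(0) === 6;
}

if (typeof require !== "undefined" && require.main === module) {
  const result = checkExportOrder(AsmModule, DECLARED_ORDER);
  console.log(
    result.ok ? "export order preserved:" : `order differs at index ${result.divergesAt}:`,
    result.observed.join(", ")
  );
}
```

Run it as `node check-export-order.js`; on an engine with the fix it prints the declared order. Before the fix, the observed list would have diverged at index 4, where the dump above shows `__f_3` and `__f_17` swapped, because export order was only maintained per function rather than across the whole module.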

Comment 2 by bugdroid1@chromium.org (Project Member), May 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/fe9c60c17561312b7c01d19ff2fdb7f20a56031a

commit fe9c60c17561312b7c01d19ff2fdb7f20a56031a
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Fri May 12 12:11:06 2017

[asm.js] Maintain global order of exported functions.

This makes sure that the order of exports as they appear in asm.js
modules is maintained globally (not just per function) while being
translated to a WASM module.

R=clemensh@chromium.org
TEST=mjsunit/asm/asm-validation
BUG= chromium:720586 

Change-Id: I8b26d717ae2f88467d41670bced901f196c7b3fc
Reviewed-on: https://chromium-review.googlesource.com/503708
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45277}
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/src/asmjs/asm-parser.cc
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/src/wasm/wasm-module-builder.cc
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/src/wasm/wasm-module-builder.h
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/test/cctest/wasm/test-run-wasm-module.cc
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/test/fuzzer/wasm-call.cc
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/test/fuzzer/wasm-code.cc
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/test/fuzzer/wasm-compile.cc
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/test/mjsunit/asm/asm-validation.js

Status: Fixed (was: Assigned)
Comment 4 by ClusterFuzz (Project Member), May 13 2017

ClusterFuzz has detected this issue as fixed in range 45276:45277.

Detailed report: https://clusterfuzz.com/testcase?key=4509604565483520

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_asm
  sources: ed0
  
Sanitizer: address (ASAN)

Regressed: V8: 44941:44942
Fixed: V8: 45276:45277

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4509604565483520


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
