CHECK failure: interrupt_address == isolate->builtins()->InterruptCheck()->entry() in full-code
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4869287071449088
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  interrupt_address == isolate->builtins()->InterruptCheck()->entry() in full-code
  v8::internal::BackEdgeTable::GetBackEdgeState
  v8::internal::BackEdgeTable::Patch
Sanitizer: address (ASAN)
Regressed: V8: 45496:45497
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4869287071449088

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 25 2017

May 25 2017

May 26 2017
Detailed report: https://clusterfuzz.com/testcase?key=6007995107639296
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  interrupt_address == isolate->builtins()->InterruptCheck()->entry() in full-code
  v8::internal::BackEdgeTable::GetBackEdgeState
  v8::internal::BackEdgeTable::Verify
Sanitizer: address (ASAN)
Regressed: V8: 45496:45497
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6007995107639296

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 26 2017

May 29 2017
Reproduces on TOT, something back-edge-patching related:

out.gn/arm.debug/d8 --predictable --no-turbo --cache=code --no-lazy test.js

===== test.js =====
function f() {
  var n = a.length;
  for (var i = 0; i < n; i++) {
  }
  for (var i = 0; i < n; i++) {
  }
}
var a = "xxxxxxxxxxxxxxxxxxxxxxxxx";
while (a.length < 100000) a = a + a;
f();

#0 v8::base::OS::Abort () at ../../src/base/platform/platform-posix.cc:261
#1 0xf58baf61 in V8_Fatal (file=0xf7bcc511 "../../src/full-codegen/arm/full-codegen-arm.cc", line=2842,
format=0xf7b0afe7 "Check failed: %s.") at ../../src/base/logging.cc:74
#2 0xf7963f1c in v8::internal::BackEdgeTable::GetBackEdgeState (isolate=0x565e2d10, unoptimized_code=0x4e4068c1,
pc=0x4e406ad8 "\344 \237", <incomplete sequence \345>) at ../../src/full-codegen/arm/full-codegen-arm.cc:2841
#3 0xf701577d in v8::internal::BackEdgeTable::Patch (isolate=0x565e2d10, unoptimized=0x4e4068c1)
at ../../src/full-codegen/full-codegen.cc:1499
#4 0xf7529127 in v8::internal::RuntimeProfiler::AttemptOnStackReplacement (this=0x56611ae8, frame=0xffffaf5c,
loop_nesting_levels=1) at ../../src/runtime-profiler.cc:187
#5 0xf752951b in v8::internal::RuntimeProfiler::MaybeOptimizeFullCodegen (this=0x56611ae8, function=0x22b9bbbd,
frame=0xffffaf5c, frame_count=1) at ../../src/runtime-profiler.cc:232
#6 0xf752a43a in v8::internal::RuntimeProfiler::MarkCandidatesForOptimization (this=0x56611ae8)
at ../../src/runtime-profiler.cc:453
#7 0xf6f98547 in v8::internal::StackGuard::HandleInterrupts (this=0x565e3ac8) at ../../src/execution.cc:497
#8 0xf75a7d5a in v8::internal::__RT_impl_Runtime_Interrupt (args=..., isolate=0x565e2d10)
at ../../src/runtime/runtime-internal.cc:324
#9 0xf75a7a5d in v8::internal::Runtime_Interrupt (args_length=0, args_object=0xf0368ef4, isolate=0x565e2d10)
at ../../src/runtime/runtime-internal.cc:321
#10 0xf785b595 in v8::internal::Simulator::SoftwareInterrupt (this=0x56608170, instr=0x566cd65c)
at ../../src/arm/simulator-arm.cc:1958
#11 0xf786235f in v8::internal::Simulator::DecodeType7 (this=0x56608170, instr=0x566cd65c)
at ../../src/arm/simulator-arm.cc:3183
#12 0xf7855c4d in v8::internal::Simulator::InstructionDecode (this=0x56608170, instr=0x566cd65c)
at ../../src/arm/simulator-arm.cc:5805
#13 0xf7870439 in v8::internal::Simulator::Execute (this=0x56608170) at ../../src/arm/simulator-arm.cc:5832
#14 0xf7870931 in v8::internal::Simulator::CallInternal (this=0x56608170,
entry=0x55406040 "\360O-\351\020\213", <incomplete sequence \355>) at ../../src/arm/simulator-arm.cc:5889
#15 0xf7871327 in v8::internal::Simulator::Call (this=0x56608170,
entry=0x55406040 "\360O-\351\020\213", <incomplete sequence \355>, argument_count=5)
at ../../src/arm/simulator-arm.cc:5940
#16 0xf6f96d7f in v8::internal::(anonymous namespace)::Invoke (isolate=0x565e2d10, is_construct=false, target=...,
receiver=..., argc=0, args=0x0, new_target=..., message_handling=v8::internal::Execution::MessageHandling::kReport)
at ../../src/execution.cc:145
#17 0xf6f96182 in v8::internal::(anonymous namespace)::CallInternal (isolate=0x565e2d10, callable=..., receiver=..., argc=0,
argv=0x0, message_handling=v8::internal::Execution::MessageHandling::kReport) at ../../src/execution.cc:181
#18 0xf6f95f8f in v8::internal::Execution::Call (isolate=0x565e2d10, callable=..., receiver=..., argc=0, argv=0x0)
at ../../src/execution.cc:191
#19 0xf65a12fd in v8::Script::Run (this=0x568229e4, context=...) at ../../src/api.cc:2039
#20 0x5658ffb0 in v8::Shell::ExecuteString (isolate=0x565e2d10, source=..., name=..., print_result=false,
report_exceptions=true) at ../../src/d8.cc:574
#21 0x5659e900 in v8::SourceGroup::Execute (this=0x565e100c, isolate=0x565e2d10) at ../../src/d8.cc:2290
#22 0x565a1673 in v8::Shell::RunMain (isolate=0x565e2d10, argc=6, argv=0xffffc454, last_run=true) at ../../src/d8.cc:2717
#23 0x565a22ef in v8::Shell::Main (argc=6, argv=0xffffc454) at ../../src/d8.cc:3167
#24 0x565a26b2 in main (argc=6, argv=0xffffc454) at ../../src/d8.cc:3199
May 30 2017

Some fullcodegen bug it seems. Michi, can you take a look when you have time?
May 30 2017
Interesting. Will investigate ...
May 30 2017
The problem is that the constant pool entry for the interrupt check (which is later on being patched for OSR) is being shared. This means that patching one OSR entry point essentially patches all of them. This also explains the regression range which points to c15b3ffc773ef7b14655b59b1ce1437de903fdc0.
May 31 2017
Issue 725930 has been merged into this issue.
Jun 2 2017

ClusterFuzz has detected this issue as fixed in range 45660:45661.

Detailed report: https://clusterfuzz.com/testcase?key=4869287071449088
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  interrupt_address == isolate->builtins()->InterruptCheck()->entry() in full-code
  v8::internal::BackEdgeTable::GetBackEdgeState
  v8::internal::BackEdgeTable::Patch
Sanitizer: address (ASAN)
Regressed: V8: 45496:45497
Fixed: V8: 45660:45661
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4869287071449088

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 2 2017

ClusterFuzz has detected this issue as fixed in range 45660:45661.

Detailed report: https://clusterfuzz.com/testcase?key=6007995107639296
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  interrupt_address == isolate->builtins()->InterruptCheck()->entry() in full-code
  v8::internal::BackEdgeTable::GetBackEdgeState
  v8::internal::BackEdgeTable::Verify
Sanitizer: address (ASAN)
Regressed: V8: 45496:45497
Fixed: V8: 45660:45661
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6007995107639296

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 2 2017

Fixed. Kudos and thanks go to Georgia ...

commit 6a99238b9004c8e14b7f86734ef071eac8198212
Author: georgia.kouveli <georgia.kouveli@arm.com>
Date:   Thu Jun 1 06:18:21 2017 -0700

    [arm] Clean up disabling of sharing code target entries.

    This fixes an issue with full-codegen where code target entries for the
    OSR check were being incorrectly shared. We now explicitly disable
    sharing of code target constant pool entries for full-codegen and for
    calls to builtins from WASM code, using a scope.

    BUG=chromium:725743
    Review-Url: https://codereview.chromium.org/2922433002
    Cr-Commit-Position: refs/heads/master@{#45661}
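As an added illustration of the mechanism described in the May 30 analysis and in the fix commit above, the following C++ toy model is not V8 code and not part of this bug thread. It models what full-codegen's back-edge table relies on: each loop back edge decides its state from its own branch instruction but loads the target from a constant-pool slot. When the code target entry is shared between sites, patching the first loop for OSR also changes what the second loop's load returns while its branch instruction still says "interrupt check", which is the inconsistency the CHECK in GetBackEdgeState catches. With sharing disabled (one slot per site, as the fix does with a scope), the second loop stays consistent. The entry-address constants, the Branch/State enums, the flat pool vector and all function names here are assumptions of the model, not V8's representation.

```cpp
// Toy model (added example, not V8 code) of full-codegen back-edge patching
// on ARM: a back edge is a conditional branch to the interrupt-check builtin
// whose target is loaded from a constant-pool entry.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

namespace backedge_model {

// Stand-ins for builtin entry addresses; the values are arbitrary (assumption).
constexpr uintptr_t kInterruptCheckEntry     = 0x1000;
constexpr uintptr_t kOnStackReplacementEntry = 0x2000;

enum class Branch { kConditionalBranch, kNop };
enum class State { kInterrupt, kOnStackReplacement, kInconsistent };

struct BackEdge {
  Branch branch;     // per-site instruction: conditional branch (interrupt) or nop (OSR)
  size_t pool_slot;  // constant-pool slot this site's load reads
};

struct Code {
  std::vector<uintptr_t> pool;      // constant pool holding code target entries
  std::vector<BackEdge> back_edges; // one entry per loop back edge
};

// Emit one back edge. With sharing enabled, an identical code target reuses an
// existing pool slot (the behaviour that caused the bug); with sharing
// disabled, every site gets its own slot (what the fix enforces via a scope).
void EmitBackEdge(Code* code, bool share_code_targets) {
  size_t slot = code->pool.size();
  if (share_code_targets) {
    for (size_t i = 0; i < code->pool.size(); ++i) {
      if (code->pool[i] == kInterruptCheckEntry) { slot = i; break; }
    }
  }
  if (slot == code->pool.size()) code->pool.push_back(kInterruptCheckEntry);
  code->back_edges.push_back({Branch::kConditionalBranch, slot});
}

// Models patching one site for OSR: nop the branch and redirect the pool
// entry the site loads from to the OSR builtin.
void PatchForOsr(Code* code, size_t site) {
  BackEdge& be = code->back_edges[site];
  be.branch = Branch::kNop;
  code->pool[be.pool_slot] = kOnStackReplacementEntry;
}

// Models the state query: the branch instruction decides the state and the
// loaded target must agree with it. kInconsistent is the modelled CHECK failure.
State GetBackEdgeState(const Code& code, size_t site) {
  const BackEdge& be = code.back_edges[site];
  uintptr_t target = code.pool[be.pool_slot];
  if (be.branch == Branch::kConditionalBranch) {
    return target == kInterruptCheckEntry ? State::kInterrupt : State::kInconsistent;
  }
  return target == kOnStackReplacementEntry ? State::kOnStackReplacement : State::kInconsistent;
}

// Two loops as in test.js: patch the first back edge for OSR and report the
// state the second back edge is then observed in.
State StateOfSecondLoopAfterPatchingFirst(bool share_code_targets) {
  Code code;
  EmitBackEdge(&code, share_code_targets);
  EmitBackEdge(&code, share_code_targets);
  PatchForOsr(&code, 0);
  return GetBackEdgeState(code, 1);
}

// Number of constant-pool entries two loops end up with.
size_t PoolEntriesForTwoLoops(bool share_code_targets) {
  Code code;
  EmitBackEdge(&code, share_code_targets);
  EmitBackEdge(&code, share_code_targets);
  return code.pool.size();
}

}  // namespace backedge_model

int main() {
  using namespace backedge_model;
  std::printf("shared entries:   pool=%zu, second loop state=%d (2 = inconsistent)\n",
              PoolEntriesForTwoLoops(true),
              static_cast<int>(StateOfSecondLoopAfterPatchingFirst(true)));
  std::printf("per-site entries: pool=%zu, second loop state=%d (0 = interrupt)\n",
              PoolEntriesForTwoLoops(false),
              static_cast<int>(StateOfSecondLoopAfterPatchingFirst(false)));
  return 0;
}
```

The model deliberately keeps the branch instruction per site and only the target in the pool, because that split is what makes a shared pool entry dangerous: the patcher mutates one thing per site and one thing in the pool, and only the unshared layout keeps those two views of a back edge in step.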
Jun 2 2017

Sep 8 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by och...@chromium.org, May 24 2017