New issue
Advanced search Search tips

Issue 735792 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 3
Type: Bug



Sign in to add a comment

Ill in v8::internal::wasm::ThreadImpl::CallCodeObject

Project Member Reported by ClusterFuzz, Jun 22 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6501230401814528

Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Fatal error
Crash Address: 
Crash State:
  
  v8::platform::PrintStackTrace
  v8::internal::wasm::ThreadImpl::CallCodeObject
  v8::internal::wasm::ThreadImpl::Run
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=459063:459084

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6501230401814528


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ahaas@chromium.org
Labels: -Pri-1 Pri-2
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
Summary: Fatal error in v8::internal::wasm::ThreadImpl::CallCodeObject (was: Fatal error in )
Wasm interpreter crash. Will take a look.

Lowering priority though, as this requires the --wasm-interpret-all command line flag.
This hits UNIMPLEMENTED, since the interpreter would need to call a wasm function of another instance.
Labels: -Pri-2 Pri-3
Project Member

Comment 4 by ClusterFuzz, Jul 5 2017

Labels: Stability-Memory-AddressSanitizer
Summary: Ill in v8::internal::wasm::ThreadImpl::CallCodeObject (was: Fatal error in v8::internal::wasm::ThreadImpl::CallCodeObject)
Detailed report: https://clusterfuzz.com/testcase?key=5147088215343104

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7f337a7e0338
Crash State:
  v8::internal::wasm::ThreadImpl::CallCodeObject
  CallIndirectFunction
  v8::internal::wasm::ThreadImpl::Execute
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5147088215343104


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 5 by ClusterFuzz, Jul 5 2017

Labels: OS-Linux
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Project Member

Comment 7 by bugdroid1@chromium.org, Aug 7 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c39c6eba009599aef74920a3c0469d2ef18feec1

commit c39c6eba009599aef74920a3c0469d2ef18feec1
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon Aug 07 12:31:18 2017

[wasm] [debug] Implement calling imported wasm functions

The interpreter was not able to call imported wasm functions (hitting
UNIMPLEMENTED). This CL fixes this by creating a "CWasmEntry", which is
signature-specific. It has JS linkage and receives the wasm code object
to call and a buffer containing all arguments (similar to the
interpreter entry). It loads all arguments from the buffer and calls the
given code object.
The c-wasm-entry code objects are cached per instance, such that we
only create them once per signature.

These wasm entry stubs will also allow us to call back to compiled code
from the interpreter, which we might want to do to reduce the slowdown
of executing wasm for debugging.

R=titzer@chromium.org

Bug:  chromium:735792 
Change-Id: I7fecec3a7bec62a9de40fff115b684759b12a28b
Reviewed-on: https://chromium-review.googlesource.com/600308
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47195}
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/compiler/wasm-compiler.h
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/frames-inl.h
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/frames.cc
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/frames.h
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/log.cc
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/objects.h
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/wasm/wasm-debug.cc
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/wasm/wasm-interpreter.cc
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/wasm/wasm-objects.h
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/test/cctest/BUILD.gn
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/test/cctest/cctest.gyp
[add] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/test/cctest/wasm/test-c-wasm-entry.cc
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/test/cctest/wasm/wasm-run-utils.h
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/test/mjsunit/wasm/interpreter-mixed.js
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/tools/v8heapconst.py

Status: Fixed (was: Assigned)
Project Member

Comment 9 by ClusterFuzz, Aug 8 2017

ClusterFuzz has detected this issue as fixed in range 492361:492517.

Detailed report: https://clusterfuzz.com/testcase?key=6501230401814528

Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Fatal error
Crash Address: 
Crash State:
  
  v8::platform::PrintStackTrace
  v8::internal::wasm::ThreadImpl::CallCodeObject
  v8::internal::wasm::ThreadImpl::Run
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=459063:459084
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=492361:492517

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6501230401814528


See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Aug 8 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6501230401814528 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment