Ill in v8::internal::wasm::ThreadImpl::CallCodeObject
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6501230401814528
Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: Fatal error
Crash Address:
Crash State:
  v8::platform::PrintStackTrace
  v8::internal::wasm::ThreadImpl::CallCodeObject
  v8::internal::wasm::ThreadImpl::Run
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=459063:459084
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6501230401814528

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 22 2017
This hits UNIMPLEMENTED, since the interpreter would need to call a wasm function of another instance.
Jun 22 2017
Jul 5 2017
Detailed report: https://clusterfuzz.com/testcase?key=5147088215343104
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: Ill
Crash Address: 0x7f337a7e0338
Crash State:
  v8::internal::wasm::ThreadImpl::CallCodeObject
  CallIndirectFunction
  v8::internal::wasm::ThreadImpl::Execute
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5147088215343104
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jul 5 2017

Jul 10 2017

Aug 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/c39c6eba009599aef74920a3c0469d2ef18feec1

commit c39c6eba009599aef74920a3c0469d2ef18feec1
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon Aug 07 12:31:18 2017

[wasm] [debug] Implement calling imported wasm functions

The interpreter was not able to call imported wasm functions (hitting UNIMPLEMENTED). This CL fixes this by creating a "CWasmEntry", which is signature-specific. It has JS linkage and receives the wasm code object to call and a buffer containing all arguments (similar to the interpreter entry). It loads all arguments from the buffer and calls the given code object.

The c-wasm-entry code objects are cached per instance, such that we only create them once per signature.

These wasm entry stubs will also allow us to call back to compiled code from the interpreter, which we might want to do to reduce the slowdown of executing wasm for debugging.

R=titzer@chromium.org

Bug: chromium:735792
Change-Id: I7fecec3a7bec62a9de40fff115b684759b12a28b
Reviewed-on: https://chromium-review.googlesource.com/600308
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47195}

[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/compiler/wasm-compiler.h
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/frames-inl.h
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/frames.cc
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/frames.h
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/log.cc
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/objects.h
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/wasm/wasm-debug.cc
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/wasm/wasm-interpreter.cc
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/src/wasm/wasm-objects.h
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/test/cctest/BUILD.gn
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/test/cctest/cctest.gyp
[add] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/test/cctest/wasm/test-c-wasm-entry.cc
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/test/cctest/wasm/wasm-run-utils.h
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/test/mjsunit/wasm/interpreter-mixed.js
[modify] https://crrev.com/c39c6eba009599aef74920a3c0469d2ef18feec1/tools/v8heapconst.py
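The shape of input that reaches the path fixed above, as an added example (not the ClusterFuzz reproducer and not V8's own interpreter-mixed.js test): one instance exports a function, a second instance imports it, and the importing module calls it both directly (the `ThreadImpl::Run` crash state) and through `call_indirect` on a table slot holding the imported function (the `CallIndirectFunction` crash state). The modules are hand-assembled from bytes so the example has no build dependencies; the helper names (`uleb`, `section`, `funcBody`, `crossInstanceCall`) are this example's own. Under a normal engine both calls just return 42; to route the caller through the V8 interpreter you would run the script under d8 with the interpreter flag of that era (assumed here to be `--wasm-interpret-all`), which is what turned the cross-instance call into the UNIMPLEMENTED hit before this CL.

```javascript
// Added example, not the ClusterFuzz testcase or V8 project code.
// Two hand-assembled wasm modules: CALLEE exports add(i32,i32)->i32,
// CALLER imports it and calls it directly and via call_indirect.

function uleb(n) {                       // unsigned LEB128 encoding
  const out = [];
  do { let b = n & 0x7f; n >>>= 7; if (n) b |= 0x80; out.push(b); } while (n);
  return out;
}
const str = s => { const b = [...new TextEncoder().encode(s)]; return [...uleb(b.length), ...b]; };
const vec = items => [...uleb(items.length), ...items.flat()];
const section = (id, body) => [id, ...uleb(body.length), ...body];
const funcBody = code => { const b = [0x00, ...code]; return [...uleb(b.length), ...b]; }; // no locals
const wasmModule = (...sections) =>
  new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, ...sections.flat()]);

const SIG_I32_I32_I32 = [0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f]; // (i32, i32) -> i32

// CALLEE: (func $add (param i32 i32) (result i32) local.get 0 local.get 1 i32.add)
const CALLEE = wasmModule(
  section(1, vec([SIG_I32_I32_I32])),                       // type section
  section(3, vec([[0x00]])),                                // func 0 has type 0
  section(7, vec([[...str("add"), 0x00, 0x00]])),           // export "add" = func 0
  section(10, vec([funcBody([0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b])])),
);

// CALLER: imports a.add as func 0, puts it in table slot 0, and exports
//   direct(a, b)   = call 0
//   indirect(a, b) = call_indirect (type 0) with table index 0
const CALLER = wasmModule(
  section(1, vec([SIG_I32_I32_I32])),
  section(2, vec([[...str("a"), ...str("add"), 0x00, 0x00]])),   // import func, type 0
  section(3, vec([[0x00], [0x00]])),                             // funcs 1 and 2, type 0
  section(4, vec([[0x70, 0x00, 0x01]])),                         // table: funcref, min 1
  section(7, vec([[...str("direct"), 0x00, 0x01], [...str("indirect"), 0x00, 0x02]])),
  section(9, vec([[0x00, 0x41, 0x00, 0x0b, ...vec([[0x00]])]])), // elem: table[0] = func 0 (the import)
  section(10, vec([
    funcBody([0x20, 0x00, 0x20, 0x01, 0x10, 0x00, 0x0b]),                    // call 0
    funcBody([0x20, 0x00, 0x20, 0x01, 0x41, 0x00, 0x11, 0x00, 0x00, 0x0b]),  // i32.const 0; call_indirect
  ])),
);

function crossInstanceCall() {
  if (!WebAssembly.validate(CALLEE) || !WebAssembly.validate(CALLER)) {
    throw new Error("hand-assembled module failed validation");
  }
  const callee = new WebAssembly.Instance(new WebAssembly.Module(CALLEE));
  const caller = new WebAssembly.Instance(new WebAssembly.Module(CALLER),
                                          { a: { add: callee.exports.add } });
  // Both calls resolve to code belonging to a different instance, which is
  // exactly the case the interpreter could not handle before CWasmEntry.
  return { direct: caller.exports.direct(40, 2), indirect: caller.exports.indirect(40, 2) };
}

console.log(crossInstanceCall()); // { direct: 42, indirect: 42 }
```

The element segment is the part worth noticing: it places the imported function (index 0) in the table, so the `call_indirect` in `indirect` lands on another instance's code just as the direct `call 0` does.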
Aug 7 2017

Aug 8 2017
ClusterFuzz has detected this issue as fixed in range 492361:492517.

Detailed report: https://clusterfuzz.com/testcase?key=6501230401814528
Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: Fatal error
Crash Address:
Crash State:
  v8::platform::PrintStackTrace
  v8::internal::wasm::ThreadImpl::CallCodeObject
  v8::internal::wasm::ThreadImpl::Run
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=459063:459084
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=492361:492517
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6501230401814528
See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 8 2017
ClusterFuzz testcase 6501230401814528 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by clemensh@chromium.org, Jun 22 2017
Labels: -Pri-1 Pri-2
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
Summary: Fatal error in v8::internal::wasm::ThreadImpl::CallCodeObject (was: Fatal error in )