Ill in v8::internal::__RT_impl_Runtime_AbortJS
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4792083314638848

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0xf28f2bac
Crash State:
  v8::internal::__RT_impl_Runtime_AbortJS
  v8::internal::Runtime_AbortJS
  v8::internal::Simulator::SoftwareInterrupt

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=47567:47568

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4792083314638848

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Aug 25 2017
Aug 25 2017
Detailed report: https://clusterfuzz.com/testcase?key=6576255947505664

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7fadad3aaac8
Crash State:
  v8::internal::__RT_impl_Runtime_AbortJS
  v8::internal::Runtime_AbortJS
  v8::internal::Simulator::DoRuntimeCall

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=47567:47568

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6576255947505664

See https://github.com/google/clusterfuzz-tools for more information.
Aug 25 2017
Thanks, looking. It's a bit unfortunate that assert failures now show up in AbortJS :(
Aug 25 2017
This was introduced back in https://codereview.chromium.org/2803603005. As a lucky break, the failing CSA_ASSERT was also added then. What happens is that we convert `ToUint32(limit)`, but then don't store the new value in `var_limit` if the Uint32 conversion ended up transitioning the regexp to slow mode. Working on a fix.
Aug 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/c7a7bf6af0c562b4f9116b1adbef51f9e7f63137

commit c7a7bf6af0c562b4f9116b1adbef51f9e7f63137
Author: Jakob Gruber <jgruber@chromium.org>
Date: Fri Aug 25 13:59:43 2017

[regexp] Pass correct limit to Runtime::kRegExpSplit

The Uint32(limit) conversion can end up transitioning the regexp instance to slow mode. In this case we need to bail out to runtime while ensuring that ToUint32 is not observably called a second time. We do this by passing the already-converted value to runtime.

This particular path was broken and we ended up passing the original maybe_limit value to runtime instead.

TBR=yangguo@chromium.org

Bug: chromium:758763
Change-Id: If7f23b452d2e134ad9be3d4ef1d78d1c946fcef0
Reviewed-on: https://chromium-review.googlesource.com/635588
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47609}

[modify] https://crrev.com/c7a7bf6af0c562b4f9116b1adbef51f9e7f63137/src/builtins/builtins-regexp-gen.cc
[add] https://crrev.com/c7a7bf6af0c562b4f9116b1adbef51f9e7f63137/test/mjsunit/regress/regress-758763.js
Aug 25 2017
I don't think a backmerge will be necessary here. The only implication of this bug was that ToUint32() could be called twice observably, which is a spec violation but should not impact real code.
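The two comments above describe the bug from both sides: the fast path converted `ToUint32(limit)`, lost the converted value when the conversion itself knocked the regexp off the fast path, and then handed the original `maybe_limit` to the runtime, which converted it again, so user code could observe `valueOf` running twice. The following is an added example, not the `regress-758763.js` test from the commit, that makes the conversion observable with a counting `valueOf` and checks it runs exactly once. The side effect used to leave the fast path (adding an own property to the RegExp instance) is an assumption about V8's fast-regexp check; the spec result of `split` does not depend on it, because the splitter is created before the limit is converted.

```javascript
'use strict';

// Added example (not the project's own test): count how many times
// ToUint32(limit) reaches user code during String.prototype.split with a
// RegExp separator. ToUint32 goes through ToPrimitive -> valueOf, so a limit
// object with a counting valueOf makes the conversion observable.
function splitWithObservedLimit(input, limitValue, sideEffect) {
  const re = /,/;
  let valueOfCalls = 0;
  const limit = {
    valueOf() {
      valueOfCalls += 1;
      // Side effect on the separator while the limit is being converted,
      // mirroring the "transition to slow mode" case from the bug.
      sideEffect(re);
      return limitValue;
    },
  };
  const parts = input.split(re, limit);
  return { parts, valueOfCalls };
}

// Assumption: an own property on the RegExp instance changes its hidden class,
// which is one way to make V8 treat the instance as no longer "fast". The
// split result is unaffected either way.
function addOwnProperty(re) {
  re.addedByExample = true;
}

// Spec behaviour (and the fixed V8): the limit is converted exactly once,
// regardless of what the conversion does to the regexp.
function toUint32CalledOnce(input, limitValue) {
  const { valueOfCalls } = splitWithObservedLimit(input, limitValue, addOwnProperty);
  return valueOfCalls === 1;
}

// Constructed sample input.
const demo = splitWithObservedLimit('a,b,c', 2, addOwnProperty);
console.log(JSON.stringify(demo.parts), 'valueOf calls:', demo.valueOfCalls);
```

On a V8 that still had the bug, a run that transitions the regexp during the conversion would report two `valueOf` calls; with the fix, every path reports one and the split result is the same `["a","b"]` for limit 2.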
Aug 26 2017
ClusterFuzz has detected this issue as fixed in range 47608:47609.

Detailed report: https://clusterfuzz.com/testcase?key=6576255947505664

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7fadad3aaac8
Crash State:
  v8::internal::__RT_impl_Runtime_AbortJS
  v8::internal::Runtime_AbortJS
  v8::internal::Simulator::DoRuntimeCall

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=47567:47568
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=47608:47609

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6576255947505664

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 26 2017
ClusterFuzz has detected this issue as fixed in range 47608:47609.

Detailed report: https://clusterfuzz.com/testcase?key=4792083314638848

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0xf28f2bac
Crash State:
  v8::internal::__RT_impl_Runtime_AbortJS
  v8::internal::Runtime_AbortJS
  v8::internal::Simulator::SoftwareInterrupt

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=47567:47568
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=47608:47609

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4792083314638848

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 26 2017
ClusterFuzz testcase 4792083314638848 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 28 2017
Issue 759374 has been merged into this issue.
Comment 1 by mstarzinger@chromium.org
Aug 25 2017
Status: Assigned (was: Untriaged)

Regression range points to the new {DebugAbort} instruction, but that is just flushing out the issue. Hits the following CSA-assert.

abort: CSA_ASSERT failed: IsNumber(var_limit.value()) [../../src/builtins/builtins-regexp-gen.cc:2604]