Timeout in v8_wasm_async_fuzzer
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6263613064216576

Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address:
Crash State:
  v8_wasm_async_fuzzer

Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6263613064216576

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. If the fix resolved the issue, please close the bug by marking as Fixed.
Sep 4 2017

Suspected CL is not changing any semantics. Assigning to ahaas@, the owner of all (wasm) fuzzers :)
Sep 7 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/7b53a0e010d0e53fbf59620423d8ae644335ae11

commit 7b53a0e010d0e53fbf59620423d8ae644335ae11
Author: Andreas Haas <ahaas@chromium.org>
Date: Thu Sep 07 12:35:45 2017

[wasm] Avoid executing infinite loops in the wasm fuzzers

The wasm-async fuzzer uses the bytes provided by the fuzzer engine directly as wasm module bytes, compiles them with async compilation, and then tries to execute the "main" function of the module. This "main" can have an infinite loop which causes a timeout in the fuzzer. With this CL the "main" function is first executed with the interpreter. If the execution in the interpreter finishes within 16k steps, which means that there is no infinite loop, the compiled code is also executed.

I added the raw fuzzer input as a test case because in this case I really want to test the fuzzer and not V8.

R=clemensh@chromium.org

Bug: chromium:761784
Change-Id: Id1fe5da0da8670ec821ab9979fdb9454dbde1162
Reviewed-on: https://chromium-review.googlesource.com/651046
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47874}

[modify] https://crrev.com/7b53a0e010d0e53fbf59620423d8ae644335ae11/src/wasm/wasm-objects.h
[modify] https://crrev.com/7b53a0e010d0e53fbf59620423d8ae644335ae11/test/common/wasm/wasm-module-runner.cc
[modify] https://crrev.com/7b53a0e010d0e53fbf59620423d8ae644335ae11/test/common/wasm/wasm-module-runner.h
[modify] https://crrev.com/7b53a0e010d0e53fbf59620423d8ae644335ae11/test/fuzzer/fuzzer.gyp
[modify] https://crrev.com/7b53a0e010d0e53fbf59620423d8ae644335ae11/test/fuzzer/wasm-async.cc
[modify] https://crrev.com/7b53a0e010d0e53fbf59620423d8ae644335ae11/test/fuzzer/wasm-fuzzer-common.cc
[modify] https://crrev.com/7b53a0e010d0e53fbf59620423d8ae644335ae11/test/fuzzer/wasm-fuzzer-common.h
[modify] https://crrev.com/7b53a0e010d0e53fbf59620423d8ae644335ae11/test/fuzzer/wasm.cc
[add] https://crrev.com/7b53a0e010d0e53fbf59620423d8ae644335ae11/test/fuzzer/wasm_async/regression-761784.wasm
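The gating described in the commit message, as an added illustration and not V8's or the CL's own code: a toy interpreter over a constructed wasm-like bytecode runs "main" under the 16k-step budget, and compiled execution is only attempted when the interpreter finished in time. The instruction set, `interpret`, `run_fuzzer_input` and the unbounded stand-in for compiled code are all assumptions made for this example.

```python
# Added illustration, not V8 code: gate compiled execution on a bounded
# interpreter run, as this bug's fix does. The bytecode is a constructed toy.
INTERPRETER_STEP_BUDGET = 16 * 1024  # the 16k-step limit from the CL

class StepBudgetExceeded(Exception): pass  # "main" ran past the budget

def interpret(code, budget=INTERPRETER_STEP_BUDGET):
    """Run `code` on a toy stack machine; `budget=None` means unbounded."""
    stack, locals_, labels = [], [0] * 4, []
    pc = steps = 0
    while pc < len(code):
        steps += 1
        if budget is not None and steps > budget:
            raise StepBudgetExceeded(f"no result after {budget} steps")
        op, *args = code[pc]
        if op == "i32.const":
            stack.append(args[0] & 0xFFFFFFFF)
        elif op == "i32.add":
            b, a = stack.pop(), stack.pop()
            stack.append((a + b) & 0xFFFFFFFF)
        elif op == "local.get":
            stack.append(locals_[args[0]])
        elif op == "local.set":
            locals_[args[0]] = stack.pop()
        elif op == "loop":  # the label's branch target is the loop head
            labels.append(pc)
        elif op == "end":
            labels.pop()
        elif op == "br_if" and stack.pop() != 0:  # depth 0: innermost loop
            pc = labels[-1] + 1
            continue
        pc += 1
    return stack[-1] if stack else None

def run_fuzzer_input(code, execute_compiled=lambda c: interpret(c, None)):
    """CL policy: interpret "main" first and run compiled code only if that
    finished in time. The default stand-in for compiled code is unbounded."""
    try:
        interpret(code)
    except StepBudgetExceeded:
        return ("skipped", None)  # this input would have been a fuzzer timeout
    return ("executed", execute_compiled(code))

# Constructed inputs: a terminating countdown and a loop that never exits.
COUNTDOWN = [("i32.const", 3), ("local.set", 0), ("loop",), ("local.get", 0),
             ("i32.const", -1), ("i32.add",), ("local.set", 0),
             ("local.get", 0), ("br_if", 0), ("end",), ("local.get", 0)]
INFINITE_LOOP = [("loop",), ("i32.const", 1), ("br_if", 0), ("end",)]
```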
Comment 1 by msrchandra@chromium.org, Sep 4 2017

Components: Blink>JavaScript
Labels: Test-Predator-Correct-CLs
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)