Issue metadata
Sign in to add a comment
|
Infinite loop in asm.js parser
Reported by
niklas.h...@gmail.com,
Oct 4 2017
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3231.0 Safari/537.36 Steps to reproduce the problem: I have a website that uses some emscripten-compiled C++ (the "crunch" texture decompressor, https://github.com/BinomialLLC/crunch). It worked perfectly in Chromium 60.0.3112.113; the update to 61.0.3163.79 broke my website. I don't have a publicly available repro for this yet. What is the expected behavior? v8 can parse my .js file What went wrong? v8 loops forever parsing my JS file. With the help of `Torne` on the #chromium IRC channel, I quickly binary-build bisected the problem to this range: https://chromium.googlesource.com/chromium/src/+log/0fbc79aab000df51cb43513c03d9c34700edffc8..8e696fb6fd6c9bc135d86cd99daeda38eab54c60 identifying this commit as the problem: 250c1aa Adding field trial for asm.js -> Wasm by Brad Nelson · 3 months ago I can confirm that setting chrome://flags/#enable-asm-webassembly to "Disabled" fixes the problem on Chrome 61. Using gdb, I found that the function `AsmJsParser::GatherCases()` is never exits: https://github.com/v8/v8/blob/6.1.534/src/asmjs/asm-parser.cc#L2428-L2456 I suspect that the problem is that this loop `break`s only on else if (Peek(AsmJsScanner::kEndOfInput)) and doesn't consider that the value can also be `kParseError` as returned by the scanner in https://github.com/v8/v8/blob/6.1.534/src/asmjs/asm-scanner.cc#L70 I have a patch that seems to fix this and will post it in a moment. Did this work before? Yes 60.0.3112.113 Chrome version: 61.0.3163.79 Channel: stable OS Version: Ubuntu 16.04 Flash Version: I first posted some info about this on https://bugs.chromium.org/p/chromium/issues/detail?id=769607#c12 until I found that this is a separate bug. Please somebody give a peer bonus to torne@ for their excellent support on #chromium, helping me to get binary bisection and debug builds working.
,
Oct 4 2017
Also I lost a couple hours because apparently the instructions on https://github.com/v8/v8/wiki/Contributing/873218e9db96d040197fd07374b5d8bcbd54db34#submit-your-code are outdated. The linked cpplint.py doesn't seem to work; only after I deleted it (and probably used some cpplint.py bundled with v8 as a result of that) could I get past a "Failed to process" /path/to/v8/src/asmjs/asm-parser.cc" error (which had no further output attached).
,
Oct 4 2017
Oh yeah and this line in presubmit.py is wrong: https://github.com/v8/v8/blob/6.1.534/tools/presubmit.py#L82 See the big warning box on https://docs.python.org/2/library/subprocess.html#subprocess.Popen.wait
,
Oct 4 2017
,
Oct 4 2017
,
Oct 4 2017
+machenbach for comment #3
,
Oct 4 2017
Comment 3 tracked as https://crbug.com/v8/6883
,
Oct 4 2017
,
Oct 4 2017
,
Oct 4 2017
Does this asm.js parser have unit tests btw? I couldn't find any (I looked in https://github.com/v8/v8/tree/6.1.534/test/unittests/asmjs, but that seems to have only a few tests for the scanner, not for the parser).
,
Oct 4 2017
As we don't have a publicly available repro for this, and as per the comment #0 root cause is already identified as https://chromium.googlesource.com/chromium/src/+/250c1aa, hence removing the Needs-Bisect label.
,
Oct 4 2017
,
Oct 4 2017
Thanks for the reports. The fix references in comment #1 looks good to me. Re #10: We don't have unit tests for the asm.js parser in the narrower sense, but a whole slew of integration tests in the "mjsunit" test suite (I know, the naming a little bit off here). It's fine to just add a regression test to the "mjsunit" suite. See my comment here: https://chromium-review.googlesource.com/c/v8/v8/+/699994#message-fd90dcf25fa301181e97b26ca8cb176f2f864463 Thanks for the contribution!
,
Oct 4 2017
Issue 770345 has been merged into this issue.
,
Oct 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/4f8a70adca01c2769c09fc4516a89e542b7306d0 commit 4f8a70adca01c2769c09fc4516a89e542b7306d0 Author: Niklas Hambüchen <mail@nh2.me> Date: Wed Oct 04 16:13:39 2017 [asm.js] Fix infinite loop in parser on parse error. The code in `AsmJsScanner::Next()` checks for both end of input and parse error: if (token_ == kEndOfInput || token_ == kParseError) { return; } but until now the code in the parsing loop only checked for `kEndOfInput`, resulting in an infinite loop on `kParseError`. R=bradnelson@chromium.org, mstarzinger@chromium.org Bug: chromium:771428 Change-Id: I9170f090503590b3b9b949a0d00ab4daef85bf66 Reviewed-on: https://chromium-review.googlesource.com/699994 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#48290} [modify] https://crrev.com/4f8a70adca01c2769c09fc4516a89e542b7306d0/AUTHORS [modify] https://crrev.com/4f8a70adca01c2769c09fc4516a89e542b7306d0/src/asmjs/asm-parser.cc [add] https://crrev.com/4f8a70adca01c2769c09fc4516a89e542b7306d0/test/mjsunit/regress/regress-crbug-771428.js
,
Oct 4 2017
This is fixed. Affects both M61 and M62. Michael, please advise on whether we should merge this back (after sufficient baking time in Canary) or not.
,
Oct 4 2017
This bug requires manual review: We are only 12 days from stable. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 5 2017
Have you verified this in Canary? How safe is this merge, and how well tested is it? Is it truly critical for M62, or can it wait until M63?
,
Oct 6 2017
M61: I don't think there is going to be another release but in case there is, we definitely should piggy-bag onto it. The fix is also very small and straight-forward. M62: This definitely needs to be in M62.
,
Oct 9 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/39834d1e2ee93d752d3808376b7012b8cb5e8878 commit 39834d1e2ee93d752d3808376b7012b8cb5e8878 Author: Michael Starzinger <mstarzinger@google.com> Date: Tue Oct 10 08:23:03 2017 Merged: [asm.js] Fix infinite loop in parser on parse error. Revision: 4f8a70adca01c2769c09fc4516a89e542b7306d0 R=hablich@chromium.org BUG= chromium:771428 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true Change-Id: I6694c78c96db00a7784c641337f404bd1307ad65 Reviewed-on: https://chromium-review.googlesource.com/708267 Reviewed-by: Michael Hablich <hablich@chromium.org> Cr-Commit-Position: refs/branch-heads/6.2@{#62} Cr-Branched-From: efa2ac4129d30c7c72e84c16af3d20b44829f990-refs/heads/6.2.414@{#1} Cr-Branched-From: a861ebb762a60bf5cc2a274faee3620abfb06311-refs/heads/master@{#47693} [modify] https://crrev.com/39834d1e2ee93d752d3808376b7012b8cb5e8878/AUTHORS [modify] https://crrev.com/39834d1e2ee93d752d3808376b7012b8cb5e8878/src/asmjs/asm-parser.cc [add] https://crrev.com/39834d1e2ee93d752d3808376b7012b8cb5e8878/test/mjsunit/regress/regress-crbug-771428.js
,
Oct 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/1b579cf3fdde14815e2ee17365f89dc977099388 commit 1b579cf3fdde14815e2ee17365f89dc977099388 Author: Michael Starzinger <mstarzinger@google.com> Date: Tue Oct 10 08:25:28 2017 Merged: [asm.js] Fix infinite loop in parser on parse error. Revision: 4f8a70adca01c2769c09fc4516a89e542b7306d0 R=hablich@chromium.org BUG= chromium:771428 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true Change-Id: Iceeabf187fea1c439d49f8d20793e7363fb998b0 Reviewed-on: https://chromium-review.googlesource.com/708268 Reviewed-by: Michael Hablich <hablich@chromium.org> Cr-Commit-Position: refs/branch-heads/6.1@{#88} Cr-Branched-From: 1bf2e10ddb194d4c2871a87a4732613419de892d-refs/heads/6.1.534@{#1} Cr-Branched-From: e825c4318eb2065ffdf9044aa6a5278635c36427-refs/heads/master@{#46746} [modify] https://crrev.com/1b579cf3fdde14815e2ee17365f89dc977099388/AUTHORS [modify] https://crrev.com/1b579cf3fdde14815e2ee17365f89dc977099388/src/asmjs/asm-parser.cc [add] https://crrev.com/1b579cf3fdde14815e2ee17365f89dc977099388/test/mjsunit/regress/regress-crbug-771428.js
,
Oct 10 2017
Per comment #21 & #22, this is already merged to M61 and M62.
,
Oct 11 2017
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by niklas.h...@gmail.com
, Oct 4 2017