Ill in v8::internal::__RT_impl_Runtime_AbortJS |
|||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5628542116429824 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: Ill Crash Address: 0x7f60393162b8 Crash State: v8::internal::__RT_impl_Runtime_AbortJS v8::internal::Runtime_AbortJS Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=33377:33378 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5628542116429824 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Oct 16 2017
Assigning to Matthias, since the reproducer testcase seems to be based off assertPromiseResult, which he recently refactored.
,
Oct 16 2017
Mathias, (one t)
,
Oct 16 2017
M63 is scheduled to be promoted to Beta next week. mths@, please have the fix ready & merged in to M63 branch this week.
,
Oct 16 2017
M63 beta promotion is coming VERY soon. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP. Thank you.
,
Oct 17 2017
,
Oct 17 2017
Detailed report: https://clusterfuzz.com/testcase?key=5793388598394880 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: args[0]->IsString() in runtime-test.cc v8::internal::__RT_impl_Runtime_AbortJS v8::internal::Runtime_AbortJS Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=37703:37704 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5793388598394880 See https://github.com/google/clusterfuzz-tools for more information.
,
Oct 17 2017
I think this should be easy to fix. Clusterfuzz is feeding non-string inputs into the AbortJS function.
,
Oct 17 2017
Removing blockers since this is test-only runtime functions.
,
Oct 17 2017
Detailed report: https://clusterfuzz.com/testcase?key=6240393225306112 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: args[0]->IsString() in runtime-test.cc Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=43047:43048 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6240393225306112 See https://github.com/google/clusterfuzz-tools for more information.
,
Oct 17 2017
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
,
Oct 17 2017
Hmm, https://chromium.googlesource.com/v8/v8/+/361bb1a0479bdb47fb68c51a6ff88d671f255b76 only changed test JS code and actually got rid of `%AbortJS()` in `assertPromise*`. Are we sure this is the cause of the crash?
,
Oct 17 2017
Should we remove the M63 label, since this is test only code?
,
Oct 17 2017
I think so, yeah. Also, since %AbortJS() is *supposed* to end the process, I don’t think this is a bug at all. The only “bug” is ClusterFuzz using `%AbortJS` in its generated test cases…
,
Oct 17 2017
I asked Michi. He says that calling %AbortJS is a WontFix.
,
Oct 26 2017
ClusterFuzz testcase 5628542116429824 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
,
Oct 26 2017
,
Nov 7 2017
,
Jul 31
This crash occurs very frequently on windows platform and is likely preventing the fuzzer ochang_js_fuzzer from making much progress. Fixing this will allow more bugs to be found. Marking this bug as a blocker for next Beta release. If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.
,
Jul 31
The problem here is that the fuzzer generates the line "eval(%AbortJS(message));", which initiates a crash which in incorrectly classified by ClusterFuzz as a bug. The fuzzer found this line in mjsunit.js and started to use it a lot. I cannot fix this bug because the crash is actually intentional. However, I removed the line "eval(%AbortJS(message));" now from mjsunit.js (https://crrev.com/c/1156598) and hope that the fuzzer will not easily generate it again. I moved the code to a different file where no eval is required anymore. I hope that with this change the fuzzer does not generate "eval(%AbortJS(message));" anymore.
,
Jul 31
In general our fuzzers shouldn't be calling %AbortJS directly, but within eval I'm not sure what we'd do to detect and remove the calls. Thanks for the fix, if this comes up again we can try to work out a better solution. +ochang as an FYI
,
Aug 1
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891 commit 8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891 Author: Andreas Haas <ahaas@chromium.org> Date: Wed Aug 01 08:46:24 2018 [mjsunit] Move the implementation of testAsync into a separate file The original implementation of 'testAsync' in mjsunit.js required to put the call to '%AbortJS' into an 'eval' statement. The reason is that this call requires the flag --allow-natives-syntax to be set, but the flag is not set in all mjsunit tests. With the use of 'eval' compilation errors can be avoided. The problem with this approach was that the fuzzer started to produce test cases which include the line 'eval("%AbortJS(message)");', and this line crashes intentionally. Different to the line '%Abort(message)', however, the 'eval' statement cannot be filtered so easily in the fuzzer. Therefore I pulled the implementation of 'testAsync' into a separate file to avoid the 'eval'. Additional changes: I use '===' now instead of 'deepEquals' in AsyncAssertion.equals because 'deepEquals' is not available outside mjsunit.js. Using '===' seems more appropriate anyways because for all tests but one it is sufficient, and it is more precise than deepEquals. R=gsathya@chromium.org Bug: chromium:774841 Change-Id: I47270aa63ff5a1d6aa76a771f9276eaaf579c5ac Reviewed-on: https://chromium-review.googlesource.com/1156598 Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#54833} [modify] https://crrev.com/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891/test/mjsunit/es6/promise-all-overflow-1.js [modify] https://crrev.com/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891/test/mjsunit/es6/promise-all-overflow-2.js [modify] https://crrev.com/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891/test/mjsunit/es6/promise-all.js [modify] https://crrev.com/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891/test/mjsunit/harmony/async-generators-resume-return.js [modify] https://crrev.com/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891/test/mjsunit/harmony/async-generators-return.js [modify] https://crrev.com/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891/test/mjsunit/harmony/async-generators-yield.js [modify] https://crrev.com/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891/test/mjsunit/harmony/private-fields-special-object.js [modify] https://crrev.com/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891/test/mjsunit/harmony/promise-prototype-finally.js [modify] https://crrev.com/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891/test/mjsunit/mjsunit.js [modify] https://crrev.com/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891/test/mjsunit/regress/regress-crbug-807096.js [modify] https://crrev.com/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891/test/mjsunit/regress/regress-crbug-830565.js [add] https://crrev.com/8c3c1b6c0f3e9b31ef586cff5fcfb0693d209891/test/mjsunit/test-async.js
,
Oct 29
|
|||||||||||||||
►
Sign in to add a comment |
|||||||||||||||
Comment 1 by ClusterFuzz
, Oct 15 2017