DCHECK failure in !it.done() in wasm-objects.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6695129766428672
Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  !it.done() in wasm-objects.cc
  v8::internal::WasmExportedFunction::GetWasmCode
  v8::internal::wasm::MakeWasmToWasmWrapper
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=44043:44044
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6695129766428672
Issue manually filed by: ishell

See https://github.com/google/clusterfuzz-tools for more information.
Oct 31 2017
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 31 2017
Nov 2 2017
Since this also requires --wasm-lazy-compilation flag, should it be considered a security bug?
Nov 2 2017
c4: I think we can remove the security label, since --wasm-lazy-compilation is not shipping.
Nov 2 2017
Nov 2 2017
Thanks titzer@
Nov 7 2017
Nov 7 2017
Nov 7 2017
Nov 15 2017
Nov 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/77b0baa6494d528a6b892160703edb087473efcd

commit 77b0baa6494d528a6b892160703edb087473efcd
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Nov 16 11:16:58 2017

[wasm] Fix importing wasm-lazy-compile stubs

If two modules use lazy compilation, and one imports a function of another, we are unwrapping the js-to-wasm wrapper of the export. This was failing so far, because during unwrapping we did not find the wasm code.
This CL fixes this by also recognizing WasmCompileLazy stubs as "wasm code".

R=ahaas@chromium.org

Bug: chromium:779569, v8:5991
Change-Id: If2260c3721e3746a7635b9d0182fd520df2fb773
Reviewed-on: https://chromium-review.googlesource.com/771672
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49405}

[modify] https://crrev.com/77b0baa6494d528a6b892160703edb087473efcd/src/wasm/module-compiler.cc
[modify] https://crrev.com/77b0baa6494d528a6b892160703edb087473efcd/src/wasm/wasm-objects.cc
[add] https://crrev.com/77b0baa6494d528a6b892160703edb087473efcd/test/mjsunit/wasm/lazy-compilation.js
Nov 16 2017
Nov 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/0d5d2a1ede88d80e809fc65d211ef429932dc0b5

commit 0d5d2a1ede88d80e809fc65d211ef429932dc0b5
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Nov 16 12:07:36 2017

Revert "[wasm] Fix importing wasm-lazy-compile stubs"

This reverts commit 77b0baa6494d528a6b892160703edb087473efcd.

Reason for revert: Breaks on win64 bot: https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Win64_-_debug%2F20172%2F%2B%2Frecipes%2Fsteps%2FCheck%2F0%2Flogs%2Flazy-compilation%2F0

Original change's description:
> [wasm] Fix importing wasm-lazy-compile stubs
>
> If two modules use lazy compilation, and one imports a function of
> another, we are unwrapping the js-to-wasm wrapper of the export. This
> was failing so far, because during unwrapping we did not find the wasm
> code.
> This CL fixes this by also recognizing WasmCompileLazy stubs as "wasm
> code".
>
> R=ahaas@chromium.org
>
> Bug: chromium:779569, v8:5991
> Change-Id: If2260c3721e3746a7635b9d0182fd520df2fb773
> Reviewed-on: https://chromium-review.googlesource.com/771672
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49405}

TBR=ahaas@chromium.org,clemensh@chromium.org

Change-Id: If5ab7b9de95ef662a65a6a5b919fa1f13aa492cd
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:779569, v8:5991
Reviewed-on: https://chromium-review.googlesource.com/774518
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49409}

[modify] https://crrev.com/0d5d2a1ede88d80e809fc65d211ef429932dc0b5/src/wasm/module-compiler.cc
[modify] https://crrev.com/0d5d2a1ede88d80e809fc65d211ef429932dc0b5/src/wasm/wasm-objects.cc
[delete] https://crrev.com/243eaf8b060693030e7cce6ab45eaba3f8365ebb/test/mjsunit/wasm/lazy-compilation.js
Nov 16 2017
Reverted.
Nov 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6802775efcff6c0b48dd9c7df922f38eff676d16

commit 6802775efcff6c0b48dd9c7df922f38eff676d16
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Nov 16 18:50:07 2017

Reland "[wasm] Fix importing wasm-lazy-compile stubs"

This is a reland of 77b0baa6494d528a6b892160703edb087473efcd.

Original change's description:
> [wasm] Fix importing wasm-lazy-compile stubs
>
> If two modules use lazy compilation, and one imports a function of
> another, we are unwrapping the js-to-wasm wrapper of the export. This
> was failing so far, because during unwrapping we did not find the wasm
> code.
> This CL fixes this by also recognizing WasmCompileLazy stubs as "wasm
> code".
>
> R=ahaas@chromium.org
>
> Bug: chromium:779569, v8:5991
> Change-Id: If2260c3721e3746a7635b9d0182fd520df2fb773
> Reviewed-on: https://chromium-review.googlesource.com/771672
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49405}

Bug: chromium:779569, v8:5991
Change-Id: I4818e933467bd5a040f1514b8fc18db219a092c7
Reviewed-on: https://chromium-review.googlesource.com/774538
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49426}

[modify] https://crrev.com/6802775efcff6c0b48dd9c7df922f38eff676d16/src/wasm/module-compiler.cc
[modify] https://crrev.com/6802775efcff6c0b48dd9c7df922f38eff676d16/src/wasm/wasm-objects.cc
[add] https://crrev.com/6802775efcff6c0b48dd9c7df922f38eff676d16/test/mjsunit/wasm/lazy-compilation.js
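The cross-module import the commit message describes, as an added example that is not the V8 project's regression test (test/mjsunit/wasm/lazy-compilation.js) nor anything from the bug report: two hand-encoded WebAssembly binaries, where module A exports a function and module B takes A's exported JS function object as its import, which is the point at which the engine has to unwrap the js-to-wasm wrapper to reach the wasm code behind it. The function names "add" and "twice", the import namespace "a", and the byte layouts are my own constructions. It runs under plain Node.js; on a d8 build it can be run with the --wasm-lazy-compilation flag the report names, which is the configuration in which the DCHECK fired before the fix (an assumption about how you invoke d8, not something the page shows).

```javascript
// Added example, not from the V8 bug report or its regression test.
// Module A: (func (param i32 i32) (result i32) local.get 0 local.get 1 i32.add), exported as "add".
const MODULE_A = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // "\0asm", version 1
  0x01, 0x07, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f, // type 0: (i32, i32) -> i32
  0x03, 0x02, 0x01, 0x00,                               // func 0 has type 0
  0x07, 0x07, 0x01, 0x03, 0x61, 0x64, 0x64, 0x00, 0x00, // export "add" = func 0
  0x0a, 0x09, 0x01, 0x07, 0x00,                         // code: 1 body of 7 bytes, no locals
  0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b,                   // local.get 0; local.get 1; i32.add; end
]);

// Module B: imports ("a", "add") as func 0, defines func 1 "twice" (param i32) (result i32)
// whose body calls the imported function as add(x, x).
const MODULE_B = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // "\0asm", version 1
  0x01, 0x0c, 0x02,                                     // type section: 2 types
  0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,                   //   type 0: (i32, i32) -> i32
  0x60, 0x01, 0x7f, 0x01, 0x7f,                         //   type 1: (i32) -> i32
  0x02, 0x09, 0x01, 0x01, 0x61, 0x03, 0x61, 0x64, 0x64, 0x00, 0x00, // import "a"."add": func, type 0
  0x03, 0x02, 0x01, 0x01,                               // first defined func (index 1) has type 1
  0x07, 0x09, 0x01, 0x05, 0x74, 0x77, 0x69, 0x63, 0x65, 0x00, 0x01, // export "twice" = func 1
  0x0a, 0x0a, 0x01, 0x08, 0x00,                         // code: 1 body of 8 bytes, no locals
  0x20, 0x00, 0x20, 0x00, 0x10, 0x00, 0x0b,             // local.get 0; local.get 0; call 0; end
]);

// Structural check before instantiation: a malformed byte layout fails here
// with a clear boolean rather than as a CompileError during linking.
function validateBoth() {
  return WebAssembly.validate(MODULE_A) && WebAssembly.validate(MODULE_B);
}

// Instantiate A on its own, then hand its exported function (a JS function
// object that wraps wasm code) to B as the value of B's single import.
function linkModules() {
  const instanceA = new WebAssembly.Instance(new WebAssembly.Module(MODULE_A), {});
  const exportedAdd = instanceA.exports.add;

  const moduleB = new WebAssembly.Module(MODULE_B);
  const importDescriptors = WebAssembly.Module.imports(moduleB);
  const instanceB = new WebAssembly.Instance(moduleB, { a: { add: exportedAdd } });

  return {
    add: exportedAdd,
    twice: instanceB.exports.twice,
    importDescriptors, // [{ module: "a", name: "add", kind: "function" }]
  };
}

const linked = linkModules();
console.log(JSON.stringify(linked.importDescriptors), linked.twice(21)); // ... 42
```

Passing `exportedAdd` as the import is what makes this a wasm-to-wasm call rather than a wasm-to-JS call: the engine sees that the import value is itself a wasm exported function and links directly to its code, which is the path the fix above had to teach about lazy-compilation stubs. Any other JS function in that slot would go through the generic JS import wrapper instead.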
Nov 16 2017
Nov 17 2017
ClusterFuzz has detected this issue as fixed in range 49425:49426.

Detailed report: https://clusterfuzz.com/testcase?key=6695129766428672
Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  !it.done() in wasm-objects.cc
  v8::internal::WasmExportedFunction::GetWasmCode
  v8::internal::wasm::MakeWasmToWasmWrapper
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=44043:44044
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49425:49426
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6695129766428672

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 17 2017
ClusterFuzz testcase 6695129766428672 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 17 2017
Feb 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Oct 30 2017
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)