
Issue 779569 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




DCHECK failure in !it.done() in wasm-objects.cc

Project Member Reported by ClusterFuzz, Oct 30 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6695129766428672

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !it.done() in wasm-objects.cc
  v8::internal::WasmExportedFunction::GetWasmCode
  v8::internal::wasm::MakeWasmToWasmWrapper
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=44043:44044

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6695129766428672

Issue manually filed by: ishell

See https://github.com/google/clusterfuzz-tools for more information.
 

Comment 1 by ishell@chromium.org, Oct 30 2017

Cc: ishell@chromium.org titzer@chromium.org
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
CF points to 8255fb5e9895ef1603ac5504a2affc5cfdcd3b70 but it may also be a duplicate of issue 775101.

Project Member Comment 2 by ClusterFuzz, Oct 31 2017

Components: Blink>JavaScript>WebAssembly
Labels: Test-Predator-AutoComponents
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Project Member Comment 3 by sheriffbot@chromium.org, Oct 31 2017

Labels: Pri-1

Comment 4 by vakh@chromium.org, Nov 2 2017

Since this also requires --wasm-lazy-compilation flag, should it be considered a security bug?
c4: I think we can remove the security label, since --wasm-lazy-compilation is not shipping.

Comment 6 by vakh@chromium.org, Nov 2 2017

Labels: -Type-Bug-Security -Security_Severity-High Type-Bug

Comment 7 by vakh@chromium.org, Nov 2 2017

Thanks titzer@
Labels: Test-Predator-Auto-CC
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
Labels: -Test-Predator-Auto-CC
Status: Started (was: Assigned)

Project Member Comment 12 by bugdroid1@chromium.org, Nov 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/77b0baa6494d528a6b892160703edb087473efcd

commit 77b0baa6494d528a6b892160703edb087473efcd
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Nov 16 11:16:58 2017

[wasm] Fix importing wasm-lazy-compile stubs

If two modules use lazy compilation, and one imports a function of
another, we are unwrapping the js-to-wasm wrapper of the export. This
was failing so far, because during unwrapping we did not find the wasm
code.
This CL fixes this by also recognizing WasmCompileLazy stubs as "wasm
code".

R=ahaas@chromium.org

Bug: chromium:779569, v8:5991
Change-Id: If2260c3721e3746a7635b9d0182fd520df2fb773
Reviewed-on: https://chromium-review.googlesource.com/771672
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49405}
[modify] https://crrev.com/77b0baa6494d528a6b892160703edb087473efcd/src/wasm/module-compiler.cc
[modify] https://crrev.com/77b0baa6494d528a6b892160703edb087473efcd/src/wasm/wasm-objects.cc
[add] https://crrev.com/77b0baa6494d528a6b892160703edb087473efcd/test/mjsunit/wasm/lazy-compilation.js

Status: Fixed (was: Started)

Project Member Comment 14 by bugdroid1@chromium.org, Nov 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/0d5d2a1ede88d80e809fc65d211ef429932dc0b5

commit 0d5d2a1ede88d80e809fc65d211ef429932dc0b5
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Nov 16 12:07:36 2017

Revert "[wasm] Fix importing wasm-lazy-compile stubs"

This reverts commit 77b0baa6494d528a6b892160703edb087473efcd.

Reason for revert: Breaks on win64 bot: https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Win64_-_debug%2F20172%2F%2B%2Frecipes%2Fsteps%2FCheck%2F0%2Flogs%2Flazy-compilation%2F0

Original change's description:
> [wasm] Fix importing wasm-lazy-compile stubs
> 
> If two modules use lazy compilation, and one imports a function of
> another, we are unwrapping the js-to-wasm wrapper of the export. This
> was failing so far, because during unwrapping we did not find the wasm
> code.
> This CL fixes this by also recognizing WasmCompileLazy stubs as "wasm
> code".
> 
> R=ahaas@chromium.org
> 
> Bug: chromium:779569, v8:5991
> Change-Id: If2260c3721e3746a7635b9d0182fd520df2fb773
> Reviewed-on: https://chromium-review.googlesource.com/771672
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49405}

TBR=ahaas@chromium.org,clemensh@chromium.org

Change-Id: If5ab7b9de95ef662a65a6a5b919fa1f13aa492cd
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:779569, v8:5991
Reviewed-on: https://chromium-review.googlesource.com/774518
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49409}
[modify] https://crrev.com/0d5d2a1ede88d80e809fc65d211ef429932dc0b5/src/wasm/module-compiler.cc
[modify] https://crrev.com/0d5d2a1ede88d80e809fc65d211ef429932dc0b5/src/wasm/wasm-objects.cc
[delete] https://crrev.com/243eaf8b060693030e7cce6ab45eaba3f8365ebb/test/mjsunit/wasm/lazy-compilation.js

Status: Started (was: Fixed)
Reverted.

Project Member Comment 16 by bugdroid1@chromium.org, Nov 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6802775efcff6c0b48dd9c7df922f38eff676d16

commit 6802775efcff6c0b48dd9c7df922f38eff676d16
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Nov 16 18:50:07 2017

Reland "[wasm] Fix importing wasm-lazy-compile stubs"

This is a reland of 77b0baa6494d528a6b892160703edb087473efcd.

Original change's description:
> [wasm] Fix importing wasm-lazy-compile stubs
>
> If two modules use lazy compilation, and one imports a function of
> another, we are unwrapping the js-to-wasm wrapper of the export. This
> was failing so far, because during unwrapping we did not find the wasm
> code.
> This CL fixes this by also recognizing WasmCompileLazy stubs as "wasm
> code".
>
> R=ahaas@chromium.org
>
> Bug: chromium:779569, v8:5991
> Change-Id: If2260c3721e3746a7635b9d0182fd520df2fb773
> Reviewed-on: https://chromium-review.googlesource.com/771672
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49405}

Bug: chromium:779569, v8:5991
Change-Id: I4818e933467bd5a040f1514b8fc18db219a092c7
Reviewed-on: https://chromium-review.googlesource.com/774538
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49426}
[modify] https://crrev.com/6802775efcff6c0b48dd9c7df922f38eff676d16/src/wasm/module-compiler.cc
[modify] https://crrev.com/6802775efcff6c0b48dd9c7df922f38eff676d16/src/wasm/wasm-objects.cc
[add] https://crrev.com/6802775efcff6c0b48dd9c7df922f38eff676d16/test/mjsunit/wasm/lazy-compilation.js

Status: Fixed (was: Started)
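As an added example (not code from this tracker thread or from the V8 CL above), the import pattern the fix describes: module A exports a wasm function and module B receives that exported function object directly as its import, which is the path that goes through MakeWasmToWasmWrapper and WasmExportedFunction::GetWasmCode in the crash state at the top of the issue. Both modules are hand-assembled wasm bytes constructed here so the script runs offline in Node or d8; the module and function names ("a", "f", "g") and the return values are my assumptions.

```javascript
// Added example, not part of the V8 CL or the tracker thread.
// Module A exports f: () -> i32 returning 42.
// Module B imports a.f and exports g: () -> i32 returning f() + 1.
// Handing A's exported function object straight to B as an import is what
// makes the engine unwrap the js-to-wasm wrapper and build a wasm-to-wasm
// wrapper, the step that hit the DCHECK under --wasm-lazy-compilation.

const HEADER = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // magic + version 1

// One section: id, LEB128 size (every payload here is < 128 bytes), payload.
function section(id, payload) {
  return [id, payload.length, ...payload];
}

const TYPE_I32_FUNC = section(1, [0x01, 0x60, 0x00, 0x01, 0x7f]); // 1 type: () -> i32

const MODULE_A = new Uint8Array([
  ...HEADER,
  ...TYPE_I32_FUNC,
  ...section(3, [0x01, 0x00]),                          // 1 function, type 0
  ...section(7, [0x01, 0x01, 0x66, 0x00, 0x00]),        // export "f" = func 0
  ...section(10, [0x01, 0x04, 0x00, 0x41, 0x2a, 0x0b]), // body: i32.const 42; end
]);

const MODULE_B = new Uint8Array([
  ...HEADER,
  ...TYPE_I32_FUNC,
  ...section(2, [0x01, 0x01, 0x61, 0x01, 0x66, 0x00, 0x00]), // import "a"."f": func, type 0
  ...section(3, [0x01, 0x00]),                               // 1 own function (index 1), type 0
  ...section(7, [0x01, 0x01, 0x67, 0x00, 0x01]),             // export "g" = func 1
  ...section(10, [0x01, 0x07, 0x00, 0x10, 0x00, 0x41, 0x01, 0x6a, 0x0b]), // call 0; i32.const 1; i32.add; end
]);

// Instantiates A, then B with A's exported function wired in as the import.
function linkAndCall() {
  const a = new WebAssembly.Instance(new WebAssembly.Module(MODULE_A));
  const f = a.exports.f; // a WasmExportedFunction, not a plain JS function
  // On the affected revisions with --wasm-lazy-compilation, f's code was still
  // the WasmCompileLazy stub when this import was unwrapped, so the lookup failed.
  const b = new WebAssembly.Instance(new WebAssembly.Module(MODULE_B), { a: { f } });
  return { direct: f(), viaImport: b.exports.g() };
}

// Regression check: the direct call and the call through B's import must agree.
function check() {
  const r = linkAndCall();
  return r.direct === 42 && r.viaImport === 43;
}

console.log(check() ? "imported wasm export works" : "MISMATCH");
```

Run it with `d8 --wasm-lazy-compilation` on a fixed build and both values agree; the CL adds test/mjsunit/wasm/lazy-compilation.js for the same two-module scenario.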

Project Member Comment 18 by ClusterFuzz, Nov 17 2017

ClusterFuzz has detected this issue as fixed in range 49425:49426.

Detailed report: https://clusterfuzz.com/testcase?key=6695129766428672

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !it.done() in wasm-objects.cc
  v8::internal::WasmExportedFunction::GetWasmCode
  v8::internal::wasm::MakeWasmToWasmWrapper
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=44043:44044
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49425:49426

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6695129766428672

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 19 by ClusterFuzz, Nov 17 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6695129766428672 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Project Member Comment 20 by sheriffbot@chromium.org, Nov 17 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Project Member Comment 21 by sheriffbot@chromium.org, Feb 24 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
