
Issue 793551


Issue metadata

Status: Verified
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




DCHECK failure in !move_dst_regs.has(dst) in liftoff-assembler.cc

Reported by ClusterFuzz, Dec 9 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6262536491237376

Fuzzer: libFuzzer_v8_wasm_call_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !move_dst_regs.has(dst) in liftoff-assembler.cc
  MoveRegister
  LoadIntoRegister
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=521282:521293

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6262536491237376

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Components: Blink>JavaScript>WebAssembly
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
Looks like this was introduced in https://chromium.googlesource.com/v8/v8/+/bc293c246ac4cf99442a6f5d8b7c0e0ebc7c4fe7%5E%21/#F9

Comment 2 by sheriffbot@chromium.org, Dec 9 2017

Labels: M-64

Comment 3 by sheriffbot@chromium.org, Dec 9 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by sheriffbot@chromium.org, Dec 9 2017

Labels: Pri-1

Comment 5 by sheriffbot@chromium.org, Dec 10 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Labels: -Type-Bug-Security -Pri-1 -Restrict-View-SecurityTeam -Security_Severity-High -Security_Impact-Beta -ReleaseBlock-Stable Security_Impact-None Pri-2 Type-Bug
Liftoff is disabled by default, lowering priority.

Comment 7 by bugdroid1@chromium.org, Dec 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9678c5320dede7641f525e9849da619956433124

commit 9678c5320dede7641f525e9849da619956433124
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon Dec 11 13:47:02 2017

[Liftoff] Fix redundant register moves

Moving a register to itself is not only unnecessary overhead, it also
breaks invariants in the StackTransferRecipe.

R=ahaas@chromium.org

Bug: v8:6600, chromium:793551
Change-Id: I659fd66b4f2d4564c437ed9fb048322af4299d97
Reviewed-on: https://chromium-review.googlesource.com/819231
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49992}
[modify] https://crrev.com/9678c5320dede7641f525e9849da619956433124/src/wasm/baseline/liftoff-assembler.cc
[add] https://crrev.com/9678c5320dede7641f525e9849da619956433124/test/mjsunit/regress/wasm/regress-793551.js
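The commit message above says a move from a register to itself "breaks invariants in the StackTransferRecipe", and the crash state names the check that fired, `!move_dst_regs.has(dst)`. The following is an added illustration, not V8's code and not the patch in the commit: a simplified parallel-move recipe that records moves under the same destination-uniqueness check and then orders them so that no source still needed by another move is overwritten, breaking cycles through a scratch register. In a resolver of this shape a self-move is a cycle of length one: its destination is also its own pending source, so it can never be emitted directly and is instead "broken" with two extra moves that do no useful work. Dropping `dst == src` at recording time, as the fix does in spirit, makes the problem disappear. The names `MoveRecipe`, `RunRecipe`, `kScratch` and the `r1<-r2` notation are assumptions made for the example; the sample move sets are constructed.

```cpp
// Added example (not V8 code): a simplified parallel-move recipe in the
// spirit of Liftoff's StackTransferRecipe. Registers are plain ints and
// kScratch stands in for the scratch register a backend would use to
// break move cycles. Names here are invented for the illustration.
#include <algorithm>
#include <iostream>
#include <set>
#include <string>
#include <vector>

struct Move {
  int dst;
  int src;
};

constexpr int kScratch = -1;

static std::string Label(int reg) {
  return reg == kScratch ? std::string("S") : "r" + std::to_string(reg);
}

class MoveRecipe {
 public:
  // Records dst <- src. Returns false where V8 would trip
  // DCHECK(!move_dst_regs.has(dst)): a register may be the destination of
  // at most one recorded move, otherwise the moves cannot be ordered.
  bool MoveRegister(int dst, int src) {
    if (move_dst_regs_.count(dst)) return false;
    move_dst_regs_.insert(dst);
    moves_.push_back({dst, src});
    return true;
  }

  // The fix in spirit: a move from a register to itself is a no-op and is
  // never recorded, so it can never reach the resolver below.
  bool MoveRegisterSkippingSelf(int dst, int src) {
    if (dst == src) return true;
    return MoveRegister(dst, src);
  }

  // Emits the recorded moves without clobbering a source that is still
  // needed: a move runs only once its destination is no longer the source
  // of any pending move. If every pending destination is still needed, the
  // moves form a cycle, which is broken by parking one source in kScratch.
  // A self-move dst == src is a cycle of length one and costs two moves.
  std::vector<std::string> Execute() const {
    std::vector<std::string> out;
    std::vector<Move> pending = moves_;
    while (!pending.empty()) {
      auto ready = std::find_if(
          pending.begin(), pending.end(), [&](const Move& m) {
            return std::none_of(pending.begin(), pending.end(),
                                [&](const Move& o) { return o.src == m.dst; });
          });
      if (ready != pending.end()) {
        out.push_back(Label(ready->dst) + "<-" + Label(ready->src));
        pending.erase(ready);
        continue;
      }
      int victim = pending.front().src;
      out.push_back(Label(kScratch) + "<-" + Label(victim));
      for (Move& m : pending) {
        if (m.src == victim) m.src = kScratch;
      }
    }
    return out;
  }

 private:
  std::set<int> move_dst_regs_;
  std::vector<Move> moves_;
};

// Records all moves (skipping self-moves when skip_self is set) and returns
// the emitted sequence, or a single marker string if the destination
// invariant was violated while recording.
std::vector<std::string> RunRecipe(const std::vector<Move>& moves,
                                   bool skip_self) {
  MoveRecipe recipe;
  for (const Move& m : moves) {
    bool ok = skip_self ? recipe.MoveRegisterSkippingSelf(m.dst, m.src)
                        : recipe.MoveRegister(m.dst, m.src);
    if (!ok) return {"DCHECK(!move_dst_regs.has(dst)) failed"};
  }
  return recipe.Execute();
}

int main() {
  // Constructed inputs: a chain, a two-register cycle, and a recipe holding
  // the redundant self-move r1<-r1 next to a real move.
  const std::vector<std::vector<Move>> cases = {
      {{2, 3}, {1, 2}}, {{1, 2}, {2, 1}}, {{1, 1}, {2, 1}}};
  for (const auto& c : cases) {
    for (bool skip_self : {false, true}) {
      std::cout << (skip_self ? "skip self-moves: " : "record all:      ");
      for (const std::string& s : RunRecipe(c, skip_self)) std::cout << s << ' ';
      std::cout << '\n';
    }
  }
  return 0;
}
```

For the third input the unfixed recipe emits `r2<-r1 S<-r1 r1<-S`, two moves more than the one move the state transfer actually needs, while the variant that drops self-moves emits just `r2<-r1`. The destination check in `MoveRegister` is the counterpart of the DCHECK named in the crash state; a fuzzer exercising many stack-merge shapes is a good way to surface both kinds of invariant violation in a new baseline compiler.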

Status: Fixed (was: Assigned)

Comment 9 by ClusterFuzz, Dec 12 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6262536491237376 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
