Sanitizer CHECK failure in "((owner_)) == ((GetThreadSelf()))" (ADDRESS, ADDRESS)
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6572031968804864
Fuzzer: lcamtuf_cross_fuzz
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Sanitizer CHECK failure
Crash Address:
Crash State: "((owner_)) == ((GetThreadSelf()))" (ADDRESS, ADDRESS)
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6572031968804864
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Dec 29 2017
It seems to be a crash in fuzzer-specific code.
Dec 29 2017
Jan 23 2018
My guess would be that this is failing somewhere like BlockingMutex::Unlock() and likely because somehow a thread is created in the process without going through the ASAN runtime's patch.
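To make the failing CHECK concrete, here is an added model (not compiler-rt's code) of an owner-tracking mutex whose Unlock compares the recorded owner_ with the calling thread, as BlockingMutex::Unlock does, and returns the (owner_, GetThreadSelf()) pair that the crash line prints instead of aborting. It reproduces the two ways that pair can mismatch: Unlock run on a thread other than the owner, and Unlock on a mutex that is not held. The names, the 0 "not held" sentinel and the pthread-based model are assumptions; the real runtime aborts on the CHECK rather than returning a result.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#define MUTEX_UNLOCKED 0  /* assumed sentinel for "not held" */
typedef struct { pthread_mutex_t lock; uintptr_t owner_; } owned_mutex_t;
typedef struct { uintptr_t owner_, self; int ok; } check_result_t;
static uintptr_t thread_self(void) { return (uintptr_t)pthread_self(); }

static void owned_mutex_lock(owned_mutex_t *m) {
    pthread_mutex_lock(&m->lock);
    m->owner_ = thread_self();                     /* record the owner */
}
/* Models CHECK_EQ(owner_, GetThreadSelf()): on mismatch, return the
   (owner_, self) pair the sanitizer prints instead of aborting. */
static check_result_t owned_mutex_unlock(owned_mutex_t *m) {
    check_result_t r = { m->owner_, thread_self(), 1 };
    if (r.owner_ != r.self) { r.ok = 0; return r; } /* CHECK fails here */
    m->owner_ = MUTEX_UNLOCKED;
    pthread_mutex_unlock(&m->lock);
    return r;
}
typedef struct { owned_mutex_t *m; check_result_t r; } job_t;
static void *unlock_on_other_thread(void *arg) {
    job_t *j = arg;
    j->r = owned_mutex_unlock(j->m);
    return NULL;
}
/* Case 1: held by this thread, Unlock attempted from another thread. */
int foreign_thread_unlock_detected(void) {
    owned_mutex_t m = { PTHREAD_MUTEX_INITIALIZER, MUTEX_UNLOCKED };
    owned_mutex_lock(&m);
    job_t j = { &m, { 0, 0, 1 } };
    pthread_t t; pthread_create(&t, NULL, unlock_on_other_thread, &j);
    pthread_join(t, NULL);
    int hit = !j.r.ok && j.r.owner_ == thread_self() && j.r.self != thread_self();
    owned_mutex_unlock(&m);                        /* real owner releases it */
    return hit;
}
/* Case 2: Unlock on a mutex nobody holds; owner_ is still the sentinel. */
int unheld_unlock_detected(void) {
    owned_mutex_t m = { PTHREAD_MUTEX_INITIALIZER, MUTEX_UNLOCKED };
    owned_mutex_lock(&m); owned_mutex_unlock(&m);
    check_result_t r = owned_mutex_unlock(&m);
    return !r.ok && r.owner_ == MUTEX_UNLOCKED;
}
int main(void) {
    printf("foreign-thread unlock detected: %d\n", foreign_thread_unlock_detected());
    printf("unheld unlock detected: %d\n", unheld_unlock_detected());
    return 0;
}
```

Both functions return 1 when the modelled check fires; in the real runtime either case would surface as the CHECK failure in the report, which is why a thread unknown to the runtime is a plausible cause.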
Feb 9 2018
Jul 18
I can reproduce this relatively reliably using only V8 on my windows laptop with the following build configuration:
is_asan = true
is_clang = true
is_component_build = false
is_debug = false
target_cpu = "x64"
use_goma = true
symbol_level = 2
and then running
FOR /L %%x IN (1,1,10) DO out.gn\msan\cctest.exe test-lockers/ExtensionsRegistration --random-seed=-561856424 --invoke-weak-callbacks --omit-quit --stress-opt --always-opt --nohard-abort
which 1 out of 10 times produces a backtrace like:
C:\src\v8>out.gn\msan\cctest.exe test-lockers/ExtensionsRegistration --random-seed=-561856424 --invoke-weak-callbacks --omit-quit --stress-opt --always-opt --nohard-abort
==17776==AddressSanitizer CHECK failed: C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_win.cc:802 "((owner_)) == ((GetThreadSelf()))" (0xffffffffffffffff, 0x1f74)
#0 0x7ff617d08e50 in __asan::AsanCheckFailed C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_rtl.cc:74
#1 0x7ff617cf7acb in __sanitizer::CheckFailed C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_termination.cc:79
#2 0x7ff617cf9421 in __sanitizer::BlockingMutex::Unlock C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_win.cc:802
#3 0x7ff617d23b32 in __sanitizer::SizeClassAllocator64<__asan::AP64>::GetFromAllocator C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_allocator_primary64.h:154
#4 0x7ff617d23897 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >::Refill C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_allocator_local_cache.h:110
#5 0x7ff617d23415 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >::Allocate C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_allocator_local_cache.h:46
#6 0x7ff617d1f980 in __asan::Allocator::Allocate C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_allocator.cc:453
#7 0x7ff617d1f60c in __asan::asan_malloc C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_allocator.cc:876
#8 0x7ff617d0dc9c in malloc C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:61
#9 0x7ff61807691a in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:35
#10 0x7ff61652e74e in v8::internal::compiler::Pipeline::NewCompilationJob C:\src\v8\src\compiler\pipeline.cc:2249
#11 0x7ff616048696 in v8::internal::`anonymous namespace'::GetOptimizedCode C:\src\v8\src\compiler.cc:712
#12 0x7ff61604bb70 in v8::internal::Compiler::CompileOptimized C:\src\v8\src\compiler.cc:1175
#13 0x7ff617326ee9 in v8::internal::Runtime_CompileOptimized_NotConcurrent C:\src\v8\src\runtime\runtime-compiler.cc:79
#14 0x7ff617c36491 in v8::internal::Snapshot::DefaultSnapshotBlob+0x938d1 (C:\src\v8\out.gn\msan\cctest.exe+0x143476491)
OR
C:\src\v8>out.gn\msan\d8.exe --test test\mjsunit\mjsunit.js test\mjsunit\regress/regress-crbug-487105.js --random-seed=-561856424 --invoke-weak-callbacks --omit-quit --stress-background-compile --nohard-abort
==13712==AddressSanitizer CHECK failed: C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_win.cc:802 "((owner_)) == ((GetThreadSelf()))" (0xffffffffffffffff, 0x6e7c)
==13712==*** WARNING: Failed to initialize DbgHelp! ***
==13712==*** Most likely this means that the app is already ***
==13712==*** using DbgHelp, possibly with incompatible flags. ***
==13712==*** Due to technical reasons, symbolization might crash ***
==13712==*** or produce wrong results. ***
#0 0x7ff6ee4fa8d0 in __asan::AsanCheckFailed C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_rtl.cc:74
#1 0x7ff6ee4e954b in __sanitizer::CheckFailed C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_termination.cc:79
#2 0x7ff6ee4eaea1 in __sanitizer::BlockingMutex::Unlock C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_win.cc:802
#3 0x7ff6ee5155b2 in __sanitizer::SizeClassAllocator64<__asan::AP64>::GetFromAllocator C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_allocator_primary64.h:154
#4 0x7ff6ee515317 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >::Refill C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_allocator_local_cache.h:110
#5 0x7ff6ee514e95 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >::Allocate C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_allocator_local_cache.h:46
#6 0x7ff6ee511400 in __asan::Allocator::Allocate C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_allocator.cc:453
#7 0x7ff6ee51108c in __asan::asan_malloc C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_allocator.cc:876
#8 0x7ff6ee4ff71c in malloc C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:61
#9 0x7ff6ec5b8d95 in v8::internal::AllocWithRetry C:\src\v8\src\allocation.cc:101
#10 0x7ff6ee10390d in v8::internal::AccountingAllocator::GetSegment C:\src\v8\src\zone\accounting-allocator.cc:77
#11 0x7ff6ee104278 in v8::internal::Zone::NewExpand C:\src\v8\src\zone\zone.cc:151
#12 0x7ff6ee1040b6 in v8::internal::Zone::New C:\src\v8\src\zone\zone.cc:64
#13 0x7ff6ec70ffa7 in v8::internal::DeclarationScope::AnalyzePartially C:\src\v8\src\ast\scopes.cc:1565
#14 0x7ff6ed8e00cc in v8::internal::Parser::ParseFunctionLiteral C:\src\v8\src\parsing\parser.cc:2640
#15 0x7ff6ed9577c3 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberExpression C:\src\v8\src\parsing\parser-base.h:3579
#16 0x7ff6ed952599 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberWithNewPrefixesExpression C:\src\v8\src\parsing\parser-base.h:3528
#17 0x7ff6ed94c93b in v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression C:\src\v8\src\parsing\parser-base.h:3339
#18 0x7ff6ed988b16 in v8::internal::ParserBase<v8::internal::Parser>::ParsePostfixExpression C:\src\v8\src\parsing\parser-base.h:3309
#19 0x7ff6ed98649c in v8::internal::ParserBase<v8::internal::Parser>::ParseUnaryExpression C:\src\v8\src\parsing\parser-base.h:3298
#20 0x7ff6ed984f1d in v8::internal::ParserBase<v8::internal::Parser>::ParseBinaryExpression C:\src\v8\src\parsing\parser-base.h:3156
#21 0x7ff6ed982ce4 in v8::internal::ParserBase<v8::internal::Parser>::ParseConditionalExpression C:\src\v8\src\parsing\parser-base.h:3117
#22 0x7ff6ed8f7f19 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression C:\src\v8\src\parsing\parser-base.h:2896
#23 0x7ff6ed8f9406 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression C:\src\v8\src\parsing\parser-base.h:3003
#24 0x7ff6ed936bc9 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionCoverGrammar C:\src\v8\src\parsing\parser-base.h:2036
#25 0x7ff6ed972144 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionOrLabelledStatement C:\src\v8\src\parsing\parser-base.h:5219
#26 0x7ff6ed95dc3a in v8::internal::ParserBase<v8::internal::Parser>::ParseStatement C:\src\v8\src\parsing\parser-base.h:5081
#27 0x7ff6ed929fff in v8::internal::ParserBase<v8::internal::Parser>::ParseStatementList C:\src\v8\src\parsing\parser-base.h:4876
#28 0x7ff6ed91b05c in v8::internal::ParserBase<v8::internal::Parser>::ParseFunctionBody C:\src\v8\src\parsing\parser-base.h:4216
#29 0x7ff6ed912fa0 in v8::internal::Parser::ParseFunction C:\src\v8\src\parsing\parser.cc:3126
#30 0x7ff6ed8e0073 in v8::internal::Parser::ParseFunctionLiteral C:\src\v8\src\parsing\parser.cc:2642
#31 0x7ff6ed9577c3 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberExpression C:\src\v8\src\parsing\parser-base.h:3579
#32 0x7ff6ed952599 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberWithNewPrefixesExpression C:\src\v8\src\parsing\parser-base.h:3528
#33 0x7ff6ed94c93b in v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression C:\src\v8\src\parsing\parser-base.h:3339
#34 0x7ff6ed988b16 in v8::internal::ParserBase<v8::internal::Parser>::ParsePostfixExpression C:\src\v8\src\parsing\parser-base.h:3309
#35 0x7ff6ed98649c in v8::internal::ParserBase<v8::internal::Parser>::ParseUnaryExpression C:\src\v8\src\parsing\parser-base.h:3298
#36 0x7ff6ed984f1d in v8::internal::ParserBase<v8::internal::Parser>::ParseBinaryExpression C:\src\v8\src\parsing\parser-base.h:3156
#37 0x7ff6ed982ce4 in v8::internal::ParserBase<v8::internal::Parser>::ParseConditionalExpression C:\src\v8\src\parsing\parser-base.h:3117
#38 0x7ff6ed8f7f19 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression C:\src\v8\src\parsing\parser-base.h:2896
#39 0x7ff6ed936bc9 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionCoverGrammar C:\src\v8\src\parsing\parser-base.h:2036
#40 0x7ff6ed92cd6f in v8::internal::ParserBase<v8::internal::Parser>::ParsePrimaryExpression C:\src\v8\src\parsing\parser-base.h:1943
#41 0x7ff6ed9570a9 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberExpression C:\src\v8\src\parsing\parser-base.h:3591
#42 0x7ff6ed952599 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberWithNewPrefixesExpression C:\src\v8\src\parsing\parser-base.h:3528
#43 0x7ff6ed94c93b in v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression C:\src\v8\src\parsing\parser-base.h:3339
#44 0x7ff6ed988b16 in v8::internal::ParserBase<v8::internal::Parser>::ParsePostfixExpression C:\src\v8\src\parsing\parser-base.h:3309
#45 0x7ff6ed98649c in v8::internal::ParserBase<v8::internal::Parser>::ParseUnaryExpression C:\src\v8\src\parsing\parser-base.h:3298
#46 0x7ff6ed984f1d in v8::internal::ParserBase<v8::internal::Parser>::ParseBinaryExpression C:\src\v8\src\parsing\parser-base.h:3156
#47 0x7ff6ed982ce4 in v8::internal::ParserBase<v8::internal::Parser>::ParseConditionalExpression C:\src\v8\src\parsing\parser-base.h:3117
#48 0x7ff6ed8f7f19 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression C:\src\v8\src\parsing\parser-base.h:2896
#49 0x7ff6ed936bc9 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionCoverGrammar C:\src\v8\src\parsing\parser-base.h:2036
#50 0x7ff6ed972144 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionOrLabelledStatement C:\src\v8\src\parsing\parser-base.h:5219
#51 0x7ff6ed95dc3a in v8::internal::ParserBase<v8::internal::Parser>::ParseStatement C:\src\v8\src\parsing\parser-base.h:5081
#52 0x7ff6ed929fff in v8::internal::ParserBase<v8::internal::Parser>::ParseStatementList C:\src\v8\src\parsing\parser-base.h:4876
#53 0x7ff6ed8db3ba in v8::internal::Parser::DoParseProgram C:\src\v8\src\parsing\parser.cc:595
#54 0x7ff6ed8da066 in v8::internal::Parser::ParseProgram C:\src\v8\src\parsing\parser.cc:511
#55 0x7ff6ed990b3e in v8::internal::parsing::ParseProgram C:\src\v8\src\parsing\parsing.cc:39
#56 0x7ff6ec91a426 in v8::internal::`anonymous namespace'::CompileToplevel C:\src\v8\src\compiler.cc:894
#57 0x7ff6ec91e9b5 in v8::internal::Compiler::GetSharedFunctionInfoForScript C:\src\v8\src\compiler.cc:1676
#58 0x7ff6ec5da1a7 in v8::ScriptCompiler::CompileUnboundInternal C:\src\v8\src\api.cc:2519
#59 0x7ff6ec5dc167 in v8::ScriptCompiler::Compile C:\src\v8\src\api.cc:2550
#60 0x7ff6ec53f89c in v8::Shell::ExecuteString C:\src\v8\src\d8.cc:550
#61 0x7ff6ec566230 in v8::SourceGroup::Execute C:\src\v8\src\d8.cc:2489
#62 0x7ff6ec56ce89 in v8::Shell::RunMain C:\src\v8\src\d8.cc:2961
#63 0x7ff6ec572061 in v8::Shell::Main C:\src\v8\src\d8.cc:3480
#64 0x7ff6ee86eb0f in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
#65 0x7ff9b5011fe3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180011fe3)
#66 0x7ff9b77bcb30 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006cb30)
I am currently trying to understand whether this is caused by a thread that bypasses asan instrumentation. I also get the following behavior:
C:\src\v8>out.gn\msan\cctest.exe test-lockers/ExtensionsRegistration --random-seed=-561856424 --invoke-weak-callbacks --omit-quit --stress-opt --always-opt --nohard-abort
==15380==AddressSanitizer CHECK failed: C:\b\rr\tmp1qy3j0\w\src\third_party\llvm\projects\compiler-rt\lib\asan\..\sanitizer_common/sanitizer_allocator_primary64.h:756 "((region->allocated_user)) <= ((region->mapped_user))" (0x40000, 0x20000)
Jul 18
Aug 28
ClusterFuzz testcase 6572031968804864 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by kkaluri@chromium.org, Dec 29 2017
Components: Blink
Labels: CF-NeedsTriage