Issue 807383 link

Starred by 1 user

Issue metadata

Status: Fixed
Closed: Feb 2018
OS: Linux
Pri: 2
Type: Bug


Timeout in v8_wasm_code_fuzzer

Project Member Reported by ClusterFuzz, Jan 30 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5724418344222720

Fuzzer: libFuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address: 
Crash State:
  v8_wasm_code_fuzzer
  
Sanitizer: memory (MSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5724418344222720

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
 
Components: Blink>JavaScript
Labels: -Pri-1 Test-Predator-Wrong CF-NeedsTriage Pri-2
Unable to find actual suspect through code search and observing no CL under regression range, hence adding appropriate label and leaving it as untriaged.

Thanks!

Comment 2 by ishell@chromium.org, Jan 31 2018

Cc: mstarzinger@chromium.org
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)
PTAL

Comment 3 by ahaas@chromium.org, Feb 2 2018

Status: WontFix (was: Assigned)
I cannot reproduce this issue. I don't think this is actionable.
Cc: ahaas@chromium.org
Owner: clemensh@chromium.org
Status: Started (was: WontFix)
Even though this takes less than two seconds also on my machine, I still looked into this test case, because it is rather slow. It turns out that it executes a number of grow_memory instructions.

We should mitigate this by accounting for the large execution time of grow_memory by treating this as (for example) 1000 regular instructions being executed (as already discussed). This will cause the interpreter to execute fewer instructions if a maximum of instructions was set.
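The budgeting idea from the comment above, as a toy C++ interpreter added here for illustration (it is not V8's code and makes no claim about how wasm-interpreter.cc implements it): a per-run instruction budget in which grow_memory is charged 1000 units, compared with charging it a single unit. Op, Run, Repeat, kGrowMemoryCost and kMaxPages are all constructed for this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Toy bytecode interpreter written for this example (not V8's wasm
// interpreter) to show the mitigation described above: when a maximum
// instruction count is set, grow_memory is charged like grow_cost regular
// instructions, so a test case that is mostly grow_memory stops much sooner.
enum class Op : uint8_t { kNop, kGrowMemory, kEnd };
constexpr int64_t kGrowMemoryCost = 1000;  // assumed weight of grow_memory
constexpr int64_t kMaxPages = 65536;       // constructed memory limit

struct RunResult {
  int64_t executed = 0;   // instructions actually executed
  int64_t pages = 0;      // memory size in pages after the run
  bool finished = false;  // reached kEnd before the budget ran out
};

// Builds a constructed program of n copies of `op` followed by kEnd.
std::vector<Op> Repeat(Op op, size_t n) {
  std::vector<Op> code(n, op);
  code.push_back(Op::kEnd);
  return code;
}

// Executes `code` until kEnd or until `max_instructions` budget units are
// spent. A negative max means "no limit". `grow_cost` is how many budget
// units one grow_memory consumes (1 = the unmitigated behaviour).
RunResult Run(const std::vector<Op>& code, int64_t max_instructions,
              int64_t grow_cost = kGrowMemoryCost) {
  RunResult r;
  int64_t budget = max_instructions;
  for (Op op : code) {
    if (max_instructions >= 0 && budget <= 0) return r;  // budget exhausted
    if (op == Op::kEnd) {
      r.finished = true;
      return r;
    }
    if (op == Op::kGrowMemory) {
      // A real grow_memory may allocate and copy the whole linear memory,
      // which is why it is charged far more than one instruction.
      r.pages = std::min<int64_t>(r.pages + 1, kMaxPages);
    }
    ++r.executed;
    int64_t cost = (op == Op::kGrowMemory) ? grow_cost : 1;
    if (max_instructions >= 0) budget = std::max<int64_t>(0, budget - cost);
  }
  return r;
}
```

With a budget of 10000, a program of 5000 grow_memory instructions runs to completion when each is charged 1 unit but stops after 10 of them when each is charged 1000.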
Project Member Comment 5 by bugdroid1@chromium.org, Feb 7 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/df95bdb789e7898b1d7b375f5a7fa0f26346d459

commit df95bdb789e7898b1d7b375f5a7fa0f26346d459
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Wed Feb 07 15:58:17 2018

[wasm] [interpreter] Budget grow_memory like 1000 instructions

If the interpreter has an upper limit of instructions to execute, treat
grow_memory like 1000 other instructions in order to account for the
huge execution time of grow_memory.

R=ahaas@chromium.org

Bug: chromium:807383
Change-Id: Id513a41257734a3041bef45bbc00c461fdec6787
Reviewed-on: https://chromium-review.googlesource.com/905605
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51149}
[modify] https://crrev.com/df95bdb789e7898b1d7b375f5a7fa0f26346d459/src/wasm/wasm-interpreter.cc

Status: Fixed (was: Started)