
Issue 813590


Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: ----
Type: Bug-Security



Crash in v8::internal::Code::unwinding_info_size

Reported by ClusterFuzz (Project Member), Feb 19 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4739773588307968

Fuzzer: v8_builtins_generator
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x3097c9784588
Crash State:
  v8::internal::Code::unwinding_info_size
  v8::internal::Code::unwinding_info_end
  v8::internal::Code::body_size
  
Sanitizer: cfi (CFI)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=51355:51356

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4739773588307968

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Feb 19 2018

Labels: Test-Predator-Auto-Owner
Owner: gab@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/e9750cb80653827a0c685fe65b9572315fe1d4e4 (Preempt ConcurrentMarking tasks instead of merely pausing in PauseScope.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2 by gab@chromium.org, Feb 19 2018

Cc: mlippautz@chromium.org u...@chromium.org hpayer@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>GC
Labels: -Restrict-View-SecurityTeam -Security_Severity-Medium
Status: Started (was: Assigned)
Culprit: https://chromium.googlesource.com/v8/v8/+/e9750cb80653827a0c685fe65b9572315fe1d4e4 (Preempt ConcurrentMarking tasks instead of merely pausing in PauseScope.).

That CL was reverted already but was about to reland @ https://chromium-review.googlesource.com/c/v8/v8/+/925267.

The error is:

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==27867==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x3097c9784588 (pc 0x7f970dd098a0 bp 0x7fff2e681ec0 sp 0x7fff2e681eb0 T27867)
==27867==The signal is caused by a READ memory access.
#0 0x7f970dd0989f in v8::internal::Code::unwinding_info_size() const src/objects/code-inl.h:223:7
#1 0x7f970dd09839 in v8::internal::Code::unwinding_info_end() const src/objects/code-inl.h:240:35
#2 0x7f970dd0977a in v8::internal::Code::body_size() const src/objects/code-inl.h:246:30
#3 0x7f970dd09528 in v8::internal::Code::CodeSize() const src/objects/code-inl.h:285:45
#4 0x7f970e0769d7 in EvacuateObject src/heap/scavenger-inl.h:204:22
#5 0x7f970e0769d7 in v8::internal::Scavenger::ScavengeObject(v8::internal::HeapObject**, v8::internal::HeapObject*) src/heap/scavenger-inl.h:241
#6 0x7f970e07695a in v8::internal::RootScavengeVisitor::VisitRootPointers(v8::internal::Root, char const*, v8::internal::Object**, v8::internal::Object**) src/heap/scavenger.cc:171:42
#7 0x7f970dfff614 in v8::internal::JavaScriptFrame::Iterate(v8::internal::RootVisitor*) const src/frames.cc:2133:3
#8 0x7f970e0cf573 in v8::internal::Isolate::Iterate(v8::internal::RootVisitor*, v8::internal::ThreadLocalTop*) src/isolate.cc:241:17
#9 0x7f970e029a47 in v8::internal::Heap::IterateStrongRoots(v8::internal::RootVisitor*, v8::internal::VisitMode) src/heap/heap.cc:5044:13
#10 0x7f970e022c97 in v8::internal::Heap::IterateRoots(v8::internal::RootVisitor*, v8::internal::VisitMode) src/heap/heap.cc:4951:3
#11 0x7f970e0206a9 in v8::internal::Heap::Scavenge() src/heap/heap.cc:2069:7
#12 0x7f970e01db45 in v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) src/heap/heap.cc:1667:11
#13 0x7f970e01cc5a in v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) src/heap/heap.cc:1317:11
#14 0x7f970dfdba46 in v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationSpace) src/factory.cc:91:3
#15 0x7f970e24a2d4 in __RT_impl_Runtime_AllocateInNewSpace src/runtime/runtime-internal.cc:286:31
#16 0x7f970e24a2d4 in v8::internal::Runtime_AllocateInNewSpace(int, v8::internal::Object**, v8::internal::Isolate*) src/runtime/runtime-internal.cc:279
#17 0x2ee1e7a8431c  (<unknown module>)

Ideas?

Comment 3 by u...@chromium.org, Feb 19 2018

Very strange. Could it be uncovering a bug in Scavenger? (now that there are more parallel tasks)

Comment 4 by u...@chromium.org, Feb 19 2018

Scavenger should not evacuate a code object.

Comment 5 by gab@chromium.org, Feb 19 2018

Owner: mlippautz@chromium.org
Status: Assigned (was: Started)
Michael said he's looking.
Cc: -hpayer@chromium.org gab@chromium.org
Owner: hpayer@chromium.org
Assigning to memory sheriff (secondary).

Comment 7 by gab@chromium.org, Feb 19 2018

Should I reland https://chromium-review.googlesource.com/c/v8/v8/+/925267 regardless? Since it doesn't appear immediately related but might be enhancing?

Comment 8 by gab@chromium.org, Feb 19 2018

Potentially related, other fuzzing bugs with same CL: issue 813592, issue 813593, issue 813600.

Comment 9 by gab@chromium.org, Feb 19 2018

One more: issue 813605

Comment 10 by gab@chromium.org, Feb 19 2018

And two more: issue 813610, issue 813611

(don't know if all related but all from same CL)

Comment 12 by ClusterFuzz (Project Member), Feb 20 2018

ClusterFuzz has detected this issue as fixed in range 51362:51363.

Detailed report: https://clusterfuzz.com/testcase?key=4739773588307968

Fuzzer: v8_builtins_generator
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x3097c9784588
Crash State:
  v8::internal::Code::unwinding_info_size
  v8::internal::Code::unwinding_info_end
  v8::internal::Code::body_size
  
Sanitizer: cfi (CFI)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=51355:51356
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=51362:51363

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4739773588307968

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 13 by ClusterFuzz (Project Member), Feb 20 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4739773588307968 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 14 by sheriffbot@chromium.org (Project Member), Feb 20 2018

Labels: Restrict-View-SecurityNotify
...
[241784:0x55b72e1bccb0]     2155 ms: [IncrementalMarking] Step in v8 512KB (385KB) in 0.2
[241784:0x55b72e1bccb0]     2155 ms: Concurrently marked 128491KB
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2155 ms: [IncrementalMarking] Step in v8 0KB (385KB) in 0.0
[241784:0x55b72e1bccb0]     2155 ms: Concurrently marked 128491KB
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2155 ms: [IncrementalMarking] Step in v8 512KB (385KB) in 0.2
[241784:0x55b72e1bccb0]     2155 ms: Concurrently marked 128491KB
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2155 ms: [IncrementalMarking] Step in v8 0KB (386KB) in 0.0
[241784:0x55b72e1bccb0]     2155 ms: Concurrently marked 128491KB
[241784:0x55b72e1bccb0]     2155 ms: [IncrementalMarking] Complete (normal).
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2155 ms: [IncrementalMarking] Step in v8 256KB (386KB) in 0.1
[241784:0x55b72e1bccb0]     2155 ms: Concurrently marked 128491KB
[241784:0x55b72e1bccb0]     2156 ms: [IncrementalMarking] Stopping: old generation 173MB, limit 133MB, overshoot 40MB
[241784:0x55b72e1bccb0]     2156 ms: [IncrementalMarking] Black allocation finished
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2174 ms: Mark-sweep 182.1 (380.3) -> 178.6 (375.8) MB, 19.1 / 0.0 ms  (+ 64.6 ms in 145 steps since start of marking, biggest step 34.4 ms, walltime since start of marking 235 ms) finalize incremental marking via stack guard GC in old space requested
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2197 ms: Scavenge 187.0 (375.8) -> 183.4 (383.3) MB, 21.6 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2218 ms: Scavenge 190.7 (383.3) -> 186.6 (391.8) MB, 20.5 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2237 ms: Scavenge 195.0 (391.8) -> 191.4 (399.3) MB, 18.5 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2256 ms: Scavenge 198.7 (399.3) -> 194.6 (407.8) MB, 17.8 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2273 ms: Scavenge 203.0 (407.8) -> 199.4 (415.3) MB, 16.7 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2290 ms: Scavenge 206.7 (415.3) -> 202.6 (423.8) MB, 16.6 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2306 ms: Scavenge 211.0 (423.8) -> 207.4 (431.3) MB, 15.7 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2322 ms: Scavenge 214.7 (431.3) -> 210.6 (440.3) MB, 15.6 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2338 ms: Scavenge 219.0 (440.3) -> 215.4 (447.8) MB, 15.2 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2354 ms: Scavenge 222.7 (447.8) -> 218.6 (456.3) MB, 15.0 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2369 ms: Scavenge 227.0 (456.3) -> 223.4 (463.8) MB, 14.5 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2383 ms: Scavenge 230.7 (463.8) -> 226.6 (472.3) MB, 14.2 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2398 ms: Scavenge 235.0 (472.3) -> 231.4 (479.8) MB, 13.6 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2412 ms: Scavenge 238.7 (479.8) -> 234.6 (488.3) MB, 13.8 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2426 ms: Scavenge 243.0 (488.3) -> 239.4 (495.8) MB, 13.6 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2440 ms: Scavenge 246.8 (495.8) -> 242.6 (504.3) MB, 13.6 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2454 ms: Scavenge 251.0 (504.3) -> 247.4 (511.8) MB, 13.1 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2468 ms: Scavenge 254.8 (511.8) -> 250.6 (520.3) MB, 13.7 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2481 ms: Scavenge 259.0 (520.3) -> 255.4 (527.8) MB, 12.7 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2494 ms: Scavenge 262.8 (527.8) -> 258.6 (536.3) MB, 12.8 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2507 ms: Scavenge 267.0 (536.3) -> 263.4 (543.8) MB, 12.5 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2520 ms: Scavenge 270.8 (543.8) -> 266.6 (552.3) MB, 12.5 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2533 ms: Scavenge 275.0 (552.3) -> 271.4 (559.8) MB, 12.6 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2546 ms: Scavenge 278.8 (559.8) -> 274.6 (568.3) MB, 12.5 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2559 ms: Scavenge 283.0 (568.3) -> 279.4 (575.8) MB, 12.3 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2572 ms: Scavenge 286.8 (575.8) -> 282.7 (584.3) MB, 12.8 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2586 ms: Scavenge 291.0 (584.3) -> 287.4 (591.8) MB, 12.7 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2599 ms: Scavenge 294.8 (591.8) -> 290.7 (600.3) MB, 13.0 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2613 ms: Scavenge 299.0 (600.3) -> 295.4 (607.8) MB, 13.0 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2626 ms: Scavenge 302.8 (607.8) -> 298.7 (616.3) MB, 12.9 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2639 ms: Scavenge 307.0 (616.3) -> 303.4 (623.8) MB, 13.0 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2653 ms: Scavenge 310.8 (623.8) -> 306.7 (632.3) MB, 12.9 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2666 ms: Scavenge 315.0 (632.3) -> 311.4 (639.8) MB, 13.2 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2680 ms: Scavenge 318.8 (639.8) -> 314.7 (648.3) MB, 13.4 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2694 ms: Scavenge 323.0 (648.3) -> 319.4 (656.3) MB, 12.6 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2707 ms: Scavenge 326.8 (656.3) -> 322.7 (664.8) MB, 13.1 / 0.0 ms  allocation failure 
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2720 ms: Scavenge 331.0 (664.8) -> 327.4 (672.3) MB, 12.4 / 0.0 ms  allocation failure 
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2780 ms: Scheduling concurrent marking task 1
[241784:0x55b72e1bccb0]     2780 ms: Scheduling concurrent marking task 2
[241784:0x55b72e1bccb0]     2780 ms: Starting concurrent marking task 1
[241784:0x55b72e1bccb0]     2780 ms: Starting concurrent marking task 2
[241784:0x55b72e1bccb0]     2780 ms: Scheduling concurrent marking task 3
[241784:0x55b72e1bccb0]     2780 ms: Scheduling concurrent marking task 4
[241784:0x55b72e1bccb0]     2780 ms: Starting concurrent marking task 3
[New Thread 0x7f1588726700 (LWP 241785)]
[New Thread 0x7f1584f1f700 (LWP 241792)]
[New Thread 0x7f1585f21700 (LWP 241790)]
[New Thread 0x7f1586722700 (LWP 241789)]
[New Thread 0x7f1587724700 (LWP 241787)]
[New Thread 0x7f1587f25700 (LWP 241786)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f1588726700 (LWP 241785)]
0x000055b72d8dae73 in v8::internal::ConcurrentMarking::Run(int, v8::internal::ConcurrentMarking::TaskState*) ()
(gdb)
Concurrent marking tasks get suddenly scheduled but marking completed before. This is strange.
This would suggest that https://cs.chromium.org/chromium/src/v8/src/heap/concurrent-marking.cc?type=cs&q=rescheduletasksifneeded&sq=package:chromium&l=554 is not empty?

Comment 17 by u...@chromium.org, Feb 21 2018

This is really strange.

Maybe one path in write barrier is pushing to the worklist even though the marking is not in progress?

Comment 18 by u...@chromium.org, Feb 21 2018

Re #16: I think these concurrent marking tasks are scheduled as part of parallel marking in Mark-Compact pause:

  * frame #0: 0x0000000100cd09ee libv8.dylib`v8::internal::ConcurrentMarking::ScheduleTasks(this=0x0000000103d0f710) at concurrent-marking.cc:503
    frame #1: 0x0000000100cd1103 libv8.dylib`v8::internal::ConcurrentMarking::RescheduleTasksIfNeeded(this=0x0000000103d0f710) at concurrent-marking.cc:543
    frame #2: 0x0000000100d7887a libv8.dylib`v8::internal::MarkCompactCollector::MarkLiveObjects(this=0x000000010406fa00) at mark-compact.cc:2359
    frame #3: 0x0000000100d77c18 libv8.dylib`v8::internal::MarkCompactCollector::CollectGarbage(this=0x000000010406fa00) at mark-compact.cc:547
    frame #4: 0x0000000100cf833e libv8.dylib`v8::internal::Heap::MarkCompact(this=0x000000010402ec20) at heap.cc:1775
    frame #5: 0x0000000100cf4c60 libv8.dylib`v8::internal::Heap::PerformGarbageCollection(this=0x000000010402ec20, collector=MARK_COMPACTOR, gc_callback_flags=kNoGCCallbackFlags) at heap.cc:1639
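
The two hypotheses in comments 17 and 18 both reduce to one invariant: concurrent marking tasks may only be scheduled while marking is in progress, so nothing (a write barrier included) may leave entries on the marking worklist after marking has completed. The following is an added example, not code from V8 or from anyone in this thread; `MarkingWorklist`, `ConcurrentMarking`, `WriteBarrier` and the `hardened` switch are hypothetical stand-ins that only mirror the shape of the calls named in the pasted log. It replays the sequence the log shows (marking completes, the mutator keeps storing pointers, a later pause calls `RescheduleTasksIfNeeded`) and contrasts a variant that schedules purely on "worklist not empty" with one that also checks the marking state.

```cpp
// Added example (not V8 code): toy model of the scheduling invariant discussed
// in this thread. All class and function names are hypothetical stand-ins.
#include <atomic>
#include <mutex>
#include <vector>

struct HeapObject {
  int id;
};

// Stand-in for the shared marking worklist that concurrent marking tasks drain.
class MarkingWorklist {
 public:
  void Push(HeapObject* obj) {
    std::lock_guard<std::mutex> guard(mutex_);
    items_.push_back(obj);
  }
  bool IsEmpty() {
    std::lock_guard<std::mutex> guard(mutex_);
    return items_.empty();
  }
  void Clear() {
    std::lock_guard<std::mutex> guard(mutex_);
    items_.clear();
  }

 private:
  std::mutex mutex_;
  std::vector<HeapObject*> items_;
};

// Stand-in for ConcurrentMarking. With hardened == false, RescheduleTasksIfNeeded
// looks only at the worklist (the behaviour the log above suggests); with
// hardened == true it refuses to schedule anything while marking is off.
class ConcurrentMarking {
 public:
  ConcurrentMarking(MarkingWorklist* worklist, bool hardened)
      : worklist_(worklist), hardened_(hardened) {}

  void StartMarking() { marking_.store(true); }
  void CompleteMarking() {
    marking_.store(false);
    worklist_->Clear();  // marking is done: nothing may remain queued
  }
  bool IsMarking() const { return marking_.load(); }

  // Returns the number of concurrent marking tasks scheduled by this call.
  int RescheduleTasksIfNeeded() {
    if (hardened_ && !IsMarking()) return 0;  // invariant: no marking, no tasks
    if (worklist_->IsEmpty()) return 0;
    ++tasks_scheduled_;
    return 1;
  }

  int tasks_scheduled() const { return tasks_scheduled_; }

 private:
  MarkingWorklist* worklist_;
  bool hardened_;
  std::atomic<bool> marking_{false};
  int tasks_scheduled_ = 0;
};

// Write barrier stand-in: on a pointer store, hand the target to the marker.
// Unchecked: pushes regardless of marking state (comment 17's hypothesis).
// Hardened: pushes only while marking is in progress.
void WriteBarrier(ConcurrentMarking* cm, MarkingWorklist* worklist,
                  HeapObject* target, bool hardened) {
  if (hardened && !cm->IsMarking()) return;
  worklist->Push(target);
}

// Replays the shape of the pasted log: marking completes, the mutator keeps
// storing pointers, and a later pause calls RescheduleTasksIfNeeded.
// Returns how many concurrent marking tasks got scheduled after completion.
int TasksScheduledAfterCompletion(bool hardened) {
  MarkingWorklist worklist;
  ConcurrentMarking cm(&worklist, hardened);
  HeapObject during{1}, after{2};  // constructed sample objects

  cm.StartMarking();
  WriteBarrier(&cm, &worklist, &during, hardened);  // legitimate: marking on
  cm.CompleteMarking();                              // "[IncrementalMarking] Complete"
  WriteBarrier(&cm, &worklist, &after, hardened);   // store with marking off
  return cm.RescheduleTasksIfNeeded();               // stale entry -> task?
}

// Control: while marking is in progress, both variants must still schedule.
int TasksScheduledDuringMarking(bool hardened) {
  MarkingWorklist worklist;
  ConcurrentMarking cm(&worklist, hardened);
  HeapObject obj{3};  // constructed sample object
  cm.StartMarking();
  WriteBarrier(&cm, &worklist, &obj, hardened);
  return cm.RescheduleTasksIfNeeded();
}
```

In the unhardened variant `TasksScheduledAfterCompletion` returns 1: the post-completion store leaves a stale entry on the worklist and the next pause schedules a task, which is exactly the "tasks scheduled after marking completed" pattern the log shows. In the hardened variant it returns 0 while `TasksScheduledDuringMarking` still returns 1, so the check costs nothing on the legitimate path. A cheap runtime assertion that `tasks_scheduled()` stays at zero whenever `IsMarking()` is false would have flagged this class of bug long before the scavenger reached a code object.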

Labels: Security_Severity-Medium Security_Impact-None
Setting some labels for posterity. Thanks.

Comment 20 by sheriffbot@chromium.org (Project Member), May 29 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
