Crash in v8::internal::Code::unwinding_info_size
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4739773588307968
Fuzzer: v8_builtins_generator
Job Type: linux_cfi_d8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x3097c9784588
Crash State:
  v8::internal::Code::unwinding_info_size
  v8::internal::Code::unwinding_info_end
  v8::internal::Code::body_size
Sanitizer: cfi (CFI)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=51355:51356
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4739773588307968

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.

Feb 19 2018
Culprit: https://chromium.googlesource.com/v8/v8/+/e9750cb80653827a0c685fe65b9572315fe1d4e4 (Preempt ConcurrentMarking tasks instead of merely pausing in PauseScope.). That CL was reverted already but was about to reland @ https://chromium-review.googlesource.com/c/v8/v8/+/925267.

The error is:

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==27867==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x3097c9784588 (pc 0x7f970dd098a0 bp 0x7fff2e681ec0 sp 0x7fff2e681eb0 T27867)
==27867==The signal is caused by a READ memory access.
    #0 0x7f970dd0989f in v8::internal::Code::unwinding_info_size() const src/objects/code-inl.h:223:7
    #1 0x7f970dd09839 in v8::internal::Code::unwinding_info_end() const src/objects/code-inl.h:240:35
    #2 0x7f970dd0977a in v8::internal::Code::body_size() const src/objects/code-inl.h:246:30
    #3 0x7f970dd09528 in v8::internal::Code::CodeSize() const src/objects/code-inl.h:285:45
    #4 0x7f970e0769d7 in EvacuateObject src/heap/scavenger-inl.h:204:22
    #5 0x7f970e0769d7 in v8::internal::Scavenger::ScavengeObject(v8::internal::HeapObject**, v8::internal::HeapObject*) src/heap/scavenger-inl.h:241
    #6 0x7f970e07695a in v8::internal::RootScavengeVisitor::VisitRootPointers(v8::internal::Root, char const*, v8::internal::Object**, v8::internal::Object**) src/heap/scavenger.cc:171:42
    #7 0x7f970dfff614 in v8::internal::JavaScriptFrame::Iterate(v8::internal::RootVisitor*) const src/frames.cc:2133:3
    #8 0x7f970e0cf573 in v8::internal::Isolate::Iterate(v8::internal::RootVisitor*, v8::internal::ThreadLocalTop*) src/isolate.cc:241:17
    #9 0x7f970e029a47 in v8::internal::Heap::IterateStrongRoots(v8::internal::RootVisitor*, v8::internal::VisitMode) src/heap/heap.cc:5044:13
    #10 0x7f970e022c97 in v8::internal::Heap::IterateRoots(v8::internal::RootVisitor*, v8::internal::VisitMode) src/heap/heap.cc:4951:3
    #11 0x7f970e0206a9 in v8::internal::Heap::Scavenge() src/heap/heap.cc:2069:7
    #12 0x7f970e01db45 in v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) src/heap/heap.cc:1667:11
    #13 0x7f970e01cc5a in v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) src/heap/heap.cc:1317:11
    #14 0x7f970dfdba46 in v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationSpace) src/factory.cc:91:3
    #15 0x7f970e24a2d4 in __RT_impl_Runtime_AllocateInNewSpace src/runtime/runtime-internal.cc:286:31
    #16 0x7f970e24a2d4 in v8::internal::Runtime_AllocateInNewSpace(int, v8::internal::Object**, v8::internal::Isolate*) src/runtime/runtime-internal.cc:279
    #17 0x2ee1e7a8431c (<unknown module>)

Ideas?

Feb 19 2018
Very strange. Could it be uncovering a bug in Scavenger? (now that there are more parallel tasks)

Feb 19 2018
Scavenger should not evacuate a code object.

Feb 19 2018
Michael said he's looking.

Feb 19 2018
Assigning to memory sheriff (secondary).

Feb 19 2018
Should I reland https://chromium-review.googlesource.com/c/v8/v8/+/925267 regardless? Since it doesn't appear immediately related but might be enhancing?

Feb 19 2018
Potentially related, other fuzzing bugs with the same CL: issue 813592, issue 813593, issue 813600.

Feb 19 2018
One more: issue 813605

Feb 19 2018
And two more: issue 813610, issue 813611 (don't know if all related, but all from the same CL)

Feb 20 2018
And more..! Issue 813622, issue 813628, issue 813632, issue 813633

Feb 20 2018
ClusterFuzz has detected this issue as fixed in range 51362:51363.

Detailed report: https://clusterfuzz.com/testcase?key=4739773588307968
Fuzzer: v8_builtins_generator
Job Type: linux_cfi_d8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x3097c9784588
Crash State:
  v8::internal::Code::unwinding_info_size
  v8::internal::Code::unwinding_info_end
  v8::internal::Code::body_size
Sanitizer: cfi (CFI)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=51355:51356
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=51362:51363
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4739773588307968

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Feb 20 2018
ClusterFuzz testcase 4739773588307968 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Feb 20 2018
...
[241784:0x55b72e1bccb0]     2155 ms: [IncrementalMarking] Step in v8 512KB (385KB) in 0.2
[241784:0x55b72e1bccb0]     2155 ms: Concurrently marked 128491KB
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2155 ms: [IncrementalMarking] Step in v8 0KB (385KB) in 0.0
[241784:0x55b72e1bccb0]     2155 ms: Concurrently marked 128491KB
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2155 ms: [IncrementalMarking] Step in v8 512KB (385KB) in 0.2
[241784:0x55b72e1bccb0]     2155 ms: Concurrently marked 128491KB
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2155 ms: [IncrementalMarking] Step in v8 0KB (386KB) in 0.0
[241784:0x55b72e1bccb0]     2155 ms: Concurrently marked 128491KB
[241784:0x55b72e1bccb0]     2155 ms: [IncrementalMarking] Complete (normal).
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2155 ms: [IncrementalMarking] Step in v8 256KB (386KB) in 0.1
[241784:0x55b72e1bccb0]     2155 ms: Concurrently marked 128491KB
[241784:0x55b72e1bccb0]     2156 ms: [IncrementalMarking] Stopping: old generation 173MB, limit 133MB, overshoot 40MB
[241784:0x55b72e1bccb0]     2156 ms: [IncrementalMarking] Black allocation finished
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2174 ms: Mark-sweep 182.1 (380.3) -> 178.6 (375.8) MB, 19.1 / 0.0 ms  (+ 64.6 ms in 145 steps since start of marking, biggest step 34.4 ms, walltime since start of marking 235 ms) finalize incremental marking via stack guard GC in old space requested
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2197 ms: Scavenge 187.0 (375.8) -> 183.4 (383.3) MB, 21.6 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2218 ms: Scavenge 190.7 (383.3) -> 186.6 (391.8) MB, 20.5 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2237 ms: Scavenge 195.0 (391.8) -> 191.4 (399.3) MB, 18.5 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2256 ms: Scavenge 198.7 (399.3) -> 194.6 (407.8) MB, 17.8 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2273 ms: Scavenge 203.0 (407.8) -> 199.4 (415.3) MB, 16.7 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2290 ms: Scavenge 206.7 (415.3) -> 202.6 (423.8) MB, 16.6 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2306 ms: Scavenge 211.0 (423.8) -> 207.4 (431.3) MB, 15.7 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2322 ms: Scavenge 214.7 (431.3) -> 210.6 (440.3) MB, 15.6 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2338 ms: Scavenge 219.0 (440.3) -> 215.4 (447.8) MB, 15.2 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2354 ms: Scavenge 222.7 (447.8) -> 218.6 (456.3) MB, 15.0 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2369 ms: Scavenge 227.0 (456.3) -> 223.4 (463.8) MB, 14.5 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2383 ms: Scavenge 230.7 (463.8) -> 226.6 (472.3) MB, 14.2 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2398 ms: Scavenge 235.0 (472.3) -> 231.4 (479.8) MB, 13.6 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2412 ms: Scavenge 238.7 (479.8) -> 234.6 (488.3) MB, 13.8 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2426 ms: Scavenge 243.0 (488.3) -> 239.4 (495.8) MB, 13.6 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2440 ms: Scavenge 246.8 (495.8) -> 242.6 (504.3) MB, 13.6 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2454 ms: Scavenge 251.0 (504.3) -> 247.4 (511.8) MB, 13.1 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2468 ms: Scavenge 254.8 (511.8) -> 250.6 (520.3) MB, 13.7 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2481 ms: Scavenge 259.0 (520.3) -> 255.4 (527.8) MB, 12.7 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2494 ms: Scavenge 262.8 (527.8) -> 258.6 (536.3) MB, 12.8 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2507 ms: Scavenge 267.0 (536.3) -> 263.4 (543.8) MB, 12.5 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2520 ms: Scavenge 270.8 (543.8) -> 266.6 (552.3) MB, 12.5 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2533 ms: Scavenge 275.0 (552.3) -> 271.4 (559.8) MB, 12.6 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2546 ms: Scavenge 278.8 (559.8) -> 274.6 (568.3) MB, 12.5 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2559 ms: Scavenge 283.0 (568.3) -> 279.4 (575.8) MB, 12.3 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2572 ms: Scavenge 286.8 (575.8) -> 282.7 (584.3) MB, 12.8 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2586 ms: Scavenge 291.0 (584.3) -> 287.4 (591.8) MB, 12.7 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2599 ms: Scavenge 294.8 (591.8) -> 290.7 (600.3) MB, 13.0 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2613 ms: Scavenge 299.0 (600.3) -> 295.4 (607.8) MB, 13.0 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2626 ms: Scavenge 302.8 (607.8) -> 298.7 (616.3) MB, 12.9 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2639 ms: Scavenge 307.0 (616.3) -> 303.4 (623.8) MB, 13.0 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2653 ms: Scavenge 310.8 (623.8) -> 306.7 (632.3) MB, 12.9 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2666 ms: Scavenge 315.0 (632.3) -> 311.4 (639.8) MB, 13.2 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2680 ms: Scavenge 318.8 (639.8) -> 314.7 (648.3) MB, 13.4 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2694 ms: Scavenge 323.0 (648.3) -> 319.4 (656.3) MB, 12.6 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2707 ms: Scavenge 326.8 (656.3) -> 322.7 (664.8) MB, 13.1 / 0.0 ms  allocation failure
PauseScope
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2720 ms: Scavenge 331.0 (664.8) -> 327.4 (672.3) MB, 12.4 / 0.0 ms  allocation failure
RescheduleTAsksIFNeeded
[241784:0x55b72e1bccb0]     2780 ms: Scheduling concurrent marking task 1
[241784:0x55b72e1bccb0]     2780 ms: Scheduling concurrent marking task 2
[241784:0x55b72e1bccb0]     2780 ms: Starting concurrent marking task 1
[241784:0x55b72e1bccb0]     2780 ms: Starting concurrent marking task 2
[241784:0x55b72e1bccb0]     2780 ms: Scheduling concurrent marking task 3
[241784:0x55b72e1bccb0]     2780 ms: Scheduling concurrent marking task 4
[241784:0x55b72e1bccb0]     2780 ms: Starting concurrent marking task 3
[New Thread 0x7f1588726700 (LWP 241785)]
[New Thread 0x7f1584f1f700 (LWP 241792)]
[New Thread 0x7f1585f21700 (LWP 241790)]
[New Thread 0x7f1586722700 (LWP 241789)]
[New Thread 0x7f1587724700 (LWP 241787)]
[New Thread 0x7f1587f25700 (LWP 241786)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f1588726700 (LWP 241785)]
0x000055b72d8dae73 in v8::internal::ConcurrentMarking::Run(int, v8::internal::ConcurrentMarking::TaskState*) ()
(gdb)

Feb 20 2018
Concurrent marking tasks suddenly get scheduled, but marking completed before. This is strange. This would suggest that https://cs.chromium.org/chromium/src/v8/src/heap/concurrent-marking.cc?type=cs&q=rescheduletasksifneeded&sq=package:chromium&l=554 is not empty?

Feb 21 2018
This is really strange. Maybe one path in the write barrier is pushing to the worklist even though marking is not in progress?

Feb 21 2018
Re #16: I think these concurrent marking tasks are scheduled as part of parallel marking in Mark-Compact pause:
  * frame #0: 0x0000000100cd09ee libv8.dylib`v8::internal::ConcurrentMarking::ScheduleTasks(this=0x0000000103d0f710) at concurrent-marking.cc:503
    frame #1: 0x0000000100cd1103 libv8.dylib`v8::internal::ConcurrentMarking::RescheduleTasksIfNeeded(this=0x0000000103d0f710) at concurrent-marking.cc:543
    frame #2: 0x0000000100d7887a libv8.dylib`v8::internal::MarkCompactCollector::MarkLiveObjects(this=0x000000010406fa00) at mark-compact.cc:2359
    frame #3: 0x0000000100d77c18 libv8.dylib`v8::internal::MarkCompactCollector::CollectGarbage(this=0x000000010406fa00) at mark-compact.cc:547
    frame #4: 0x0000000100cf833e libv8.dylib`v8::internal::Heap::MarkCompact(this=0x000000010402ec20) at heap.cc:1775
    frame #5: 0x0000000100cf4c60 libv8.dylib`v8::internal::Heap::PerformGarbageCollection(this=0x000000010402ec20, collector=MARK_COMPACTOR, gc_callback_flags=kNoGCCallbackFlags) at heap.cc:1639

May 3 2018
Setting some labels for posterity. Thanks.

May 29 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Feb 19 2018
Owner: gab@chromium.org
Status: Assigned (was: Untriaged)