control flow integrity check failure in V8
Issue description

Various tests are failing on Linux CFI as a result of the latest V8 autoroll; see https://ci.chromium.org/buildbot/chromium.memory/Linux%20CFI/6233:

    ../../v8/src/compiler/operator.h:215:10: runtime error: control flow integrity check for type 'v8::internal::compiler::Operator1<int, v8::internal::compiler::OpEqualTo<int>, v8::internal::compiler::OpHash<int> >' failed during cast to unrelated type (vtable address 0x00000094f4a0)
    0x00000094f4a0: note: vtable is of type 'v8::internal::compiler::Operator1<v8::internal::compiler::IfValueParameters, v8::internal::compiler::OpEqualTo<v8::internal::compiler::IfValueParameters>, v8::internal::compiler::OpHash<v8::internal::compiler::IfValueParameters> >'
     00 00 00 00 80 ec df 04 00 00 00 00 40 f1 df 04 00 00 00 00 70 f1 df 04 00 00 00 00 10 f2 df 04
     ^
        #0 0x4de4ce7 in int const& v8::internal::compiler::OpParameter<int>(v8::internal::compiler::Operator const*) ./../../v8/src/compiler/operator.h:216:9
        #1 0x4f64a17 in v8::internal::compiler::Verifier::Visitor::Check(v8::internal::compiler::Node*, v8::internal::compiler::AllNodes const&) ./../../v8/src/compiler/verifier.cc:301:17
        #2 0x4f66c2d in v8::internal::compiler::Verifier::Run(v8::internal::compiler::Graph*, v8::internal::compiler::Verifier::Typing, v8::internal::compiler::Verifier::CheckInputs, v8::internal::compiler::Verifier::CodeType) ./../../v8/src/compiler/verifier.cc:1719:44
        #3 0x4ef363e in void v8::internal::compiler::PipelineImpl::Run<v8::internal::compiler::VerifyGraphPhase, bool>(bool) ./../../v8/src/compiler/pipeline.cc:1071:9
        #4 0x4ef1a34 in v8::internal::compiler::PipelineImpl::OptimizeGraph(v8::internal::compiler::Linkage*) ./../../v8/src/compiler/pipeline.cc:1962:5
        #5 0x4ef185f in v8::internal::compiler::PipelineCompilationJob::ExecuteJobImpl() ./../../v8/src/compiler/pipeline.cc:835:18
        #6 0x4dae04b in v8::internal::CompilationJob::ExecuteJob() ./../../v8/src/compiler.cc:111:22
        #7 0x4dabbbe in v8::internal::OptimizingCompileDispatcher::CompileNext(v8::internal::CompilationJob*) ./../../v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc:115:40
        #8 0x4daca83 in v8::internal::OptimizingCompileDispatcher::CompileTask::RunInternal() ./../../v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc:67:20
        #9 0x34b6754 in base::OnceCallback<void ()>::Run() && ./../../base/callback.h:95:12
        #10 0x5797df7 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:61:33
        #11 0x5829624 in base::internal::TaskTracker::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool) ./../../base/task_scheduler/task_tracker.cc:460:23
        #12 0x582b084 in base::internal::TaskTrackerPosix::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool) ./../../base/task_scheduler/task_tracker_posix.cc:25:16
        #13 0x5828a18 in base::internal::TaskTracker::RunAndPopNextTask(scoped_refptr<base::internal::Sequence>, base::internal::CanScheduleSequenceObserver*) ./../../base/task_scheduler/task_tracker.cc:353:3
        #14 0x581fa73 in base::internal::SchedulerWorker::Thread::ThreadMain() ./../../base/task_scheduler/scheduler_worker.cc:85:41
        #15 0x582ff73 in base::(anonymous namespace)::ThreadFunc(void*) ./../../base/threading/platform_thread_posix.cc:76:13
        #16 0x7fd912dd8183 in start_thread /build/eglibc-ripdx6/eglibc-2.19/nptl/pthread_create.c:312:0
        #17 0x7fd90d1c103c in clone /build/eglibc-ripdx6/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111:0

    BrowserTestBase received signal: Terminated.
    Backtrace:
        #0 0x000005795d4c base::debug::StackTrace::StackTrace()
        #1 0x00000593cd83 content::(anonymous namespace)::DumpStackTraceSignalHandler()
        #2 0x7feb7637ecb0 <unknown>
        #3 0x7feb76438c9d __poll
        #4 0x7feb7b536fe4 <unknown>
        #5 0x7feb7b5370ec g_main_context_iteration
        #6 0x0000057c95d6 base::MessagePumpGlib::Run()
        #7 0x0000057c34e1 base::MessageLoop::Run()
        #8 0x0000057f8800 base::RunLoop::Run()
        #9 0x0000034ec308 dom_distiller::DomDistillerJsTest_RunJsTests_Test::RunTestOnMainThread()
        #10 0x00000593c894 content::BrowserTestBase::ProxyRunTestOnMainThreadLoop()
        #11 0x00000593d6c1 _ZN4base8internal7InvokerINS0_9BindStateIMN7content15BrowserTestBaseEFvvEJNS0_17UnretainedWrapperIS4_EEEEEFvvEE7RunImplIRKS6_RKNSt3__15tupleIJS8_EEEJLm0EEEEvOT_OT0_NSF_16integer_sequenceImJXspT1_EEEE
        #12 0x0000058e7822 content::ShellBrowserMainParts::PreMainMessageLoopRun()
        #13 0x0000042ca69b content::BrowserMainLoop::PreMainMessageLoopRun()
        #14 0x0000042ce4d1 _ZN4base8internal7InvokerINS0_9BindStateIMN7content15BrowserMainLoopEFivEJNS0_17UnretainedWrapperIS4_EEEEEFivEE7RunImplIRKS6_RKNSt3__15tupleIJS8_EEEJLm0EEEEiOT_OT0_NSF_16integer_sequenceImJXspT1_EEEE
    [0302/175330.609695:ERROR:kill_posix.cc(84)] Unable to terminate process group 5895: No such process (3)
    [0302/175401.133894:ERROR:kill_posix.cc(84)] Unable to terminate process group 5958: No such process (3)
        #15 0x0000048ea659 content::StartupTaskRunner::RunAllTasksNow()
        #16 0x0000042c905e content::BrowserMainLoop::CreateStartupTasks()
        #17 0x0000042cf33a content::BrowserMainRunnerImpl::Initialize()
        #18 0x000005926278 ShellBrowserMain()
        #19 0x000005924927 content::ShellMainDelegate::RunProcess()
        #20 0x0000056c8f43 content::RunNamedProcessTypeMain()
        #21 0x0000056ca672 content::ContentMainRunnerImpl::Run()
        #22 0x0000070917bc service_manager::Main()
        #23 0x0000056c1a44 content::ContentMain()
        #24 0x00000593c444 content::BrowserTestBase::SetUp()
        #25 0x0000058cff7f content::ContentBrowserTest::SetUp()
        #26 0x0000035a69bd testing::Test::Run()
        #27 0x0000035a70ee testing::TestInfo::Run()
        #28 0x0000035a7862 testing::TestCase::Run()
        #29 0x0000035ac2e3 testing::internal::UnitTestImpl::RunAllTests()
        #30 0x0000035abf7a testing::UnitTest::Run()
        #31 0x000005887457 base::TestSuite::Run()
        #32 0x0000059237dc content::ContentTestLauncherDelegate::RunTestSuite()
        #33 0x00000594870e content::LaunchTests()
        #34 0x000005923749 main
        #35 0x7feb76369f45 __libc_start_main
        #36 0x00000339102a _start
Mar 5 2018
It was the roll to 6.7.1 that broke things (r540691), not "the latest".
Mar 5 2018
Might have already been fixed on ToT, Sigurd agreed to take a look. Thanks!
Mar 5 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1808b6997fe1e50153125f054a6589863733b5bf

    commit 1808b6997fe1e50153125f054a6589863733b5bf
    Author: Greg Thompson <grt@chromium.org>
    Date: Mon Mar 05 13:25:22 2018

    Roll V8 back to 6.6.346.

    6.7.1 and newer are failing CFI builds.

    BUG= 818611
    TBR=grt@chromium.org

    Change-Id: Ie0439da3fd330a8814daee9f3da3e2c412fbbf6f
    Reviewed-on: https://chromium-review.googlesource.com/948485
    Reviewed-by: Greg Thompson <grt@chromium.org>
    Commit-Queue: Greg Thompson <grt@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#540809}

[modify] https://crrev.com/1808b6997fe1e50153125f054a6589863733b5bf/DEPS
Mar 5 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/efed5562cd6f7df88fe9dab23feac30106a123e7

    commit efed5562cd6f7df88fe9dab23feac30106a123e7
    Author: Sigurd Schneider <sigurds@chromium.org>
    Date: Mon Mar 05 13:35:21 2018

    [turbofan] Fix undefined behavior in accessing operator parameters

    OpParameter<int32_t> was still used for an operator after the operator's
    parameter changed from int32_t to a struct. Coincidentally, the first
    field of the struct holds the value previously stored in that int32_t,
    so correctness tests did not catch this.

    Bug: chromium:818611, v8:7517
    Change-Id: Ie46f084f7fa8117cd3493fc5ceafac11553dc55e
    Reviewed-on: https://chromium-review.googlesource.com/948546
    Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
    Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#51728}

[modify] https://crrev.com/efed5562cd6f7df88fe9dab23feac30106a123e7/src/compiler/verifier.cc
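The failure mode the commit describes, as an added illustration that is not V8's code: a simplified Operator / Operator1<T> stand-in (assumed shape), a parameter struct whose first field carries the old int32_t value (field names assumed), a checked accessor that rejects a stale OpParameter<T> instantiation instead of reading through the wrong vtable, and a demonstration of why the layout coincidence hid the bug from correctness tests.

```cpp
#include <cstdint>
#include <cstring>

// Simplified stand-in for V8's Operator / Operator1<T> (src/compiler/operator.h);
// this shape is assumed for illustration and is not V8's code.
struct Operator { virtual ~Operator() = default; };

template <typename T>
struct Operator1 : Operator {
  explicit Operator1(T p) : parameter(p) {}
  T parameter;
};

// Parameter type described in the commit message: a struct whose first field
// holds the value that used to be a bare int32_t (field names are assumed).
struct IfValueParameters {
  int32_t value;
  int32_t order;
};

// V8's OpParameter<T> does an unchecked static_cast to Operator1<T>; with a
// stale T that is the cast CFI reported as "cast to unrelated type". This
// checked variant uses dynamic_cast instead and yields nullptr on mismatch
// (V8 builds without RTTI, so there the CFI cast check plays this role).
template <typename T>
const T* CheckedOpParameter(const Operator* op) {
  const auto* typed = dynamic_cast<const Operator1<T>*>(op);
  return typed ? &typed->parameter : nullptr;
}

// Why correctness tests did not notice: the first field sits at offset 0, so
// the bytes a stale int32_t read would see are exactly the old value.
bool FirstFieldAliasesOldValue() {
  IfValueParameters p{42, 7};
  int32_t first = 0;
  std::memcpy(&first, &p, sizeof first);
  return first == 42;
}

bool CorrectTypeReads() {
  Operator1<IfValueParameters> op({42, 7});
  const IfValueParameters* p = CheckedOpParameter<IfValueParameters>(&op);
  return p != nullptr && p->value == 42 && p->order == 7;
}

bool StaleTypeIsRejected() {
  Operator1<IfValueParameters> op({42, 7});
  return CheckedOpParameter<int32_t>(&op) == nullptr;  // stale OpParameter<int32_t>
}
```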
Mar 5 2018
Thanks for the update. I'll leave it to you folks to open up the autoroller again when you've got it sorted. Cheers.
Mar 5 2018
Sigurd, any idea why our V8 stand-alone cfi bot didn't catch this? Are we not covering this particular situation, or are we lacking some configuration?
Mar 5 2018
That is a good question! The bot that triggered this ran with

    dcheck_always_on = true
    goma_dir = "/b/c/goma_client"
    is_cfi = true
    is_component_build = false
    is_debug = false
    strip_absolute_paths_from_debug_symbols = true
    use_cfi_cast = true
    use_cfi_diag = true
    use_goma = true
    use_thin_lto = true

while our bot runs with

    is_cfi = true
    is_component_build = false
    is_debug = false
    target_cpu = "x64"
    use_cfi_cast = true
    use_cfi_diag = true
    use_cfi_recover = false
    use_goma = true
    v8_enable_test_features = true
    v8_test_isolation_mode = "prepare"

Additionally, it might be that we run without --turbo-verify? The access that triggered this assert failure is actually in the verifier; not sure if our bot runs that. Any code with a TurboFan-level switch should have triggered the assertion failure.
Mar 5 2018
Another idea would be to run our "V8 Linux64 UBSanVptr" with --turbo-verify, if that doesn't take too long (I guess it won't).
Mar 5 2018
FYI V8 6.7.11 has now rolled into Chromium. It has the fix mentioned in #5 in it.
Mar 6 2018
Hmm, so --turbo-verify is a V8 flag? Is it enabled when V8 is embedded in Chrome and not when it's stand-alone? Would be strange...
Comment 1 by grt@chromium.org, Mar 5 2018