New issue
Advanced search Search tips

Issue 823069 link

Starred by 4 users

Issue metadata

Status: Verified
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

V8 correctness failure in configs: x64,ignition:x64,slow_path_opt

Project Member Reported by ClusterFuzz, Mar 17 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4719525334089728

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path_opt
  sources: 336
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50381:50382

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4719525334089728

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Mar 17 2018

Labels: Test-Predator-Auto-Owner
Owner: machenb...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/0ac7a48ae8c6dbfd1dd4c9e6d5cd4b1a8bd72fe1 ([foozzie] Add slow-path correctness fuzzing variants).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
// Reduced repro:
var v = [];
Object.defineProperty(v, "length", {value: 3, writable: false});
function foo(b) { return b.pop(); }
foo(v);

// Output:
# Compared x64,ignition with x64,slow_path
#
# Flags of x64,ignition:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1002378131 --turbo-filter=~ --noopt --suppress-asm-messages
# Flags of x64,slow_path:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1002378131 --force-slow-path --suppress-asm-messages
#
# Difference:
+ /usr/local/google/home/machenbach/v8/v8/repro.js:3: TypeError: Cannot assign to read only property 'length' of object '[object Array]'
#
# Source file:
none
#
### Start of configuration x64,ignition:

### End of configuration x64,ignition
#
### Start of configuration x64,slow_path:
/usr/local/google/home/machenbach/v8/v8/repro.js:3: TypeError: Cannot assign to read only property 'length' of object '[object Array]'
function foo(b) { return b.pop(); }
                           ^



### End of configuration x64,slow_path

Components: -Blink>JavaScript Blink>JavaScript>Runtime
Owner: ----
Status: Available (was: Assigned)
Cc: ishell@chromium.org verwa...@chromium.org cbruni@chromium.org jgruber@chromium.org
The Array.p.pop logic is pretty funky.. It's implemented in CSA, but can fall back to a CPP builtin. The CPP builtin can fall back to JS. In the case triggered above, that's what happens when --force-slow-path is passed. In JS, the attempted write to .length triggers the exception. 

The bug appears to be that 
 
    EnsureArrayLengthWritable(LoadMap(array_receiver), &runtime);

doesn't realize length is non-writable. Or, conversely, that StaNamedProperty throws when it shouldn't, I'm not sure. 

Interestingly, direct writes to length don't throw but ignore the attempted write instead:

 d8> var v = [];
 d8> Object.defineProperty(v, "length", {value: 3, writable: false});
 d8> v.length
 3
 d8> v.length = 42
 d8> v.length
 3

Cc: jkummerow@chromium.org
Cc: machenb...@chromium.org
 Issue 830143  has been merged into this issue.
Any news here? Is this a P1?
Labels: -Pri-1 Pri-2
I'd say P2 since the issue is that the exception is not thrown. No other news.
Owner: ishell@chromium.org
Status: Assigned (was: Available)
I'll take a look.
Status: Fixed (was: Assigned)
Project Member

Comment 12 by ClusterFuzz, Apr 11 2018

ClusterFuzz has detected this issue as fixed in range 52507:52508.

Detailed report: https://clusterfuzz.com/testcase?key=4719525334089728

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path_opt
  sources: 336
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50381:50382
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=52507:52508

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4719525334089728

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 13 by ClusterFuzz, Apr 11 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4719525334089728 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment