Memory corruption in wasm module
Reported by june901...@gmail.com, Mar 21 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Steps to reproduce the problem:
1. Run poc.js in the current V8 stable [6.5.254.41].
What is the expected behavior?
What went wrong?
I am not sure, but there might be memory corruption when wasm code instantiates.
When I used '--no-wasm-jit-to-native' with the poc, it worked normally.
Starting program: $ /v8/out/asan/d8 poc.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff3140700 (LWP 17365)]
[New Thread 0x7ffff1e36700 (LWP 17366)]
[New Thread 0x7ffff0b2c700 (LWP 17367)]
[New Thread 0x7fffef822700 (LWP 17368)]
[New Thread 0x7fffee518700 (LWP 17369)]
Thread 1 "d8" received signal SIGSEGV, Segmentation fault.
__memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2389
2389 ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S: No such file or directory.
(gdb) bt
#0 __memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2389
#1 0x0000555555ebe543 in __asan_memcpy ()
at /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23
#2 0x000055555745fb60 in AddOwnedCode () at ../../src/wasm/wasm-code-manager.cc:328
#3 0x00005555574644ca in CreateTrampolineTo () at ../../src/wasm/wasm-code-manager.cc:491
#4 0x0000555557466992 in CloneTrampolinesAndStubs ()
at ../../src/wasm/wasm-code-manager.cc:670
#5 0x0000555557469054 in Clone () at ../../src/wasm/wasm-code-manager.cc:896
#6 0x00005555574e729e in Clone () at ../../src/wasm/wasm-objects.cc:1342
#7 0x00005555573f6f30 in Build () at ../../src/wasm/module-compiler.cc:2282
#8 0x00005555573f4702 in SyncInstantiate () at ../../src/wasm/module-compiler.cc:577
#9 0x0000555555fc2e14 in InstantiateAsmWasm () at ../../src/asmjs/asm-js.cc:392
#10 0x00005555570bc350 in __RT_impl_Runtime_InstantiateAsmJs ()
at ../../src/runtime/runtime-compiler.cc:126
#11 Runtime_InstantiateAsmJs () at ../../src/runtime/runtime-compiler.cc:106
#12 0x00007e8c3b88431d in ?? ()
#13 0x00007e8c3b884261 in ?? ()
#14 0x00007fffffffda40 in ?? ()
#15 0x0000000000000006 in ?? ()
#16 0x00007fffffffdab0 in ?? ()
#17 0x00007e8c3b8948f3 in ?? ()
#18 0x00007ead53d822e1 in ?? ()
#19 0x00007ead53d822e1 in ?? ()
#20 0x00007ead53d822e1 in ?? ()
#21 0x00007ef77db29e71 in ?? ()
#22 0x00007ef77db29e71 in ?? ()
#23 0x00007ef77db29e71 in ?? ()
#24 0x0000000000000000 in ?? ()
Did this work before? N/A
Chrome version: 65.0.3325.181 Channel: stable
OS Version: 10.0
Flash Version:
Jun 28 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Mar 21 2018
Status: Duplicate (was: Unconfirmed)