New issue
Advanced search Search tips

Issue 851886 link

Starred by 1 user
Status: Fixed
Owner:
sigurds@chromium.org
Closed: Jun 2018
Cc:
bmeu...@chromium.org
jgruber@chromium.org
u...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug



Sign in to add a comment

ASan failure in JSCallReducerTest.PromiseConstructorWithHook

Project Member Reported by sdefresne@chromium.org, Jun 12 2018 
I compiled Chrome on Linux with the following settings:

enable_nacl = false
symbol_level = 2
is_component_build = true
is_asan = true
is_debug = false
dcheck_always_on = true

When running unittests, I get the following ASan failure:

[ RUN      ] JSCallReducerTest.PromiseConstructorWithHook
=================================================================
==259720==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000243340 at pc 0x7f04eaf8884f bp 0x7ffe48831450 sp 0x7ffe48831448
WRITE of size 1 at 0x619000243340 thread T0
    #0 0x7f04eaf8884e  (./src/out/Default/./libv8_for_testing.so+0x222a84e)
    #1 0x7f04eafad433  (./src/out/Default/./libv8_for_testing.so+0x224f433)
    #2 0x7f04eadb204d  (./src/out/Default/./libv8_for_testing.so+0x205404d)
    #3 0x559e22aa37d5  (./src/out/Default/unittests+0x118b7d5)
    #4 0x559e23a2e792  (./src/out/Default/unittests+0x2116792)
    #5 0x559e23a30764  (./src/out/Default/unittests+0x2118764)
    #6 0x559e23a31a56  (./src/out/Default/unittests+0x2119a56)
    #7 0x559e23a57636  (./src/out/Default/unittests+0x213f636)
    #8 0x559e23a56862  (./src/out/Default/unittests+0x213e862)
    #9 0x559e233a2f0d  (./src/out/Default/unittests+0x1a8af0d)
    #10 0x7f04e614a2b0  (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

0x619000243340 is located 448 bytes inside of 904-byte region [0x619000243180,0x619000243508)
freed by thread T0 here:
    #0 0x559e224e4ca2  (./src/out/Default/unittests+0xbccca2)
    #1 0x559e23a308c2  (./src/out/Default/unittests+0x21188c2)
    #2 0x559e23a31a56  (./src/out/Default/unittests+0x2119a56)
    #3 0x559e23a57636  (./src/out/Default/unittests+0x213f636)
    #4 0x559e23a56862  (./src/out/Default/unittests+0x213e862)
    #5 0x559e233a2f0d  (./src/out/Default/unittests+0x1a8af0d)
    #6 0x7f04e614a2b0  (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x559e224e4062  (./src/out/Default/unittests+0xbcc062)
    #1 0x559e22ac5e3f  (./src/out/Default/unittests+0x11ade3f)
    #2 0x559e23a30670  (./src/out/Default/unittests+0x2118670)
    #3 0x559e23a31a56  (./src/out/Default/unittests+0x2119a56)
    #4 0x559e23a57636  (./src/out/Default/unittests+0x213f636)
    #5 0x559e23a56862  (./src/out/Default/unittests+0x213e862)
    #6 0x559e233a2f0d  (./src/out/Default/unittests+0x1a8af0d)
    #7 0x7f04e614a2b0  (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free (./src/out/Default/./libv8_for_testing.so+0x222a84e) 
Shadow bytes around the buggy address:
  0x0c3280040610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280040620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280040630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280040640: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280040650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3280040660: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c3280040670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280040680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280040690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800406a0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32800406b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==259720==ABORTING

Revision: a0db4ef29e70403f5d65dd088df46af2f5a34cea

Comment 1 by sdefresne@chromium.org, Jun 12 2018

Labels: OS-Linux

Comment 2 by hablich@chromium.org, Jun 21 2018

Cc: bmeu...@chromium.org u...@chromium.org jgruber@chromium.org
Status: Available (was: Untriaged)

Comment 3 by bmeu...@chromium.org, Jun 21 2018

Owner: sigurds@chromium.org
Status: Assigned (was: Available)

Comment 4 by sigurds@chromium.org, Jun 25 2018 

I can't reproduce on ToT. More curiously, our ASAN bot is running this test:

Done running unittests/JSCallReducerTest.PromiseConstructorWithHook: pass

I also tries to reproduce with the revision you gave, but could not. Your revision is a chromium revision, which uses v8 tag 6.9.119 (27bacf89077dde85c627cc83accc3ac3f018e16d).

I tried reproducing on both x64 and x86.

Are you able to reproduce this reliably? Which compiler do you use?

Comment 5 by sigurds@chromium.org, Jun 25 2018 

I just ran 2000 instances of the test in parallel and got the crash. Might be a concurrency issue. Thanks for reporting!

Comment 7 by sigurds@chromium.org, Jun 25 2018

Status: Fixed (was: Assigned)
https://chromium.googlesource.com/v8/v8/+/395d1e574e8432b045bfc5f92b2b090019203601

Since this is a test-only issue, no back-merge is needed.

Comment 8 by sdefresne@chromium.org, Jun 25 2018 

Thank you for the quick fix :-)

Sign in to add a comment