Issue 858914 link

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: Jul 7
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Timeout in v8_wasm_async_fuzzer

Project Member Reported by ClusterFuzz, Jun 29 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4855026623971328

Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address: 
Crash State:
  v8_wasm_async_fuzzer
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=480821:480902

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4855026623971328

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Components: Blink>JavaScript
Cc: clemensh@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)
Comment 3 by bugdroid1@chromium.org (Project Member), Jul 5

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/df41fa7a8acefaf9eb16d5407e5abd692966b3f0

commit df41fa7a8acefaf9eb16d5407e5abd692966b3f0
Author: Andreas Haas <ahaas@chromium.org>
Date: Thu Jul 05 10:35:48 2018

[wasm][fuzzer] Do not execute modules with start function

In the WebAssembly fuzzers we detect infinite loops with the
interpreter: if the interpreter does not finish after a finite number
of steps, we do not execute the compiled code. However, we cannot
redirect the start function to the interpreter in the fuzzer, and
therefore we cannot detect infinite loops in the start function. With
this CL we avoid the problem completely by not instantiating a module
in the fuzzer which has a start function. Note that the module still
gets compiled.

R=clemensh@chromium.org

Bug: chromium:858914
Change-Id: Icbbe9a003544918d5267cdd1d9405b21bb681133
Reviewed-on: https://chromium-review.googlesource.com/1126766
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54246}
[modify] https://crrev.com/df41fa7a8acefaf9eb16d5407e5abd692966b3f0/test/fuzzer/wasm-fuzzer-common.cc
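
The commit above makes the fuzzer harness refuse to instantiate a module that declares a start function, since that function runs at instantiation and bypasses the interpreter-based infinite-loop check. The following added example (not V8's code and not the change linked above) shows the check in isolation: a minimal scanner over the WebAssembly binary format that walks the section headers, reports whether a start section (section id 8) is present, and treats a truncated or malformed header as a reason not to instantiate. The sample modules, the function names `ScanForStartSection`, `ShouldInstantiate`, `ModuleWithStart`, `ModuleWithoutStart` and `Truncate`, and the `ScanResult` enum are all constructed for this example.

```cpp
// Added example, not V8's own fuzzer code: detect a start section in a
// WebAssembly module so a harness can compile the module but skip
// instantiating it (which is what would run the start function).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class ScanResult { kNoStart, kHasStart, kMalformed };

constexpr uint8_t kStartSectionId = 8;  // section id of the start section

// Decode one unsigned LEB128 integer at *pos and advance *pos. Returns false
// if the encoding is truncated or uses more than five bytes.
static bool ReadVarUint32(const std::vector<uint8_t>& bytes, size_t* pos,
                          uint32_t* out) {
  uint32_t result = 0;
  for (int shift = 0; shift < 35; shift += 7) {
    if (*pos >= bytes.size()) return false;
    uint8_t byte = bytes[(*pos)++];
    result |= static_cast<uint32_t>(byte & 0x7f) << shift;
    if ((byte & 0x80) == 0) {
      *out = result;
      return true;
    }
  }
  return false;
}

// Walk the section headers of a module. Each payload is skipped using its
// declared size, so no instruction decoding is needed; a payload that runs
// past the end of the buffer marks the module as malformed.
ScanResult ScanForStartSection(const std::vector<uint8_t>& module) {
  static const uint8_t kHeader[8] = {0x00, 0x61, 0x73, 0x6d,   // "\0asm"
                                     0x01, 0x00, 0x00, 0x00};  // version 1
  if (module.size() < sizeof(kHeader)) return ScanResult::kMalformed;
  for (size_t i = 0; i < sizeof(kHeader); ++i) {
    if (module[i] != kHeader[i]) return ScanResult::kMalformed;
  }
  bool has_start = false;
  size_t pos = sizeof(kHeader);
  while (pos < module.size()) {
    uint8_t id = module[pos++];
    uint32_t size = 0;
    if (!ReadVarUint32(module, &pos, &size)) return ScanResult::kMalformed;
    if (size > module.size() - pos) return ScanResult::kMalformed;
    if (id == kStartSectionId) has_start = true;
    pos += size;
  }
  return has_start ? ScanResult::kHasStart : ScanResult::kNoStart;
}

// Harness policy from the commit message: instantiate only well-formed
// modules that declare no start function.
bool ShouldInstantiate(const std::vector<uint8_t>& module) {
  return ScanForStartSection(module) == ScanResult::kNoStart;
}

// Constructed sample: one function of type () -> () whose body is only `end`,
// declared as the module's start function.
std::vector<uint8_t> ModuleWithStart() {
  return {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,  // magic + version
          0x01, 0x04, 0x01, 0x60, 0x00, 0x00,              // type section: 1 type, () -> ()
          0x03, 0x02, 0x01, 0x00,                          // function section: 1 func of type 0
          0x08, 0x01, 0x00,                                // start section: function index 0
          0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b};             // code section: 1 body, no locals, end
}

// Constructed sample: the same module with the start section removed.
std::vector<uint8_t> ModuleWithoutStart() {
  return {0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
          0x01, 0x04, 0x01, 0x60, 0x00, 0x00,
          0x03, 0x02, 0x01, 0x00,
          0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b};
}

// Keep only the first n bytes, simulating a fuzzer input cut mid-section.
std::vector<uint8_t> Truncate(const std::vector<uint8_t>& module, size_t n) {
  return std::vector<uint8_t>(module.begin(), module.begin() + n);
}

int main() {
  std::printf("with start:    instantiate=%d\n", ShouldInstantiate(ModuleWithStart()));
  std::printf("without start: instantiate=%d\n", ShouldInstantiate(ModuleWithoutStart()));
  std::printf("truncated:     instantiate=%d\n", ShouldInstantiate(Truncate(ModuleWithStart(), 16)));
  return 0;
}
```

The scan deliberately stops at the section-header level: the harness only needs to know that a start function exists, not what it does, and skipping payloads by declared size keeps the check cheap and independent of the module's instruction stream.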

Comment 4 by ClusterFuzz (Project Member), Jul 7

ClusterFuzz has detected this issue as fixed in range 572608:573019.

Detailed report: https://clusterfuzz.com/testcase?key=4855026623971328

Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address: 
Crash State:
  v8_wasm_async_fuzzer
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=480821:480902
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=572608:573019

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4855026623971328

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by ClusterFuzz (Project Member), Jul 7

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4855026623971328 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.