
Issue 860392

Issue metadata

Status: Verified
Owner:
Closed: Jul 6
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




DCHECK failure in pc == code->instruction_start() in wasm-code-manager.cc

Project Member Reported by ClusterFuzz, Jul 5

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6739159914643456

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  pc == code->instruction_start() in wasm-code-manager.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=53828:53829

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6739159914643456

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 

Comment 1 by ClusterFuzz (Project Member), Jul 5

Labels: Test-Predator-Auto-Owner
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/5f56641b41ede6967cb1e2053df7bb338d55f275 (Reland "[wasm] Introduce jump table").

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2 by sheriffbot@chromium.org (Project Member), Jul 5

Labels: Pri-1
Cc: ahaas@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Status: Started (was: Assigned)
https://crrev.com/c/1127671

Comment 4 by bugdroid1@chromium.org (Project Member), Jul 6

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/4174a68e84c51d6bdec78d05be938d69da4d8b18

commit 4174a68e84c51d6bdec78d05be938d69da4d8b18
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Fri Jul 06 11:22:01 2018

[wasm] Fix importing exported function in interpreter

When calling an import which is an exported wasm function, the
interpreter needs to look through the jump table to find the
actual code object.
We already had that logic for indirect calls, but it was missing for
imported calls.

R=ahaas@chromium.org

Bug: chromium:860392
Change-Id: I6b5a0192f79c23cb1de55407fe93f6df9a17235a
Reviewed-on: https://chromium-review.googlesource.com/1127671
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54291}
[modify] https://crrev.com/4174a68e84c51d6bdec78d05be938d69da4d8b18/src/wasm/wasm-interpreter.cc
[modify] https://crrev.com/4174a68e84c51d6bdec78d05be938d69da4d8b18/test/mjsunit/wasm/interpreter.js

Status: Fixed (was: Started)
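To make the call shape named in the commit message concrete, here is an added example (not from the issue, the V8 tree, or the reproducer testcase) in plain JavaScript against the standard WebAssembly API as Node.js/V8 exposes it. Two wasm modules are hand-assembled inline as constructed byte arrays: A exports a function `f`, and B imports that function under the name `a.f` and calls it from its own exported `g`. Passing `a.exports.f` straight through as B's import is the "import which is an exported wasm function" case the commit describes, where the engine has to resolve the callee through the jump table; the variant that wraps the same function in a JS closure takes the ordinary JS-import path instead. Both must return the same value, which is what a regression test checks. Whether the wasm interpreter is used at all depends on engine flags this example does not set, so it exercises the call pattern, not the DCHECK.

```javascript
// Added example, not part of the Chromium issue or V8 sources.
// Requires a runtime with the WebAssembly API (Node.js / V8).

// Module A (constructed bytes): (func (param i32) (result i32)
//   local.get 0  i32.const 1  i32.add), exported as "f".
const MODULE_A = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic + version
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f, // type section: (i32) -> i32
  0x03, 0x02, 0x01, 0x00,                         // function section: one func of type 0
  0x07, 0x05, 0x01, 0x01, 0x66, 0x00, 0x00,       // export section: "f" = func 0
  0x0a, 0x09, 0x01, 0x07, 0x00,                   // code section: one body, no locals
  0x20, 0x00, 0x41, 0x01, 0x6a, 0x0b,             //   local.get 0; i32.const 1; i32.add; end
]);

// Module B (constructed bytes): imports "a"."f" as func 0, then defines
// func 1 = (func (param i32) (result i32) local.get 0 call 0), exported as "g".
const MODULE_B = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic + version
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f, // type section: (i32) -> i32
  0x02, 0x07, 0x01, 0x01, 0x61, 0x01, 0x66, 0x00, 0x00, // import section: "a"."f", func of type 0
  0x03, 0x02, 0x01, 0x00,                         // function section: func 1 of type 0
  0x07, 0x05, 0x01, 0x01, 0x67, 0x00, 0x01,       // export section: "g" = func 1
  0x0a, 0x08, 0x01, 0x06, 0x00,                   // code section: one body, no locals
  0x20, 0x00, 0x10, 0x00, 0x0b,                   //   local.get 0; call 0 (the import); end
]);

// Instantiates A, then instantiates B with A's export as its import and
// calls B.g(x). With wrapInJs=false the import *is* the exported wasm
// function (the engine resolves it through the jump table); with
// wrapInJs=true the import is a plain JS function, the unaffected path.
// Either way the expected result is x + 1 (wrapping i32 arithmetic).
function callThroughImport(x, wrapInJs = false) {
  const a = new WebAssembly.Instance(new WebAssembly.Module(MODULE_A));
  const f = a.exports.f;
  const imported = wrapInJs ? (v) => f(v) : f;
  const b = new WebAssembly.Instance(new WebAssembly.Module(MODULE_B), { a: { f: imported } });
  return b.exports.g(x);
}

// Both modules must pass validation before they are instantiated.
function modulesAreValid() {
  return WebAssembly.validate(MODULE_A) && WebAssembly.validate(MODULE_B);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('valid:', modulesAreValid());
  console.log('direct wasm import:', callThroughImport(41));      // 42
  console.log('JS-wrapped import: ', callThroughImport(41, true)); // 42
}
```

A regression test in the spirit of the one the commit touches would run this under each execution tier the engine offers and assert that the direct and the JS-wrapped variant agree; an engine-side difference in how the callee is found must never be observable as a different result or a crash.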

Comment 6 by sheriffbot@chromium.org (Project Member), Jul 6

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 7 by ClusterFuzz (Project Member), Jul 7

ClusterFuzz has detected this issue as fixed in range 54290:54291.

Detailed report: https://clusterfuzz.com/testcase?key=6739159914643456

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  pc == code->instruction_start() in wasm-code-manager.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=53828:53829
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=54290:54291

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6739159914643456

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz (Project Member), Jul 7

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6739159914643456 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 9 by sheriffbot@chromium.org (Project Member), Oct 12

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
