Issue 863198 link

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue v8:7872
Owner:
Closed: Jul 26
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug



Out-of-memory in v8_wasm_async_fuzzer

Reported by ClusterFuzz (Project Member), Jul 12

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4964967888191488

Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  v8_wasm_async_fuzzer
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=500406:500452

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4964967888191488

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Cc: kkaluri@chromium.org
Components: Blink>JavaScript
Labels: M-68 Test-Predator-Wrong CF-NeedsTriage
Unable to provide a possible suspect using Predator, CL and Code Search.
Could someone please look into the issue?

Thank You...

Comment 2 by ClusterFuzz, Jul 13

Labels: OS-Mac
Cc: clemensh@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)
I am quite busy currently, otherwise I would check this myself.
Andreas, could you take a look?
Mergedinto: v8:7872
Status: Duplicate (was: Assigned)

Comment 5 by bugdroid1@chromium.org, Jul 31

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/bfbaefd863d8fc0a748fe1a010692d351a94f163

commit bfbaefd863d8fc0a748fe1a010692d351a94f163
Author: Andreas Haas <ahaas@chromium.org>
Date: Tue Jul 31 11:08:46 2018

[wasm] Add estimate size for the WasmInterpreter

The lifetime of the WasmInterpreter is managed by the GC. However, we
did not tell the GC the amount of memory consumed by the interpreter.
Therefore it was possible to fill up memory with instances of the
interpreter without triggering a GC to free memory. With this CL we pass
the size of the stack as an estimate for the size of the interpreter. At
least in the fuzzer the stack is the dominating factor for memory
consumption.

R=clemensh@chromium.org

Bug: chromium:863198
Change-Id: Ic5cb0bd364500bcff793a1fd53d2d0113196dfe2
Reviewed-on: https://chromium-review.googlesource.com/1156385
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54810}
[modify] https://crrev.com/bfbaefd863d8fc0a748fe1a010692d351a94f163/src/wasm/wasm-debug.cc

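The commit message above describes a bug class that is easy to reproduce in miniature: an object whose lifetime the GC manages but whose real cost lives off-heap, so the collector's trigger never fires. The following is an added model written for this page, not V8 code and not the fuzzer's reproducer; it assumes a 64 MiB collection trigger, a 1 MiB interpreter stack and a 64-byte on-heap handle, all constructed for illustration. Reporting 0 bytes to the collector stands in for the behaviour before the CL; reporting the stack size stands in for the fix.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>

// Constructed model (not V8 code) of a collector whose trigger counts only the
// bytes it has been told about. A handle on the managed heap owns an off-heap
// interpreter whose stack is the real cost; `reported` is the estimate handed
// to the collector at allocation time.
struct ModelHeap {
  size_t limit;            // accounted bytes at which a collection runs
  size_t accounted = 0;    // what the collector believes is live
  size_t actual = 0;       // what is really resident, including off-heap
  size_t peak_actual = 0;  // highest `actual` ever observed
  size_t collections = 0;

  explicit ModelHeap(size_t limit_bytes) : limit(limit_bytes) {}

  // Allocate one handle plus its off-heap interpreter. The collector decides
  // whether to run based solely on `accounted`, never on `actual`.
  void allocate(size_t handle_bytes, size_t external_bytes, size_t reported) {
    if (accounted + handle_bytes + reported > limit) collect();
    accounted += handle_bytes + reported;
    actual += handle_bytes + external_bytes;
    peak_actual = std::max(peak_actual, actual);
  }

  // In this model every handle is already unreachable when a GC runs (the
  // fuzzer drops each instance after use), so a collection frees everything,
  // including the off-heap interpreters the handles own.
  void collect() {
    ++collections;
    accounted = 0;
    actual = 0;
  }
};

struct RunResult {
  size_t peak_actual;
  size_t collections;
};

// Allocate `count` interpreters with a stack of `stack_bytes` each, telling
// the collector `reported_bytes` per interpreter.
RunResult run_model(size_t count, size_t stack_bytes, size_t reported_bytes,
                    size_t limit_bytes) {
  const size_t kHandleBytes = 64;  // assumed on-heap size of the handle
  ModelHeap heap(limit_bytes);
  for (size_t i = 0; i < count; ++i) {
    heap.allocate(kHandleBytes, stack_bytes, reported_bytes);
  }
  return RunResult{heap.peak_actual, heap.collections};
}

constexpr size_t kMiB = 1024 * 1024;
constexpr size_t kLimit = 64 * kMiB;  // assumed GC trigger
constexpr size_t kStack = 1 * kMiB;   // assumed interpreter stack size
constexpr size_t kInstances = 1000;   // interpreters created by the run

// Before the CL: the collector sees 64 bytes per instance, never runs, and
// resident memory grows by one stack per instance.
RunResult without_estimate() {
  return run_model(kInstances, kStack, 0, kLimit);
}

// After the CL: the stack size is reported as the estimate, so a collection
// runs roughly every 63 instances and resident memory stays under the trigger.
RunResult with_estimate() {
  return run_model(kInstances, kStack, kStack, kLimit);
}

int main() {
  RunResult bug = without_estimate();
  RunResult fix = with_estimate();
  std::printf("no estimate:   peak %zu MiB, %zu collections\n",
              bug.peak_actual / kMiB, bug.collections);
  std::printf("with estimate: peak %zu MiB, %zu collections\n",
              fix.peak_actual / kMiB, fix.collections);
  return 0;
}
```

The point of the model is that the collector's decision is a function of `accounted` only; no matter how large `actual` grows, nothing runs until the accounted total crosses the trigger. In the real engine the equivalent is the size estimate handed to the GC when the managed handle is created, which is what the CL changes.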

Comment 6 by ClusterFuzz, Aug 1

ClusterFuzz has detected this issue as fixed in range 579426:579434.

Detailed report: https://clusterfuzz.com/testcase?key=4964967888191488

Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  v8_wasm_async_fuzzer
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=500406:500452
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=579426:579434

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4964967888191488

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.