Issue 870646

Issue metadata

Status: Verified
Owner:
Closed: Aug 8
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Ill in v8::InstantiateBytesResultResolver::OnInstantiationFailed

Project Member Reported by ClusterFuzz, Aug 3

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6159163210858496

Fuzzer: inferno_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x5605c4c9475e
Crash State:
  v8::InstantiateBytesResultResolver::OnInstantiationFailed
  v8::internal::wasm::WasmEngine::AsyncInstantiate
  v8::AsyncInstantiateCompileResultResolver::OnCompilationSucceeded
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=53346:53347

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6159163210858496

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Aug 3

Components: Blink>JavaScript>WebAssembly
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Aug 3

Labels: Test-Predator-Auto-Owner
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/8a95da24150bee6b8b5d63e08f21af756bfe24c4 ([wasm] Reimplement WebAssembly.instantiate without desugaring).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 3 by bugdroid1@chromium.org, Aug 7

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5f105141d54d1268be9b8332c5e6bf8592d1ee84

commit 5f105141d54d1268be9b8332c5e6bf8592d1ee84
Author: Andreas Haas <ahaas@chromium.org>
Date: Tue Aug 07 10:44:12 2018

[wasm] During instantiation, pending_exceptions dominate new exceptions

For async instantiation of WebAssembly code we had the assumption that
a pending exception (an exception which comes from
executing JS code) and an ErrorThrower error cannot occur at the same
time. This assumption turned out to be wrong. With this CL we handle
this case by preferring pending_exceptions over ErrorThrower errors.

In addition I extended the tests for failing instantiation to also
exercise async instantiation, and I added a regression test.

R=clemensh@chromium.org

Bug: chromium:870646
Change-Id: I4cb54ff8642ad4ea193b20f79905c9f6508c2b2e
Reviewed-on: https://chromium-review.googlesource.com/1163511
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54940}
[modify] https://crrev.com/5f105141d54d1268be9b8332c5e6bf8592d1ee84/src/wasm/wasm-engine.cc
[modify] https://crrev.com/5f105141d54d1268be9b8332c5e6bf8592d1ee84/src/wasm/wasm-js.cc
[modify] https://crrev.com/5f105141d54d1268be9b8332c5e6bf8592d1ee84/test/mjsunit/wasm/ffi-error.js

Project Member

Comment 4 by ClusterFuzz, Aug 8

ClusterFuzz has detected this issue as fixed in range 54939:54940.

Detailed report: https://clusterfuzz.com/testcase?key=6159163210858496

Fuzzer: inferno_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x5605c4c9475e
Crash State:
  v8::InstantiateBytesResultResolver::OnInstantiationFailed
  v8::internal::wasm::WasmEngine::AsyncInstantiate
  v8::AsyncInstantiateCompileResultResolver::OnCompilationSucceeded
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=53346:53347
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=54939:54940

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6159163210858496

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Aug 8

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6159163210858496 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.