Issue 900013


Issue metadata

Status: Verified
Owner:
Closed: Oct 31
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug


Unreachable code in builtins-internal.cc

Project Member Reported by ClusterFuzz, Oct 29

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5867481456181248

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: Unreachable code
Crash Address: 
Crash State:
  builtins-internal.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=57098:57099

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5867481456181248

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Oct 29

Labels: OS-Windows
Project Member

Comment 2 by ClusterFuzz, Oct 29

Labels: Test-Predator-Auto-Owner
Owner: ftang@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/7e51828e49c90f580e94ab393247a298e8319f20 ([Intl] Stage Intl.Segmenter).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
+----------------------------------------Debug Build Stacktrace----------------------------------------+
#
# Fatal error in ../../src/builtins/builtins-internal.cc, line 15
# unreachable code
#
#
#
#FailureMessage Object: 0x7ffdd640b190
==== C stack trace ===============================
    /mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_d6e9ae17d55dc3e1212a801549fcd258e882a310/revisions/d8-linux-debug-v8-component-57100/./libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x13) [0x7f85967b21a3]
    /mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_d6e9ae17d55dc3e1212a801549fcd258e882a310/revisions/d8-linux-debug-v8-component-57100/./libv8_libplatform.so(+0x1051b) [0x7f859678451b]
    /mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_d6e9ae17d55dc3e1212a801549fcd258e882a310/revisions/d8-linux-debug-v8-component-57100/./libv8_libbase.so(V8_Fatal(char const*, int, char const*, ...)+0x148) [0x7f85967a90a8]
    /mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_d6e9ae17d55dc3e1212a801549fcd258e882a310/revisions/d8-linux-debug-v8-component-57100/./libv8.so(+0x848fee) [0x7f85952d5fee]
    /mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_d6e9ae17d55dc3e1212a801549fcd258e882a310/revisions/d8-linux-debug-v8-component-57100/./libv8.so(v8::internal::Builtin_Illegal(int, v8::internal::Object**, v8::internal::Isolate*)+0x6d) [0x7f85952d5e1d]
    /mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_d6e9ae17d55dc3e1212a801549fcd258e882a310/revisions/d8-linux-debug-v8-component-57100/./libv8.so(+0x17aaff2) [0x7f8596237ff2]
Cc: js...@chromium.org gsat...@chromium.org
Notice Builtin_Illegal
I suspect it came from src/bootstrapper.cc

    // Setup SegmentIterator constructor.
    Handle<JSFunction> segment_iterator_fun = InstallFunction(
        isolate(), intl, "SegmentIterator", JS_INTL_SEGMENT_ITERATOR_TYPE,
        JSSegmentIterator::kSize, 0, prototype, Builtins::kIllegal);

It surely came from that line. I #if 0 out those lines and it won't hit the UNREACHABLE. The question now is what should I do to fix it?
Status: Started (was: Assigned)
WiP https://chromium-review.googlesource.com/c/v8/v8/+/1306906
Project Member

Comment 7 by bugdroid1@chromium.org, Oct 30

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/78c053a5c1a8b2a85b26e7ee2b16e03211b2acd5

commit 78c053a5c1a8b2a85b26e7ee2b16e03211b2acd5
Author: Frank Tang <ftang@chromium.org>
Date: Tue Oct 30 16:32:54 2018

[Intl] Hide Intl["SegmentIterator"]

Fix the code that incorrectly exposed Intl["SegmentIterator"], which caused
Unreachable code in builtins-internal.cc

Bug: chromium:900013
Change-Id: I50d457a9f065d597b3bbb77a7a45011335c959da
Reviewed-on: https://chromium-review.googlesource.com/c/1306906
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57140}
[modify] https://crrev.com/78c053a5c1a8b2a85b26e7ee2b16e03211b2acd5/src/bootstrapper.cc
[add] https://crrev.com/78c053a5c1a8b2a85b26e7ee2b16e03211b2acd5/test/intl/regress-900013.js

Project Member

Comment 8 by ClusterFuzz, Oct 31

ClusterFuzz has detected this issue as fixed in range 57139:57140.

Detailed report: https://clusterfuzz.com/testcase?key=5867481456181248

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: Unreachable code
Crash Address: 
Crash State:
  builtins-internal.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=57098:57099
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=57139:57140

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5867481456181248

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Oct 31

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5867481456181248 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
