
Issue 900535


Issue metadata

Status: Verified
Owner:
Closed: Nov 22
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Null-dereference READ in v8::internal::Isolate::wasm_module_constructor

Reported by ClusterFuzz (Project Member), Oct 31

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4679922529075200

Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000027
Crash State:
  v8::internal::Isolate::wasm_module_constructor
  v8::internal::WasmModuleObject::New
  v8::internal::WasmModuleObject::New
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=56592:56593

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4679922529075200

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: ishell@chromium.org verwa...@chromium.org
Owner: rmcilroy@chromium.org
Status: Assigned (was: Untriaged)
CF points to 85b7f1cd91a7b3c295d0ccef3efa7e4fb84694aa. PTAL
Cc: mstarzinger@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Michi: This is related to the access to the native context in WasmModuleObject::New() when finalizing an asm.js module. The compiler dispatcher can finalize compilation in an idle task with no native context entered, and as such we see this crash when trying to finalize the native context.

Is there any way we can avoid WasmModuleObject being a context-dependent JS object, or make it happen later (e.g., during module instantiation)?
Labels: -Pri-1 Pri-2
Only reproducible with non-shipping flags, so reducing priority
Comment 4 by bugdroid1@chromium.org (Project Member), Nov 21

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ccd8073c7b196fa6e94483657dbbd1913687ffa9

commit ccd8073c7b196fa6e94483657dbbd1913687ffa9
Author: Ross McIlroy <rmcilroy@chromium.org>
Date: Wed Nov 21 22:06:39 2018

[AsmJs] Avoid allocation of WasmModuleObject until instantiation.

Moves allocation of the WasmModuleObject for asm.js code out of SyncCompileTranslatedAsmJS
since that is called when we are compiling the native context independent SharedFunctionInfo
and the WasmModuleObject requires a native context. Instead save the members required to
create the object in the AsmWasmData and create it during module instantiation. Note:
since the Wasm module is an implementation detail for asm_wasm code and isn't exposed,
this doesn't have semantic change for asm.js code.

As part of this change, the AsmWasmData is changed from a FixedArray to a dedicated
struct. Some logic is also moved from module-compiler to wasm-engine to make the
separation between Wasm SyncCompile and AsmJS SyncCompile more clear.

BUG=chromium:900535,v8:8395

Change-Id: Ia48469c095b0688f210aa86e7430c9ab4ea4b26b
Reviewed-on: https://chromium-review.googlesource.com/c/1345509
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57704}
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/asmjs/asm-js.cc
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/asmjs/asm-js.h
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/code-stub-assembler.cc
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/compiler/code-assembler.h
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/compiler/types.cc
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/objects-debug.cc
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/objects-definitions.h
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/objects-printer.cc
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/objects.cc
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/objects.h
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/objects/shared-function-info-inl.h
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/objects/shared-function-info.h
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/runtime/runtime-compiler.cc
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/unoptimized-compilation-info.h
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/wasm/module-compiler.cc
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/wasm/module-compiler.h
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/wasm/wasm-engine.cc
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/wasm/wasm-engine.h
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/wasm/wasm-objects-inl.h
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/wasm/wasm-objects.cc
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/wasm/wasm-objects.h
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/src/wasm/wasm-serialization.cc
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/test/common/wasm/wasm-module-runner.cc
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/test/mjsunit/parallel-compile-tasks.js
[modify] https://crrev.com/ccd8073c7b196fa6e94483657dbbd1913687ffa9/tools/v8heapconst.py
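The mechanism described in the triage comment and in the commit message above (a context-bound object allocated on a compile-finalization path that can run in an idle task with no native context entered, fixed by keeping only context-free data at that point and creating the object at instantiation) as an added, simplified C++ model. This is not V8 code: `Isolate`, `NativeContext`, `AsmWasmData`, `WasmModuleObject` and the three functions are hypothetical stand-ins named after the V8 types they mimic, and the module bytes are a constructed sample.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Hypothetical, simplified stand-ins for V8's NativeContext and Isolate.
// Only the dependence on an entered context is modelled.
struct JSFunction { std::string name; };

struct NativeContext {
  JSFunction wasm_module_constructor{"WebAssembly.Module"};
};

struct Isolate {
  NativeContext* native_context = nullptr;  // nullptr: no context entered
};

// Context-independent product of the asm.js -> wasm translation. In the fix
// this role is played by V8's AsmWasmData struct; here it is plain data.
struct AsmWasmData {
  std::vector<uint8_t> module_bytes;  // translated module, context-free
  std::string source_name;
};

// Context-bound, JS-visible object: its constructor lives in the context.
struct WasmModuleObject {
  const JSFunction* constructor;
  AsmWasmData data;
};

// BEFORE (the crashing shape): allocate the context-bound object while
// finalizing compilation. V8 read the constructor through the current native
// context without checking for one; on the idle-task finalization path there
// is none, so the read went through a null pointer (the reported crash
// address 0x27 is consistent with a field read at a small offset from null).
// Here the missing-context case is surfaced as a nullptr result instead of a
// fault so the two pipelines can be compared side by side.
WasmModuleObject* FinalizeAsmJsEager(Isolate* isolate,
                                     std::vector<uint8_t> bytes,
                                     std::string name) {
  if (isolate->native_context == nullptr) return nullptr;  // V8: null read here
  return new WasmModuleObject{
      &isolate->native_context->wasm_module_constructor,
      AsmWasmData{std::move(bytes), std::move(name)}};
}

// AFTER: finalization only produces context-free data and never touches the
// native context, so it is safe to run from an idle task or background thread.
AsmWasmData FinalizeAsmJsDeferred(std::vector<uint8_t> bytes, std::string name) {
  return AsmWasmData{std::move(bytes), std::move(name)};
}

// Instantiation runs with a context entered; the context-bound object is
// created here and the precondition is checked explicitly.
WasmModuleObject* InstantiateAsmJs(Isolate* isolate, const AsmWasmData& data) {
  if (isolate->native_context == nullptr) return nullptr;  // precondition
  return new WasmModuleObject{
      &isolate->native_context->wasm_module_constructor, data};
}

// Drive both pipelines under the idle-task condition: no context entered when
// compilation is finalized, a context entered by the time of instantiation.
// Returns true when the eager path fails and the deferred path succeeds.
bool DemonstrateFix() {
  Isolate isolate;  // nothing entered yet
  std::vector<uint8_t> bytes = {0x00, 0x61, 0x73, 0x6d};  // constructed sample

  // Eager path: finalization needs the context, which is absent.
  WasmModuleObject* eager = FinalizeAsmJsEager(&isolate, bytes, "f");
  bool eager_failed = (eager == nullptr);
  delete eager;

  // Deferred path: finalization is context-free; instantiation happens later.
  AsmWasmData data = FinalizeAsmJsDeferred(bytes, "f");
  NativeContext ctx;
  isolate.native_context = &ctx;  // a context is entered before instantiation
  WasmModuleObject* mod = InstantiateAsmJs(&isolate, data);
  bool deferred_ok = mod != nullptr &&
                     mod->constructor->name == "WebAssembly.Module" &&
                     mod->data.module_bytes == bytes;
  delete mod;
  return eager_failed && deferred_ok;
}

int main() { return DemonstrateFix() ? 0 : 1; }
```

The point of the split is the one the commit message makes: everything the finalization step produces must be usable without a context, and the first operation that needs the context is also the first one that is guaranteed to have it.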

Comment 5 by ClusterFuzz (Project Member), Nov 22

ClusterFuzz has detected this issue as fixed in range 57703:57704.

Detailed report: https://clusterfuzz.com/testcase?key=4679922529075200

Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000027
Crash State:
  v8::internal::Isolate::wasm_module_constructor
  v8::internal::WasmModuleObject::New
  v8::internal::WasmModuleObject::New
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=56592:56593
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=57703:57704

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4679922529075200

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 6 by ClusterFuzz (Project Member), Nov 22

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4679922529075200 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
