V8 correctness failure in configs: x64,ignition:x64,ignition_turbo
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6259399984939008
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 2e7
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57516:57517
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6259399984939008
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Nov 15
Thanks! Can reproduce, even without switching to single-core. Will triage.
Nov 15
Still somewhat timing specific, but I managed to reduce it a little bit ...
// Reduced reproducer: it deliberately triggers the miscompile, so its behaviour is kept as posted.
var boom = function boom(value) {
  if (typeof value == "object") {
    // Object.keys is read through the global property cell for "Object"; TurboFan
    // folds it to a constant and records a dependency on that cell.
    Object.keys(value).map(function(key) { boom() }).join();
  }
}
// Warm up boom so it gets marked for optimized recompilation.
for (var i = 0; i < 3000; ++i) {
  boom({x: undefined, y: undefined});
}
// Redefine the global Object. This invalidates its property cell, so optimized
// code that folded Object.keys must not be used any more.
this.__defineGetter__("Object", ()=>0);
// Burn some time; the reproducer is timing sensitive (see the comment above).
function delay() {
  for (var i = 0; i < 100000; i++) { arguments[0] }
}
delay();
// Expected: TypeError (Object.keys is not a function). With the bug, optimized
// boom still calls the folded Object.keys and no exception is thrown.
boom({});
Nov 15
Running the above without flags does not throw an exception; disabling TurboFan with --noopt will cause a TypeError to be thrown. Here are the two runs with some tracing ...
$ ./out/x64.debug/d8 ~/Downloads/clusterfuzz-testcase-minimized-6259399984939008-mod.js --trace-opt --trace-deopt
[marking 0x3e43418801a1 <JSFunction boom (sfi = 0x247199a00c9)> for optimized recompilation, reason: small function, ICs with typeinfo: 7/7 (100%), generic ICs: 0/7 (0%)]
[compiling method 0x3e43418801a1 <JSFunction boom (sfi = 0x247199a00c9)> using TurboFan]
[optimizing 0x3e43418801a1 <JSFunction boom (sfi = 0x247199a00c9)> - took 18.009, 20.130, 0.264 ms]
[completed optimizing 0x3e43418801a1 <JSFunction boom (sfi = 0x247199a00c9)>]
[marking 0x0247199a05e1 <JSFunction delay (sfi = 0x247199a0071)> for optimized recompilation, reason: small function, ICs with typeinfo: 3/3 (100%), generic ICs: 0/3 (0%)]
[compiling method 0x0247199a05e1 <JSFunction delay (sfi = 0x247199a0071)> using TurboFan OSR]
[optimizing 0x0247199a05e1 <JSFunction delay (sfi = 0x247199a0071)> - took 3.565, 7.304, 0.203 ms]
[deoptimizing (DEOPT eager): begin 0x3e43418801a1 <JSFunction boom (sfi = 0x247199a00c9)> (opt #0) @6, FP to SP delta: 72, caller sp: 0x7ffd6e5f7f48]
;;; deoptimize at </usr/local/google/home/mstarzinger/Downloads/clusterfuzz-testcase-minimized-6259399984939008-mod.js:3:53>, wrong map
reading input frame boom => bytecode_offset=53, args=2, height=6, retval=0(#0); inputs:
0: 0x3e43418801a1 ; [fp - 16] 0x3e43418801a1 <JSFunction boom (sfi = 0x247199a00c9)>
1: 0x3e43418801e1 ; [fp + 24] 0x3e43418801e1 <JSGlobal Object>
2: 0x3e43418dcf21 ; [fp + 16] 0x3e43418dcf21 <Object map = 0x342a3c080459>
3: captured object #0 (length = 7)
0x1d4efb800a39 ; (literal 2) 0x1d4efb800a39 <Map>
0x000500000000 ; (literal 3) 5
0x0247199a0a59 ; (literal 4) 0x0247199a0a59 <ScopeInfo FUNCTION_SCOPE [8]>
0x024719981de1 ; [fp - 24] 0x024719981de1 <NativeContext[249]>
0x1d4efb8005b9 ; (literal 5) 0x1d4efb8005b9 <the_hole>
0x024719981de1 ; (literal 6) 0x024719981de1 <NativeContext[249]>
0x3e43418801a1 ; [fp - 16] 0x3e43418801a1 <JSFunction boom (sfi = 0x247199a00c9)>
4: 0x1d4efb800e21 ; (literal 7) 0x1d4efb800e21 <Odd Oddball: optimized_out>
5: 0x1d4efb800e21 ; (literal 7) 0x1d4efb800e21 <Odd Oddball: optimized_out>
6: 0x3e43418dcf79 ; r9 0x3e43418dcf79 <JSArray[0]>
7: 0x1d4efb800e21 ; (literal 7) 0x1d4efb800e21 <Odd Oddball: optimized_out>
8: 0x1d4efb800e21 ; (literal 7) 0x1d4efb800e21 <Odd Oddball: optimized_out>
9: 0x1d4efb800e21 ; (literal 7) 0x1d4efb800e21 <Odd Oddball: optimized_out>
translating interpreted frame boom => bytecode_offset=53, height=48
0x7ffd6e5f7f40: [top + 104] <- 0x3e43418801e1 <JSGlobal Object> ; stack parameter (input #1)
0x7ffd6e5f7f38: [top + 96] <- 0x3e43418dcf21 <Object map = 0x342a3c080459> ; stack parameter (input #2)
-------------------------
0x7ffd6e5f7f30: [top + 88] <- 0x100f1548af8d ; caller's pc
0x7ffd6e5f7f28: [top + 80] <- 0x7ffd6e5f7f90 ; caller's fp
0x7ffd6e5f7f20: [top + 72] <- 0x1d4efb800c39 <Odd Oddball: arguments_marker> ; context (input #3)
0x7ffd6e5f7f18: [top + 64] <- 0x3e43418801a1 <JSFunction boom (sfi = 0x247199a00c9)> ; function (input #0)
0x7ffd6e5f7f10: [top + 56] <- 0x0247199a0b79 <BytecodeArray[65]> ; bytecode array
0x7ffd6e5f7f08: [top + 48] <- 0x006e00000000 <Smi 110> ; bytecode offset
-------------------------
0x7ffd6e5f7f00: [top + 40] <- 0x1d4efb800e21 <Odd Oddball: optimized_out> ; stack parameter (input #4)
0x7ffd6e5f7ef8: [top + 32] <- 0x1d4efb800e21 <Odd Oddball: optimized_out> ; stack parameter (input #5)
0x7ffd6e5f7ef0: [top + 24] <- 0x3e43418dcf79 <JSArray[0]> ; stack parameter (input #6)
0x7ffd6e5f7ee8: [top + 16] <- 0x1d4efb800e21 <Odd Oddball: optimized_out> ; stack parameter (input #7)
0x7ffd6e5f7ee0: [top + 8] <- 0x1d4efb800e21 <Odd Oddball: optimized_out> ; stack parameter (input #8)
0x7ffd6e5f7ed8: [top + 0] <- 0x1d4efb800e21 <Odd Oddball: optimized_out> ; accumulator (input #9)
[deoptimizing (eager): end 0x3e43418801a1 <JSFunction boom (sfi = 0x247199a00c9)> @6 => node=53, pc=0x560c96526f60, caller sp=0x7ffd6e5f7f48, took 0.402 ms]
Materialization [0x7ffd6e5f7f20] <- 0x0247199a19c1 ; 0x0247199a19c1 <FunctionContext[5]>
$ ./out/x64.debug/d8 ~/Downloads/clusterfuzz-testcase-minimized-6259399984939008-mod.js --allow-natives-syntax --trace-opt --trace-deopt --noopt
/usr/local/google/home/mstarzinger/Downloads/clusterfuzz-testcase-minimized-6259399984939008-mod.js:3: TypeError: Object.keys is not a function
Object.keys(value).map(function(key) { boom() }).join();
^
TypeError: Object.keys is not a function
at boom (/usr/local/google/home/mstarzinger/Downloads/clusterfuzz-testcase-minimized-6259399984939008-mod.js:3:12)
at /usr/local/google/home/mstarzinger/Downloads/clusterfuzz-testcase-minimized-6259399984939008-mod.js:14:1
Nov 16
This is a bug in compilation dependencies for property cells. The invalidated property is encoded as kConstant with hole value. Since we only check PropertyCellType to ensure validity, we believe that the invalidated property cell is still a valid constant.
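A simplified model of the dependency check described in that comment, added here as an illustration (not V8's code and not the fix's diff): the buggy variant consults only the PropertyCellType, while the fixed variant also rejects a cell that has been invalidated to the hole. The names PropertyCell, dependencyHoldsBuggy, dependencyHoldsFixed, simulate and the globals table are assumptions made for the model.

```javascript
// Simplified model (assumed names, not V8's code) of the TurboFan
// compilation dependency this bug is about: a global such as `Object`
// lives in a PropertyCell, and optimized code that folds the cell's value
// to a constant may only be installed if that dependency still holds.
const THE_HOLE = Symbol("the_hole");   // marker an invalidated cell carries
const PropertyCellType = { kUndefined: 0, kConstant: 1, kMutable: 2 };

class PropertyCell {
  constructor(value) { this.type = PropertyCellType.kConstant; this.value = value; }
  // Per the thread: an invalidated cell keeps type kConstant but holds the
  // hole, so a check that looks only at the type cannot see the invalidation.
  invalidate() { this.value = THE_HOLE; }
}

// Buggy dependency check: consults PropertyCellType only.
function dependencyHoldsBuggy(cell, expectedType) {
  return cell.type === expectedType;
}
// Fixed dependency check: a hole-valued (invalidated) cell fails.
function dependencyHoldsFixed(cell, expectedType) {
  return cell.type === expectedType && cell.value !== THE_HOLE;
}

// Replays the reproducer's sequence: fold Object.keys while compiling `boom`,
// redefine the global before the compile job commits, then run boom({}).
function simulate(dependencyHolds) {
  const globals = { Object: { keys: Object.keys } };   // constructed global table
  const objectCell = new PropertyCell(globals.Object);
  const foldedKeys = objectCell.value.keys;            // constant baked into optimized code
  // Models this.__defineGetter__("Object", () => 0): new value, cell invalidated.
  globals.Object = 0;
  objectCell.invalidate();
  const installed = dependencyHolds(objectCell, PropertyCellType.kConstant);
  try {
    // Optimized code uses the stale constant; the interpreter re-reads the global.
    const keysFn = installed ? foldedKeys : globals.Object.keys;
    if (typeof keysFn !== "function") throw new TypeError("Object.keys is not a function");
    return { installed, result: keysFn({ x: undefined, y: undefined }).length };
  } catch (e) {
    return { installed, result: e.name };
  }
}
```

With the buggy check the optimized code is installed and silently returns a key count; with the fixed check the dependency fails and the TypeError the interpreter raises is observed, matching the two d8 runs above.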
Nov 19
ClusterFuzz has detected this issue as fixed in range 57589:57590.
Detailed report: https://clusterfuzz.com/testcase?key=6259399984939008
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 2e7
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57516:57517
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57589:57590
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6259399984939008
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 19
ClusterFuzz testcase 6259399984939008 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 19
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/7b7e61c1e630572515c41c150e81bc904f793b4b

commit 7b7e61c1e630572515c41c150e81bc904f793b4b
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Mon Nov 19 10:24:42 2018

[turbofan] Fix property cell dependencies.

Fail IsInvalid check if the property cell has been invalidated.

Bug: chromium:905555
Change-Id: Ia0712b97bd6ba628936b74b3893ddb1c229ee686
Reviewed-on: https://chromium-review.googlesource.com/c/1339863
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57597}

[modify] https://crrev.com/7b7e61c1e630572515c41c150e81bc904f793b4b/src/compiler/compilation-dependencies.cc
[modify] https://crrev.com/7b7e61c1e630572515c41c150e81bc904f793b4b/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/7b7e61c1e630572515c41c150e81bc904f793b4b/test/mjsunit/compiler/regress-905555-2.js
[add] https://crrev.com/7b7e61c1e630572515c41c150e81bc904f793b4b/test/mjsunit/compiler/regress-905555.js
Nov 19
ClusterFuzz has detected this issue as fixed in range 57592:57593.
Detailed report: https://clusterfuzz.com/testcase?key=6259399984939008
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 2e7
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57516:57517
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57592:57593
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6259399984939008
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by machenb...@chromium.org, Nov 15
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)