
Issue metadata

Status: Fixed
Closed: May 14
Priority: 1
Type: Bug




hitting int3 in optimized code

Reported by neis@chromium.org (Project Member), May 8

Issue description

When browsing https://scannorthcounty.net/wxssgauges.php for a while. Probably a DeadValue or Unreachable node. Will investigate more tomorrow.

   0x1525a99fb0bb:      enter  0x168,0x0
   0x1525a99fb0bf:      add    BYTE PTR [rax-0x75],cl
   0x1525a99fb0c2:      jge    0x1525a99fb094
   0x1525a99fb0c4:      sub    edi,eax
   0x1525a99fb0c6:      mov    rax,QWORD PTR [rbp+0x10]
   0x1525a99fb0ca:      movabs r8,0x258ba23a1999
   0x1525a99fb0d4:      cmp    QWORD PTR [rax-0x1],r8
   0x1525a99fb0d8:      jne    0x1525a99fb65a
   0x1525a99fb0de:      movabs rbx,0x9c036f34631
   0x1525a99fb0e8:      mov    rsi,QWORD PTR [rbx+0x1f]
   0x1525a99fb0ec:      push   rax
   0x1525a99fb0ed:      movabs rbx,0x37fdc144cd9
   0x1525a99fb0f7:      push   rbx
   0x1525a99fb0f8:      push   0x0
   0x1525a99fb0fa:      mov    QWORD PTR [rbp-0x30],rdi
   0x1525a99fb0fe:      mov    rbx,QWORD PTR [r13-0x60]
   0x1525a99fb102:      mov    rcx,rax
   0x1525a99fb105:      movabs rdx,0x7f3f43c6c5d0
   0x1525a99fb10f:      call   0x1525a9a7c7e0
   0x1525a99fb114:      movabs rdi,0x258ba23a1999
   0x1525a99fb11e:      mov    rax,QWORD PTR [rbp+0x10]
   0x1525a99fb122:      cmp    QWORD PTR [rax-0x1],rdi
   0x1525a99fb126:      jne    0x1525a99fb664
   0x1525a99fb12c:      movabs rbx,0x9c036f34551
   0x1525a99fb136:      mov    rsi,QWORD PTR [rbx+0x1f]
   0x1525a99fb13a:      push   rax
   0x1525a99fb13b:      movabs rbx,0x37fdc144cc9
   0x1525a99fb145:      push   rbx
   0x1525a99fb146:      movabs rdx,0x7f3f43c6c270
   0x1525a99fb150:      mov    rbx,QWORD PTR [r13-0x60]
   0x1525a99fb154:      mov    rcx,rax
   0x1525a99fb157:      call   0x1525a990d580
   0x1525a99fb15c:      movabs rdi,0x258ba23a1999
   0x1525a99fb166:      mov    rax,QWORD PTR [rbp+0x10]
   0x1525a99fb16a:      cmp    QWORD PTR [rax-0x1],rdi
   0x1525a99fb16e:      jne    0x1525a99fb66e
   0x1525a99fb174:      push   rax
   0x1525a99fb175:      push   QWORD PTR [rbp-0x20]
   0x1525a99fb178:      movabs rdx,0x7f3f43c6af80
   0x1525a99fb182:      movabs rsi,0x8898ea84609
   0x1525a99fb18c:      mov    rbx,QWORD PTR [r13-0x60]
   0x1525a99fb190:      mov    rcx,rax
   0x1525a99fb193:      call   0x1525a990d580
   0x1525a99fb198:      movabs rbx,0x258ba23a1999
   0x1525a99fb1a2:      mov    rax,QWORD PTR [rbp+0x10]
   0x1525a99fb1a6:      cmp    QWORD PTR [rax-0x1],rbx
   0x1525a99fb1aa:      jne    0x1525a99fb678
   0x1525a99fb1b0:      int3   
=> 0x1525a99fb1b1:      movabs rbx,0x7f3f4b688bd0
   0x1525a99fb1bb:      xor    eax,eax
   0x1525a99fb1bd:      mov    rsi,QWORD PTR [rbp-0x8]
   0x1525a99fb1c1:      call   0x1525a9905220
   0x1525a99fb1c6:      jmp    0x1525a99f99c6
   0x1525a99fb1cb:      mov    QWORD PTR [rbp-0x30],rbx
   0x1525a99fb1cf:      mov    edx,0x28
   0x1525a99fb1d4:      call   0x1525a991eda0
   0x1525a99fb1d9:      lea    rcx,[rax-0x1]
   0x1525a99fb1dd:      movabs rdx,0x292f7c2b08f1
   0x1525a99fb1e7:      mov    rax,QWORD PTR [rbp-0x20]



0x258ba23a1999: [Map]
 - type: JS_API_OBJECT_TYPE
 - instance size: 40
 - inobject properties: 0
 - elements kind: HOLEY_ELEMENTS
 - unused property fields: 0
 - enum length: invalid
 - stable_map
 - back pointer: 0x3f2ce58024b9 <undefined>
 - prototype_validity cell: 0x1a3cd0302331 <Cell value= 1>
 - instance descriptors (own) #0: 0x3f2ce58022e1 <DescriptorArray[2]>
 - layout descriptor: (nil)
 - prototype: 0x37fdc130251 <Object map = 0x258ba23b48c9>
 - constructor: 0x9c036f364d1 <JSFunction CanvasRenderingContext2D (sfi = 0x9c036f36461)>
 - dependent code: 0x130f13808e41 <FixedArray[3]>
 - construction counter: 0

 
I am the owner of scannorthcounty.net/wxssgauges.php and it is programmed to stop receiving data after a period of time, but could always be refreshed without a crash. It now crashes within a minute and sometimes takes other tabs down with it, but not always. Hope this additional info helps.
Status: Started (was: Assigned)

Comment 3 by bugdroid1@chromium.org, May 14

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/fc36cacd17de7ba173d10c47127254ef7227568b

commit fc36cacd17de7ba173d10c47127254ef7227568b
Author: Georg Neis <neis@chromium.org>
Date: Mon May 14 10:16:22 2018

[compiler] Fix bug in representation changer.

We must not accept something of kBit representation as of
kWord32 representation (unless it's truncated accordingly).
Deopt instead.

Bug:  v8:7740 
Change-Id: Ib4f73600d66f8762a6e22f7ea1ce79e8ef451b34
Reviewed-on: https://chromium-review.googlesource.com/1054670
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53144}
[modify] https://crrev.com/fc36cacd17de7ba173d10c47127254ef7227568b/src/compiler/representation-change.cc
[modify] https://crrev.com/fc36cacd17de7ba173d10c47127254ef7227568b/src/compiler/representation-change.h
[add] https://crrev.com/fc36cacd17de7ba173d10c47127254ef7227568b/test/mjsunit/regress/regress-7740.js

Status: Fixed (was: Started)
Cc: pbomm...@chromium.org
Do we need to merge this back to 6.6 and 6.7?
As an affected end-user, yes please patch 6.6 & 6.7 ;)
Cc: jkummerow@chromium.org neis@chromium.org ahaas@chromium.org yangguo@chromium.org cbruni@chromium.org
Issue chromium:839848 has been merged into this issue.
Issue chromium:840003 has been merged into this issue.
Cc: hablich@chromium.org
Labels: Merge-Request-6.7
@hablich: Please decide if we can merge this to M67.
The canary is only a few hours old and only available on Mac so far, I still want to wait with merging if possible.
Labels: -Merge-Request-6.7 Merge-Approved-6.7

Comment 12 by bugdroid1@chromium.org, May 17

Labels: merge-merged-6.7
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2213bcb8fd096298c81ef7dd6080b37194d83b54

commit 2213bcb8fd096298c81ef7dd6080b37194d83b54
Author: Georg Neis <neis@chromium.org>
Date: Thu May 17 12:24:29 2018

Merged: [compiler] Fix bug in representation changer.

Revision: fc36cacd17de7ba173d10c47127254ef7227568b

BUG= v8:7740 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=hablich@chromium.org

Change-Id: I0c924f0c282dbd5402da341d21f77bb29404dc41
Reviewed-on: https://chromium-review.googlesource.com/1064058
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.7@{#71}
Cr-Branched-From: 8457e810efd34381448d51d93f50079cf1f6a812-refs/heads/6.7.288@{#2}
Cr-Branched-From: e921be5c4f2c6407936bde750992dedbf47c1016-refs/heads/master@{#52547}
[modify] https://crrev.com/2213bcb8fd096298c81ef7dd6080b37194d83b54/src/compiler/representation-change.cc
[modify] https://crrev.com/2213bcb8fd096298c81ef7dd6080b37194d83b54/src/compiler/representation-change.h
[add] https://crrev.com/2213bcb8fd096298c81ef7dd6080b37194d83b54/test/mjsunit/regress/regress-7740.js

Labels: -Merge-Approved-6.7

Comment 14 by bugdroid1@chromium.org, May 17

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3e113bba73bd9dd5130c2ec96b06111eae0354f0

commit 3e113bba73bd9dd5130c2ec96b06111eae0354f0
Author: Georg Neis <neis@chromium.org>
Date: Thu May 17 13:27:21 2018

Fix bad merge 2213bcb8fd096298c81ef7dd6080b37194d83b54.

TBR=jarin@chromium.org

LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Bug:  v8:7740 
Change-Id: Ic0cd53713df46364ca741330dd1940cb0d301204
Reviewed-on: https://chromium-review.googlesource.com/1064069
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.7@{#73}
Cr-Branched-From: 8457e810efd34381448d51d93f50079cf1f6a812-refs/heads/6.7.288@{#2}
Cr-Branched-From: e921be5c4f2c6407936bde750992dedbf47c1016-refs/heads/master@{#52547}
[modify] https://crrev.com/3e113bba73bd9dd5130c2ec96b06111eae0354f0/src/compiler/representation-change.cc

This "Aw, Snap!" bug continues to plague my website, Dubtrack.FM despite being on the latest stable update (66.0.3359.181).

If it helps, here are a few Crash IDs: 
Re #15, the fix has not been merged to 6.6. I am not sure it will be because it is not a security bug.
Right. I know before a few minor updates I had this issue on a few other sites. I would like to note that this bug has had a massive impact on my site and its reputation, as users think it's an issue with the site rather than the browser they're using. I appreciate that it may not be a security bug, but it's a bug that I'm sure is having a very big impact on other sites as well. I'm aware that my site may have code that is triggering this issue, so if your fix isn't going to be merged soon, could you maybe offer some guidance as to how we can fix it? Our error reporting system does not pick up on this crash, so we're stuck when it comes to finding out what code it could be.
Agree with comment #17. Still having the same issue with scannorthounty.net/wxssgauges.php and scannorthcounty.net/wxwdl.html

Using Version 66.0.3359.181 (Official Build) (64-bit) I have no idea how to install the patches mentioned in these threads.

Comment 19 by hablich@chromium.org, May 23

This will be on the first Chrome Stable 67 push. There are no 66 pushes planned anymore, so any merge to 6.6 wouldn't have any effect anyway.

Chrome 67 should go live next week according to https://www.chromium.org/developers/calendar.
