Issue 14297 in v8: mjsunit/wasm/wasm-to-js starts failing (flag fuzzer)


mache… via monorail

Sep 4, 2023, 2:54:12 PM
to v8-re...@googlegroups.com
Status: Untriaged
Owner: ----
Labels: Hotlist-FlagFuzz
Components: GarbageCollection WebAssembly
Priority: 1
Type: Bug

New issue 14297 by mache...@chromium.org: mjsunit/wasm/wasm-to-js starts failing (flag fuzzer)
https://bugs.chromium.org/p/v8/issues/detail?id=14297

Failing test: mjsunit/wasm/wasm-to-js
Failure link: https://cr-buildbucket.appspot.com/build/8770886406492678177
Link to Flako run: https://ci.chromium.org/ui/p/v8/builders/try.triggered/v8_flako/b8770859525997178673/overview

Crash type: DCHECK failure

Crash state:
kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)) in tagged-impl.h

Error summary:


#
# Fatal error in ../../src/objects/tagged-impl.h, line 144
# Debug check failed: kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)).
#
#
#
#FailureMessage Object: 0x7ffddca83610
==== C stack trace ===============================

/b/s/w/ir/out/build/libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x13) [0x7f1235ee35a3]
/b/s/w/ir/out/build/libv8_libplatform.so(+0x19b7d) [0x7f12319f2b7d]
/b/s/w/ir/out/build/libv8_libbase.so(V8_Fatal(char const*, int, char const*, ...)+0x154) [0x7f1235ec3264]
/b/s/w/ir/out/build/libv8_libbase.so(+0x2bd05) [0x7f1235ec2d05]
/b/s/w/ir/out/build/libv8.so(v8::internal::Object::VerifyPointer(v8::internal::Isolate*, v8::internal::Tagged<v8::internal::Object>)+0x44) [0x7f1233c29664]
/b/s/w/ir/out/build/libv8.so(v8::internal::TorqueGeneratedClassVerifiers::FixedArrayVerify(v8::internal::FixedArray, v8::internal::Isolate*)+0xa7) [0x7f12352729b7]
/b/s/w/ir/out/build/libv8.so(v8::internal::FixedArray::FixedArrayVerify(v8::internal::Isolate*)+0x1f) [0x7f1233c2a9cf]
/b/s/w/ir/out/build/libv8.so(v8::internal::HeapObject::HeapObjectVerify(v8::internal::Isolate*)+0xa21) [0x7f1233c28011]
/b/s/w/ir/out/build/libv8.so(v8::internal::Object::ObjectVerify(v8::internal::Tagged<v8::internal::Object>, v8::internal::Isolate*)+0xe6) [0x7f1233c27166]

Crash analysis hash: 173e3c3d35feb36a58a448ec3c840f0f


mache… via monorail

Sep 5, 2023, 3:42:49 AM
to v8-re...@googlegroups.com
Updates:
Owner: jgr...@chromium.org
Status: Assigned

Comment #1 on issue 14297 by mache...@chromium.org: mjsunit/wasm/wasm-to-js starts failing (flag fuzzer)
https://bugs.chromium.org/p/v8/issues/detail?id=14297#c1

Bisects to https://chromium-review.googlesource.com/c/v8/v8/+/4827607

Not sure if that's accurate... Can restart bisect.

mache… via monorail

Sep 5, 2023, 3:43:57 AM
to v8-re...@googlegroups.com

Comment #2 on issue 14297 by mache...@chromium.org: mjsunit/wasm/wasm-to-js starts failing (flag fuzzer)
https://bugs.chromium.org/p/v8/issues/detail?id=14297#c2

Run on parent of suspect: https://ci.chromium.org/ui/p/v8/builders/try.triggered/v8_flako/b8770811034281565921/overview

mache… via monorail

Sep 5, 2023, 4:34:13 AM
to v8-re...@googlegroups.com

Comment #3 on issue 14297 by mache...@chromium.org: mjsunit/wasm/wasm-to-js starts failing (flag fuzzer)
https://bugs.chromium.org/p/v8/issues/detail?id=14297#c3

No repro on parent... So probably bisect was right.

jgru… via monorail

Sep 5, 2023, 5:35:32 AM
to v8-re...@googlegroups.com
Updates:
NextAction: 2023-09-07

Comment #4 on issue 14297 by jgr...@chromium.org: mjsunit/wasm/wasm-to-js starts failing (flag fuzzer)
https://bugs.chromium.org/p/v8/issues/detail?id=14297#c4

Hmm.. behavior should be the same pre/post this change.

jgru… via monorail

Sep 7, 2023, 3:29:35 AM
to v8-re...@googlegroups.com

Comment #5 on issue 14297 by jgr...@chromium.org: mjsunit/wasm/wasm-to-js starts failing (flag fuzzer)
https://bugs.chromium.org/p/v8/issues/detail?id=14297#c5

Yes, confirming this crash already exists before my change. I'm still a bit confused wrt flako output, but locally I can repro on parent.

mache… via monorail

Sep 7, 2023, 3:48:05 AM
to v8-re...@googlegroups.com
Updates:
Cc: niko...@chromium.org

Comment #6 on issue 14297 by mache...@chromium.org: mjsunit/wasm/wasm-to-js starts failing (flag fuzzer)
https://bugs.chromium.org/p/v8/issues/detail?id=14297#c6

Feel free then to assign to current memory sheriff (CC'ed).

jgru… via monorail

Sep 7, 2023, 4:27:50 AM
to v8-re...@googlegroups.com
Updates:
Owner: ah...@chromium.org

Comment #7 on issue 14297 by jgr...@chromium.org: mjsunit/wasm/wasm-to-js starts failing (flag fuzzer)
https://bugs.chromium.org/p/v8/issues/detail?id=14297#c7

Locally I have the earliest repro at b24ac4a6b6b642085120e8d03c8cc2369d836c91. The nearby commit range is a bit messy for bisects due to a bunch of wasm-js-related reverts and relands. These are all somewhat nearby:

9ee1ba176a5 Reland "[wasm] Do not inline export wrappers for JSPI"
ea39cd717fb (HEAD) [wasm] Fix multi-return in the wasm-to-js wrapper
66aff43a74c [x64] Optimize v128.bitselect of zero constant
fd5d24ee6d1 [wasm] Limit generic wasm-to-js wrapper to 2 returns
12be26e09d4 Reland "[wasm] Support returns in the wasm-to-js wrapper"
a421a8057a8 [wasm][turboshaft] Add explicit int64 to int32 truncation
523e471e66b Revert "[wasm] Do not inline export wrappers for JSPI"
1c9bab05f9a [wasm][turboshaft] Implement call_ref/return_call_ref
f43a566ce60 [wasm] Do not inline export wrappers for JSPI
1c6ad765197 Revert "[wasm] Support returns in the wasm-to-js wrapper"
e361f3f1f05 [wasm] Support returns in the wasm-to-js wrapper
6013546f500 [wasm] Support params in the wasm-to-js wrapper

Andreas, you authored many of these - ptal. To repro:

$ tools/run-tests.py --progress=verbose --outdir=out/release-with-dchecks --timeout=60 --swarming --variants=default --exit-after-n-failures=1 --extra-flags --always-turbofan --extra-flags --future --extra-flags --no-enable-sahf --extra-flags --no-regexp-tier-up --extra-flags --stress-marking=2 --extra-flags --stress-scavenge=21 --extra-flags --random-gc-interval=1008 --extra-flags --fuzzer-random-seed=1780896809 mjsunit/wasm/wasm-to-js --random-seed-stress-count=1000000 --total-timeout-sec=120

=== mjsunit/wasm/wasm-to-js ===
--- stderr ---
#
# Fatal error in ../../src/objects/tagged-impl.h, line 142
# Debug check failed: kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)).
#
#
#
#FailureMessage Object: 0x7fffdfe7dcc0

==== C stack trace ===============================

/usr/local/google/home/jgruber/src/v8/out/release-with-dchecks/libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x13) [0x7f12a0ae1893]
/usr/local/google/home/jgruber/src/v8/out/release-with-dchecks/libv8_libplatform.so(+0x1823b) [0x7f12a0a8c23b]
/usr/local/google/home/jgruber/src/v8/out/release-with-dchecks/libv8_libbase.so(V8_Fatal(char const*, int, char const*, ...)+0x149) [0x7f12a0ac3509]
/usr/local/google/home/jgruber/src/v8/out/release-with-dchecks/libv8_libbase.so(+0x2a105) [0x7f12a0ac3105]
/usr/local/google/home/jgruber/src/v8/out/release-with-dchecks/libv8.so(v8::internal::Object::VerifyPointer(v8::internal::Isolate*, v8::internal::Object)+0x44) [0x7f129ec52d84]
/usr/local/google/home/jgruber/src/v8/out/release-with-dchecks/libv8.so(v8::internal::TorqueGeneratedClassVerifiers::FixedArrayVerify(v8::internal::FixedArray, v8::internal::Isolate*)+0xa7) [0x7f129ff4bb07]
/usr/local/google/home/jgruber/src/v8/out/release-with-dchecks/libv8.so(v8::internal::FixedArray::FixedArrayVerify(v8::internal::Isolate*)+0x1f) [0x7f129ec53d9f]

ah… via monorail

Sep 7, 2023, 10:51:11 AM
to v8-re...@googlegroups.com
Updates:
Labels: Priority-2

Comment #9 on issue 14297 by ah...@chromium.org: mjsunit/wasm/wasm-to-js starts failing (flag fuzzer)
https://bugs.chromium.org/p/v8/issues/detail?id=14297#c9

Lower the priority, because this feature is still behind a flag.

Git Watcher via monorail

Sep 12, 2023, 5:44:21 AM
to v8-re...@googlegroups.com

Comment #10 on issue 14297 by Git Watcher: mjsunit/wasm/wasm-to-js starts failing (flag fuzzer)
https://bugs.chromium.org/p/v8/issues/detail?id=14297#c10

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8/+/fff4d15bab981307dd0c49f44fac358a68f29dcd

commit fff4d15bab981307dd0c49f44fac358a68f29dcd
Author: Andreas Haas <ah...@chromium.org>
Date: Tue Sep 12 08:51:16 2023

[wasm] Initialize parameter FixedArray in wasm-to-js wrapper

A GC can be triggered before the whole FixedArray is written, so it has
to be initialized before it is filled with data.

R=thib...@chromium.org

Bug: v8:14297
Change-Id: Ib0749d058379090a957a72a03759d0e2975b48b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4852528
Reviewed-by: Thibaud Michaud <thib...@chromium.org>
Commit-Queue: Andreas Haas <ah...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#89925}

[modify] https://crrev.com/fff4d15bab981307dd0c49f44fac358a68f29dcd/src/objects/fixed-array.tq
[modify] https://crrev.com/fff4d15bab981307dd0c49f44fac358a68f29dcd/src/builtins/wasm-to-js.tq
[modify] https://crrev.com/fff4d15bab981307dd0c49f44fac358a68f29dcd/src/builtins/wasm.tq
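The failure mode behind this bug and its fix, as an added C++ model that is not part of the thread, of V8, or of the commit above: a tagged word must be either a Smi (low bit 0) or a strong HeapObject pointer (low two bits 01), which is what the DCHECK in tagged-impl.h enforces. If a FixedArray is allocated and a GC can run before every slot has been written, the heap verifier reads whatever stale bytes the allocator handed out. The toy allocator, the stale-memory pattern, the `kUndefinedValue` address, the `GcVerify` hook and the parameter values below are all constructed assumptions for illustration; only the tag encoding and the verified invariant mirror V8.

```cpp
// Toy model of the tagged-pointer invariant checked in src/objects/tagged-impl.h.
// Everything here (allocator, addresses, "GC may run here" hook) is a constructed
// illustration, not V8 code.
#include <cstddef>
#include <cstdint>
#include <vector>

using Tagged = uintptr_t;

constexpr Tagged kSmiTagMask = 1;          // low bit 0  -> Smi
constexpr Tagged kHeapObjectTagMask = 3;   // low bits 01 -> strong HeapObject
constexpr Tagged kStrongHeapObjectTag = 1; //          11 -> weak reference (never valid in a FixedArray slot)

// Hypothetical address of the "undefined" oddball: a well-formed strong pointer.
constexpr Tagged kUndefinedValue = 0x1000 | kStrongHeapObjectTag;

inline Tagged MakeSmi(int32_t v) { return static_cast<Tagged>(static_cast<uint32_t>(v)) << 1; }
inline bool IsSmi(Tagged v) { return (v & kSmiTagMask) == 0; }
inline bool HasStrongHeapObjectTag(Tagged v) { return (v & kHeapObjectTagMask) == kStrongHeapObjectTag; }

// Mirrors DCHECK(kCanBeWeak || (!IsSmi() == HAS_STRONG_HEAP_OBJECT_TAG(ptr_)))
// with kCanBeWeak == false, i.e. what FixedArrayVerify checks per slot.
inline bool VerifyPointer(Tagged v) { return (!IsSmi(v)) == HasStrongHeapObjectTag(v); }

struct FixedArray {
  std::vector<Tagged> slots;
};

// Constructed stale-heap pattern: low bits are 11, so it is neither a Smi nor a
// strong pointer. Real uninitialized memory can hold anything, including this.
constexpr Tagged kStalePattern = 0xDEADBEEFDEADBEEFull;

// A raw allocation: memory is reserved but no slot has been written yet.
FixedArray AllocateRaw(size_t n) {
  FixedArray a;
  a.slots.assign(n, kStalePattern);
  return a;
}

// What the heap verifier does when a GC runs: every slot must satisfy the invariant.
bool GcVerify(const FixedArray& a) {
  for (Tagged v : a.slots) {
    if (!VerifyPointer(v)) return false;
  }
  return true;
}

// Before the fix: allocate, then copy parameters. If something in the copy loop
// (e.g. converting a parameter) allocates and triggers a GC, the verifier sees
// slots that were never written.
bool BuggyFillParams(const std::vector<Tagged>& params, bool gc_in_window) {
  FixedArray a = AllocateRaw(params.size());
  if (gc_in_window && !GcVerify(a)) return false;  // DCHECK would fire here
  for (size_t i = 0; i < params.size(); ++i) a.slots[i] = params[i];
  return GcVerify(a);
}

// After the fix: initialize every slot with a valid tagged value (undefined)
// immediately after allocation, so any GC in the window only sees valid words.
bool FixedFillParams(const std::vector<Tagged>& params, bool gc_in_window) {
  FixedArray a = AllocateRaw(params.size());
  for (Tagged& slot : a.slots) slot = kUndefinedValue;  // the initialization the commit adds
  if (gc_in_window && !GcVerify(a)) return false;
  for (size_t i = 0; i < params.size(); ++i) a.slots[i] = params[i];
  return GcVerify(a);
}

// Constructed sample parameters: a Smi, undefined, and a hypothetical heap object.
std::vector<Tagged> SampleParams() {
  return {MakeSmi(42), kUndefinedValue, static_cast<Tagged>(0x2000) | kStrongHeapObjectTag};
}
```

The difference between the two wrappers is only the initialization loop; both end up with identical contents once the copy finishes, which is why the bug is invisible without a GC landing in the window (hence the `--stress-marking`/`--stress-scavenge`/`--random-gc-interval` flags in the repro command above) and why a verify-on-GC build is what catches it.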