Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

13.2.0 crashes when running uglify-js fuzzer #30586

Closed
alexlamsl opened this issue Nov 22, 2019 · 16 comments
Closed

13.2.0 crashes when running uglify-js fuzzer #30586

alexlamsl opened this issue Nov 22, 2019 · 16 comments
Labels
v8 engine Issues and PRs related to the V8 dependency.

Comments

@alexlamsl
Copy link

  • Version: 13.2.0
  • Platform: Ubuntu & Windows

Node.js silently crashes when running the following:

$ git clone https://github.com/mishoo/UglifyJS2.git
$ cd UglifyJS2
$ node --max-old-space-size=2048 test/ufuzz
581 of Infinity
$

The process is expected to run indefinitely, as with 13.1.0 and all previous versions of Node.js. Instead with 13.2.0 it aborts without even returning a non-zero code.

@alexlamsl
Copy link
Author

For completeness I've just tried 12.13.1 (was on 12.13.0) and it also works fine without crashing.

@targos
Copy link
Member

targos commented Nov 22, 2019

I think this is fixed by #30582

No it's not fixed by that PR. It just took longer to crash.

@targos
Copy link
Member

targos commented Nov 22, 2019

So that's probably a bug in V8 7.9. I'll try to run it with GDB.

@targos
Copy link
Member

targos commented Nov 22, 2019

(gdb) bt
#0  0x00000009df5d3ede in ?? ()
#1  0x0000000000e041e6 in v8::internal::Runtime_StorePropertyWithInterceptor(int, unsigned long*, v8::internal::Isolate*) ()
#2  0x00000000013bc319 in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit () at ../../deps/v8/../../deps/v8/src/builtins/base.tq:3629
#3  0x0000000001434f22 in Builtins_StaNamedPropertyWideHandler () at ../../deps/v8/../../deps/v8/src/builtins/base.tq:385
#4  0x00000000013483fb in Builtins_InterpreterEntryTrampoline () at ../../deps/v8/../../deps/v8/src/builtins/base.tq:412

/cc @nodejs/v8

@targos
Copy link
Member

targos commented Nov 22, 2019

#
# Fatal error in ../../deps/v8/src/ic/ic.cc, line 2739
# Debug check failed: interceptor_holder->HasNamedInterceptor().
#
#
#
#FailureMessage Object: 0x7ffdb10211b0
Thread 1 "node" received signal SIGILL, Illegal instruction.
v8::base::OS::Abort () at ../../deps/v8/src/base/platform/platform-posix.cc:407
407         V8_IMMEDIATE_CRASH();
#2  0x000000000272d203 in v8::base::(anonymous namespace)::DefaultDcheckHandler (file=<optimized out>, line=<optimized out>, message=<optimized out>) at ../../deps/v8/src/base/logging.cc:57
57        V8_Fatal(file, line, "Debug check failed: %s.", message);
Missing separate debuginfos, use: dnf debuginfo-install libgcc-9.2.1-1.fc31.x86_64 libstdc++-9.2.1-1.fc31.x86_64
(gdb) bt
#0  v8::base::OS::Abort () at ../../deps/v8/src/base/platform/platform-posix.cc:407
#1  0x000000000272d1e9 in V8_Fatal (file=0x2de6720 "../../deps/v8/src/ic/ic.cc", line=2739, format=format@entry=0x4eac23a "Debug check failed: %s.") at ../../deps/v8/src/base/logging.cc:182
#2  0x000000000272d203 in v8::base::(anonymous namespace)::DefaultDcheckHandler (file=<optimized out>, line=<optimized out>, message=<optimized out>) at ../../deps/v8/src/base/logging.cc:57
#3  0x00000000014c8021 in v8::internal::__RT_impl_Runtime_StorePropertyWithInterceptor (args=..., isolate=isolate@entry=0x5d2e850) at ../../deps/v8/src/ic/ic.cc:2739
#4  0x00000000014c8547 in v8::internal::Runtime_StorePropertyWithInterceptor (args_length=5, args_object=0x7ffdb10216a0, isolate=0x5d2e850) at ../../deps/v8/src/ic/ic.cc:2719
#5  0x0000000001e6d720 in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit () at ../../deps/v8/src/builtins/builtins-async-iterator-gen.cc:267
#6  0x00000000020d7c94 in Builtins_StaNamedPropertyWideHandler () at ../../deps/v8/src/interpreter/interpreter-generator.cc:778

@targos
Copy link
Member

targos commented Nov 22, 2019

Possibly introduced by v8/v8@2f1bc98

/cc @danelphic

@targos
Copy link
Member

targos commented Nov 22, 2019

@danelphick

@verwaest
Copy link
Contributor

Does your build include https://chromium-review.googlesource.com/c/v8/v8/+/1807356 ? If not, that might be the issue.

@targos
Copy link
Member

targos commented Nov 22, 2019

@verwaest yes, it does include that commit. I can reproduce the crash with V8 master.

@verwaest
Copy link
Contributor

Alternatively you try to revert that CL as well as https://chromium-review.googlesource.com/c/v8/v8/+/1696285. If that works there could be another bug in that CL.

Or did you bisect the issue to Dan's CL?

@targos
Copy link
Member

targos commented Nov 22, 2019

No, I did not bisect.
Reverting just https://chromium-review.googlesource.com/c/v8/v8/+/1696285 is not trivial, there are conflicts in src/ic/accessor-assembler.cc and src/ic/ic.cc.

@addaleax addaleax added the v8 engine Issues and PRs related to the V8 dependency. label Nov 22, 2019
@verwaest
Copy link
Contributor

https://chromium-review.googlesource.com/c/v8/v8/+/1930903 may fix it. (Took me a while to repro in debug mode :))

@targos
Copy link
Member

targos commented Nov 22, 2019

I confirm the fix seems to work (no crash in over 10 minutes). Will it be backmerged to 7.9 ?

@bricss
Copy link

bricss commented Nov 26, 2019

Still no-signal on this? 🙄

targos added a commit to targos/node that referenced this issue Nov 27, 2019
Original commit message:

    [ic] Fix non-GlobalIC store to interceptor on the global object

    We possibly need to load the global object from the global proxy as the holder
    of the named interceptor.

    Change-Id: I0f9f2e448630608ae853588f6751b55574a9efd9
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1930903
    Commit-Queue: Igor Sheludko <ishell@chromium.org>
    Reviewed-by: Igor Sheludko <ishell@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#65119}

Refs: v8/v8@93f189f
Fixes: nodejs#30586
@verwaest
Copy link
Contributor

Hey sorry for the late reply, but this fix only affects node so it made sense that you locally applied it. Thanks!

@targos targos closed this as completed in b7b39e0 Nov 29, 2019
@alexlamsl
Copy link
Author

@verwaest @targos thanks for sorting this out!

addaleax pushed a commit that referenced this issue Nov 30, 2019
Original commit message:

    [ic] Fix non-GlobalIC store to interceptor on the global object

    We possibly need to load the global object from the global proxy as the holder
    of the named interceptor.

    Change-Id: I0f9f2e448630608ae853588f6751b55574a9efd9
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1930903
    Commit-Queue: Igor Sheludko <ishell@chromium.org>
    Reviewed-by: Igor Sheludko <ishell@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#65119}

Refs: v8/v8@93f189f
Fixes: #30586

PR-URL: #30681
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
v8 engine Issues and PRs related to the V8 dependency.
Projects
None yet
Development

No branches or pull requests

5 participants