AOT-ReleaseX64 segfault #35703

Closed
aartbik opened this issue Jan 18, 2019 · 6 comments
Assignees
Labels
area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. dartfuzz Found with Dart fuzzing (DartFuzz, libFuzzer, etc.)

Comments

@aartbik
Contributor

aartbik commented Jan 18, 2019

Reproduces on ToT.

Isolate (/b/s/w/itTQ5HWJ/dart_fuzzOPFNNB) AOT-ReleaseX64 - KBC-CMP-ReleaseX64: !DIVERGENCE! 1.2:3608420507 (output=false)

fail1:

===== CRASH =====
version=2.2.0-edge.e64428a8395179f534fee45ca9a831e6c2c39d03 (Fri Jan 18 01:41:18 2019 +0000) on "linux_x64"
si_signo=Segmentation fault(11), si_code=1, si_addr=0x8
thread=461, isolate=isolate(0x556c3fada900)
[0x0000556c3eb2c904] Unknown symbol
[0x0000556c3eb2c904] Unknown symbol
[0x0000556c3eafa4bf] Unknown symbol
[0x0000556c3eac3f90] Unknown symbol
[0x0000556c3eac57fe] Unknown symbol
[0x0000556c3eac0e05] Unknown symbol
[0x0000556c3eabf86a] Unknown symbol
[0x0000556c3eaba924] Unknown symbol
[0x0000556c3eab8460] Unknown symbol
[0x0000556c3eab8034] Unknown symbol
[0x0000556c3ec0de9a] Unknown symbol
[0x0000556c3e864170] Unknown symbol
-- End of DumpStackTrace

@aartbik aartbik added area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. dartfuzz Found with Dart fuzzing (DartFuzz, libFuzzer, etc.) labels Jan 18, 2019
@aartbik aartbik self-assigned this Jan 18, 2019
@aartbik
Contributor Author

aartbik commented Jan 18, 2019

The stack trace is awful on the crash, but it happens during

slow_path->GenerateCode(this);

when generating the code for the following "CheckedSmiComparison":

B98 pre=36 post=29--> dom=B48 doms(#2)=B53,B168, preds=B48, <--
336: B98[target]:28 ParallelMove rax <- S+2, rcx <- C
338: v857 <- UnboxedConstant(#1) [1, 1] T{_Smi}
340: v484 <- LoadField(v2 T{X2} . fld2_1) T{_InternalLinkedHashMap}
342: PushArgument(v484)
344: PushArgument(v14)
346: v489 <- StaticCall:38( foo1<0> v484, v14) T{int?} env deopt!
347: ParallelMove rcx <- rax, rax <- C
348: Branch if CheckedSmiComparison:40(!=, v86, v489) T{bool} goto (168, 53)

@aartbik
Contributor Author

aartbik commented Jan 18, 2019

Digging deeper, crashes while accessing Selector() on the static call

v491 <- StaticCall:40( ==<0> v86, v489, recognized_kind = Integer_equal) T{bool}

because the underlying call does not have ic_data()

     if (auto static_call = this->AsStaticCall()) {
       return static_call->ic_data()->target_name();
     }

Adding an ASSERT confirms this.

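As an added illustration (not Dart SDK code, and not part of aartbik's comments), the following C++ sketch shows why a StaticCall that carries no ICData faults inside Selector() and what a graceful check looks like. The types ICData, Function and StaticCall and the functions SelectorUnguarded, SelectorChecked and LooksLikeNullPlusOffset are toy names invented for this example; their field layout is an assumption chosen so that the target_name field lands at offset 8 on a 64-bit build, matching the si_addr=0x8 in the crash report above.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <string>

// Toy stand-ins for the VM objects named in the thread. The layouts and
// names are assumptions for this illustration, not the Dart SDK's.
struct ICData {
  int32_t num_args_tested;  // offset 0
  const char* target_name;  // offset 8 on LP64 (matches si_addr=0x8 above)
};

struct Function {
  const char* name;
};

struct StaticCall {
  const Function* function;  // a static call always knows its callee
  const ICData* ic_data;     // null in AOT: no call-site feedback exists
};

// Mirrors the faulting path: reads target_name through ic_data without a
// null check. With ic_data == nullptr the load comes from address
// 0 + offsetof(ICData, target_name) == 0x8, the si_addr in the report.
// Never call this on an AOT StaticCall; it is here only to show the shape.
const char* SelectorUnguarded(const StaticCall& call) {
  return call.ic_data->target_name;
}

// The check the thread adds (an assert naming the missing invariant would go
// here) plus a fallback: the callee's own name serves as the selector when
// no ICData was attached. had_ic_data reports which path was taken.
const char* SelectorChecked(const StaticCall& call, bool* had_ic_data) {
  if (call.ic_data == nullptr) {
    *had_ic_data = false;
    return call.function->name;
  }
  *had_ic_data = true;
  return call.ic_data->target_name;
}

// Triage helper: a faulting address smaller than one page almost always
// means "null pointer plus field offset", not a wild or attacker-controlled
// pointer. page_size is an assumed 4 KiB.
bool LooksLikeNullPlusOffset(uintptr_t si_addr, uintptr_t page_size = 4096) {
  return si_addr < page_size;
}

int main() {
  const Function eq{"=="};
  const ICData feedback{2, "=="};
  const StaticCall jit_call{&eq, &feedback};  // JIT: ICData present
  const StaticCall aot_call{&eq, nullptr};    // AOT: no ICData

  bool had = false;
  assert(std::string(SelectorChecked(jit_call, &had)) == "==" && had);
  assert(std::string(SelectorChecked(aot_call, &had)) == "==" && !had);
  assert(SelectorUnguarded(jit_call) != nullptr);  // safe: ICData present
  assert(LooksLikeNullPlusOffset(0x8));
  return 0;
}
```

The point for triage is the last helper: si_addr=0x8 together with si_code=1 (SEGV_MAPERR) reads as a null pointer dereferenced at a small field offset, which is exactly what reaching ic_data()->target_name() on a null ic_data would produce. In a compiler this is a clean crash rather than a memory-safety hole, but the same first-read of the fault address is what you would do before deciding a crash is exploitable.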
@aartbik
Contributor Author

aartbik commented Jan 18, 2019

The problem may have been introduced by the unification CL (https://dart-review.googlesource.com/c/sdk/+/84433), which moved static calls into the realm of possibilities for a rewrite into a CheckedSmiComparison without a proper check for ic_data().

@aartbik
Contributor Author

aartbik commented Jan 22, 2019

Martin, would you mind having a quick look?

dart-bot pushed a commit that referenced this issue Jan 22, 2019
Rationale:
This would have made triaging the bug below a lot quicker.

#35703

Change-Id: I23451f1b2944f9447a1f1c1c85af073a7211fe4b
Reviewed-on: https://dart-review.googlesource.com/c/90302
Reviewed-by: Vyacheslav Egorov <vegorov@google.com>
Commit-Queue: Aart Bik <ajcbik@google.com>
@mkustermann
Member

@aartbik Sure, I can take a look. How do I get the reproduction command from the fuzzer run?

@aartbik
Contributor Author

aartbik commented Jan 23, 2019

Thanks Martin. As for reproducing, I have a small write-up on how to do this on go/dartfuzz, but also attached (fuzz3608420507.dart as fuzz3608420507.txt) for your convenience. To reproduce

precompiler2 fuzz3608420507.dart blob.bin

../../runtime/vm/compiler/backend/il.h: 3104: error: expected: static_call->ic_data() != nullptr

(note that the check fail is new, introduced above for more graceful failure).

fuzz3608420507.txt
