
vm crash on dart fuzzer test - SelectRepresentations at CalculateElementAddressInstr #55595

Closed
aam opened this issue Apr 29, 2024 · 1 comment
Labels
area-vm: Use area-vm for VM related issues, including code coverage, FFI, and the AOT and JIT backends.
crash: Process exits with SIGSEGV, SIGABRT, etc. An unhandled exception is not a crash.
P3: A lower priority bug or feature request.
triaged: Issue has been triaged by sub team.

Comments

aam (Contributor) commented Apr 29, 2024

$ dart runtime/tools/dartfuzz/dartfuzz.dart --no-fp --no-ffi --flat --seed 2550109923 fuzz.dart
$ DART_CONFIGURATION='ReleaseX64' DART_VM_FLAGS='--enable-asserts' pkg/vm/tool/precompiler2 --deterministic fuzz.dart snapshot
...
../../runtime/vm/compiler/backend/il.h: 1262: error: unreachable code
version=3.5.0-edge (main) (Unknown timestamp) on "linux_x64"
pid=824675, thread=824675, isolate_group=isolate(0x55d2cfd100a0), isolate=(nil)((nil))
os=linux, arch=x64, comp=no, sim=no
isolate_instructions=0, vm_instructions=0
fp=7ffdd42629b0, sp=7ffdd4262880, pc=55d2ce4a6dfc
  pc 0x000055d2ce4a6dfc fp 0x00007ffdd42629b0 dart::Profiler::DumpStackTrace+0x7c
  pc 0x000055d2ce3777f4 fp 0x00007ffdd4262a90 dart::Assert::Fail+0x84
  pc 0x000055d2ce61fc7c fp 0x00007ffdd4262ab0 dart::Instruction::DeoptimizationTarget+0x2c
  pc 0x000055d2ce5f7b28 fp 0x00007ffdd4262b30 dart::FlowGraph::InsertConversion+0x1e8
  pc 0x000055d2ce5f8a1f fp 0x00007ffdd4262b60 dart::FlowGraph::InsertConversionsFor+0x8f
  pc 0x000055d2ce5f910c fp 0x00007ffdd4262c00 dart::FlowGraph::SelectRepresentations+0x6ac
  pc 0x000055d2ce6a23d0 fp 0x00007ffdd4262c10 dart::CompilerPass_SelectRepresentations::DoBody+0x10
  pc 0x000055d2ce6a1b1f fp 0x00007ffdd4262cd0 dart::CompilerPass::Run+0x11f
  pc 0x000055d2ce6a1f8e fp 0x00007ffdd4262cf0 dart::CompilerPass::RunPipeline+0x17e
  pc 0x000055d2ce5bfb84 fp 0x00007ffdd4263430 dart::PrecompileParsedFunctionHelper::Compile+0x584
  pc 0x000055d2ce5c040d fp 0x00007ffdd4263af0 dart::PrecompileFunctionHelper+0x2ed
  pc 0x000055d2ce5bca67 fp 0x00007ffdd4263c00 dart::Precompiler::CompileFunction+0x177
  pc 0x000055d2ce5bba14 fp 0x00007ffdd4263c90 dart::Precompiler::ProcessFunction+0xe4
  pc 0x000055d2ce5b7894 fp 0x00007ffdd4263ce0 dart::Precompiler::Iterate+0x84
  pc 0x000055d2ce5b4947 fp 0x00007ffdd4264470 dart::Precompiler::DoCompileAll+0x1507
  pc 0x000055d2ce5b33d8 fp 0x00007ffdd4264900 dart::Precompiler::CompileAll+0xb8
  pc 0x000055d2ce7267bf fp 0x00007ffdd4264af0 Dart_Precompile+0x28f
  pc 0x000055d2ce371539 fp 0x00007ffdd4264c60 dart::bin::main+0x869
-- End of DumpStackTrace
=== Crash occurred when compiling file:///usr/local/google/home/aam/p/d/d1/sdk/fuzz.dart_::_fooE1|foo1_Extension0 in AOT mode in SelectRepresentations pass
...

cc @sstrickl
Attachment: [fuzz.zip](https://github.com/dart-lang/sdk/files/15151425/fuzz.zip)

aam added the area-vm label Apr 29, 2024

alexmarkov (Contributor) commented

Unboxing of inputs of CalculateElementAddress instruction should not be speculative.

The following change fixes the crash:

diff --git a/runtime/vm/compiler/backend/il.h b/runtime/vm/compiler/backend/il.h
index f7a616809e8..39b1c999712 100644
--- a/runtime/vm/compiler/backend/il.h
+++ b/runtime/vm/compiler/backend/il.h
@@ -7966,6 +7966,10 @@ class CalculateElementAddressInstr : public TemplateDefinition<3, NoThrow> {
     return kUnboxedIntPtr;
   }
 
+  virtual SpeculativeMode SpeculativeModeOfInput(intptr_t index) const {
+    return kNotSpeculative;
+  }
+
   Value* base() const { return inputs_[kBasePos]; }
   Value* index() const { return inputs_[kIndexPos]; }
   Value* offset() const { return inputs_[kOffsetPos]; }
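Review bot: the new `SpeculativeModeOfInput` override returns `kNotSpeculative` for every input regardless of `index`, including `base()`, yet nothing in the hunk records why that is safe; the rationale given in the comment above (unboxing of this instruction's inputs must not be speculative, so the conversion inserted in `SelectRepresentations` must never need a deoptimization target) belongs in a one-line comment directly above the method. Since `index` is unused, spelling it `intptr_t /*index*/` would also make that intent explicit.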

The tricky part is to create a regression test out of the code generated by dart fuzzer.

a-siva added the triaged, crash and P3 labels May 1, 2024
copybara-service bot pushed a commit that referenced this issue May 8, 2024
TEST=ci
Bug: #55595
Bug: #55663
Change-Id: I7475ef81857be60910d93262123d01936c5ab15a
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/365902
Commit-Queue: Ryan Macnak <rmacnak@google.com>
Reviewed-by: Alexander Markov <alexmarkov@google.com>