Skip to content

dartfuzz: Expected constant index to be Smi #56948

New issue
New issue
Closed
Closed
dartfuzz: Expected constant index to be Smi#56948
Labels
area-vmUse area-vm for VM related issues, including code coverage, and the AOT and JIT backends.dartfuzzFound with Dart fuzzing (DartFuzz, libFuzzer, etc.)type-bugIncorrect behavior (everything from a crash to more subtle misbehavior)
@rmacnak-google

Description

@rmacnak-google
rmacnak-google
opened on Oct 23, 2024
import 'dart:typed_data';
import 'dart:io';

@pragma("vm:never-inline")
foo() {
  Int8List(28).fillRange(-19, 25, 9223372034707292160);
}

main() {
  try {
    foo();
  } catch (e, st) {
    print('foo throws');
  }

  sleep(Duration(seconds: 30)); // Let background compiler catch up.
}
out/ReleaseSIMARM/dart --optimization_counter_threshold=1 --old_gen_heap_size=128 fuzz2.dart
../../runtime/vm/compiler/runtime_api.cc: 978: error: expected: IsSmi(a)
version=3.7.0-edge (main) (Unknown timestamp) on "linux_simarm"
pid=2712723, thread=2712727, isolate_group=main(0x591e0d90), isolate=(nil)((nil))
os=linux, arch=arm, comp=no, sim=yes
isolate_instructions=58699be0, vm_instructions=58699be0
fp=f67fd178, sp=f67fd0e8, pc=589374fb
  pc 0x589374fb fp 0xf67fd178 dart::Profiler::DumpStackTrace+0x9b
  pc 0x58bab851 fp 0xf67fd198 Dart_DumpNativeStackTrace+0x21
  pc 0x58699dd6 fp 0xf67fd1c8 dart::Assert::Fail+0x36
  pc 0x589a8856 fp 0xf67fd1f8 dart::compiler::target::SmiValue+0x66
  pc 0x58a5e506 fp 0xf67fd318 dart::StoreIndexedInstr::EmitNativeCode+0x786
  pc 0x58a2c157 fp 0xf67fd478 dart::FlowGraphCompiler::VisitBlocks+0x537
  pc 0x58a2bbbf fp 0xf67fd4b8 dart::FlowGraphCompiler::CompileGraph+0x7f
  pc 0x58ae2f14 fp 0xf67fd4d8 dart::CompilerPass_GenerateCode::DoBody+0x24
  pc 0x58ae1bdd fp 0xf67fd588 dart::CompilerPass::Run+0x1ed
  pc 0x589a475a fp 0xf67fd9b8 dart::CompileParsedFunctionHelper::Compile+0x7aa
  pc 0x589a4ff7 fp 0xf67fde68 dart::CompileFunctionHelper+0x4b7
  pc 0x589a57e1 fp 0xf67fded8 dart::Compiler::CompileOptimizedFunction+0x101
  pc 0x589a5ffc fp 0xf67fe1f8 dart::BackgroundCompiler::Run+0x10c
  pc 0x589a66f4 fp 0xf67fe218 dart::BackgroundCompilerTask::Run+0x24
  pc 0x58993257 fp 0xf67fe2a8 dart::ThreadPool::WorkerLoop+0x137
  pc 0x5899352c fp 0xf67fe2e8 dart::ThreadPool::Worker::Main+0x7c
  pc 0x589340d7 fp 0xf67fe3b8 dart::ThreadStart+0xe7
  pc 0xf7c5f75d fp 0xf67fe428 /lib/i386-linux-gnu/libc.so.6+0x8975d
-- End of DumpStackTrace
=== Crash occurred when compiling file:///usr/local/google/home/rmacnak/dart1/sdk/fuzz2.dart_::_foo in optimizing JIT mode in GenerateCode pass
=== When compiling block B14[join]:82 pred(B13, B14) {
      v28 <- phi(v54 T{_Smi}, v31) alive [-19, -19] T{_Smi}
}
=== When compiling instruction StoreIndexed:80([_Int8List] v13 T{_Int8List}, v28 T{_Smi}, v46 T{_Mint}, NoStoreBarrier)
*** BEGIN CFG
GenerateCode
==== file:///usr/local/google/home/rmacnak/dart1/sdk/fuzz2.dart_::_foo (RegularFunction)
  0: B0[graph]:0 {
      v0 <- Constant(#null) T{Null?}
      v1 <- Constant(#<optimized out>) T{Sentinel~}
      v2 <- Constant(#28) [28, 28] T{_Smi}
      v6 <- Constant(#25) [25, 25] T{_Smi}
      v7 <- Constant(#9223372034707292160) [9223372034707292160, 9223372034707292160] T{_Mint}
      v45 <- Constant(#1) [1, 1] T{_Smi}
      v46 <- UnboxedConstant(#-2147483648) [-2147483648, -2147483648] int32
      v54 <- Constant(#-19) [-19, -19] T{_Smi}
}
  2: B13[function entry]:2
  4:     CheckStackOverflow:8(stack=0, loop=0)
  5:     ParallelMove r4 <- C
  6:     v13 <- AllocateTypedData:10(v2 T{_Smi}, <not-aliased>) T{_Int8List}
  8:     ParallelMove fp[-3] <- r0
  8:     MoveArgument(sp[2] <- v54 T{_Smi})
 10:     MoveArgument(sp[1] <- v6 T{_Smi})
 12:     MoveArgument(sp[0] <- v2 T{_Smi})
 14:     StaticCall:34( checkValidRange<0> v54 T{_Smi}, v6 T{_Smi}, v2 T{_Smi})
 16:     RecordCoverage()
 18:     ParallelMove r1 <- C, r0 <- fp[-3] goto:84 B14
 20: B14[join]:82 pred(B13, B14) {
      v28 <- phi(v54 T{_Smi}, v31) alive [-19, -19] T{_Smi}
}
 22:     CheckStackOverflow:88(stack=0, loop=1)
 24:     RecordCoverage()
 26:     RecordCoverage()
 28:     CheckArrayBound:80(v2 T{_Smi}, v28 T{_Smi}) T{_Smi}
 30:     ParallelMove r2 <- r1
 30:     StoreIndexed:80([_Int8List] v13 T{_Int8List}, v28 T{_Smi}, v46 T{_Mint}, NoStoreBarrier)
 32:     RecordCoverage()
 34:     v31 <- BinarySmiOp:78(+, v28 T{_Smi}, v45 T{_Smi}) T{_Smi}
 36:     ParallelMove r1 <- r2 goto:86 B14
*** END CFG

log

Metadata

Metadata

Assignees

No one assigned

    Labels

    area-vmUse area-vm for VM related issues, including code coverage, and the AOT and JIT backends.dartfuzzFound with Dart fuzzing (DartFuzz, libFuzzer, etc.)type-bugIncorrect behavior (everything from a crash to more subtle misbehavior)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions