Status: Accepted
Owner: [email protected]
CC: [email protected], [email protected]
Labels: Type-Bug Priority-Medium
New issue 3825 by [email protected]: invalid stack access from
SafeStackFrameIterator
https://code.google.com/p/v8/issues/detail?id=3825
From:
http://build.chromium.org/p/client.v8/builders/V8%20Mac64%20ASAN/builds/72/steps/Check/logs/LogAccessorCallbacks
Test: cctest/test-log/LogAccessorCallbacks (flaky in a repeated run)
Flags:
Command: xcodebuild/Release/cctest --random-seed=645993412
test-log/LogAccessorCallbacks --nohard-abort --nodead-code-elimination
--nofold-constants
--testing_serialization_file=out/.serdes/serdes_LogAccessorCallbacks
--invoke-weak-callbacks
Run #1
Exit code: 1
Result: FAIL
Expected outcomes: PASS
Stderr:
=================================================================
==91912==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff5fbfdcf8 at pc 0x000100c86e0e bp 0x7fff5fbfb8b0 sp 0x7fff5fbfb8a8
READ of size 8 at 0x7fff5fbfdcf8 thread T0
#0 0x100c86e0d in
v8::internal::SafeStackFrameIterator::IsValidCaller(v8::internal::StackFrame*)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x100c86e0d)
#1 0x100c85e52 in v8::internal::SafeStackFrameIterator::Advance()
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x100c85e52)
#2 0x100c852f9 in
v8::internal::SafeStackFrameIterator::SafeStackFrameIterator(v8::internal::Isolate*,
unsigned char*, unsigned char*, unsigned char*)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x100c852f9)
#3 0x1014d9920 in
v8::internal::TickSample::Init(v8::internal::Isolate*, v8::RegisterState
const&, v8::internal::TickSample::RecordCEntryFrame)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x1014d9920)
#4 0x1014d94b7 in v8::internal::Sampler::SampleStack(v8::RegisterState
const&)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x1014d94b7)
#5 0x1014d907e in
v8::internal::SignalHandler::HandleProfilerSignal(int, __siginfo*, void*)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x1014d907e)
#6 0x7fff98f5d5a9 in _sigtramp
(/usr/lib/system/libsystem_platform.dylib+0x35a9)
#7 0x1039cd7ec in v8::internal::blob_data
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x1039cd7ec)
#8 0x1008e0ed8 in
v8::internal::InitializeDescriptorDispatchedCall(v8::internal::CodeStub*,
void**)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x1008e0ed8)
#9 0x1008e0147 in
v8::internal::CodeStub::Dispatch(v8::internal::Isolate*, unsigned int,
void**, void (*)(v8::internal::CodeStub*, void**))
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x1008e0147)
#10 0x100b9f9ba in
v8::internal::Deoptimizer::DoComputeCompiledStubFrame(v8::internal::TranslationIterator*,
int)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x100b9f9ba)
#11 0x100b98693 in v8::internal::Deoptimizer::DoComputeOutputFrames()
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x100b98693)
#12 0x23b97790642a (<unknown module>)
#13 0x611000008aff (<unknown module>)
#14 0x23b977b614c4 (<unknown module>)
#15 0x23b977b377bf (<unknown module>)
#16 0x23b977b15ad0 (<unknown module>)
#17 0x100bfb0c1 in v8::internal::Invoke(bool,
v8::internal::Handle<v8::internal::JSFunction>,
v8::internal::Handle<v8::internal::Object>, int,
v8::internal::Handle<v8::internal::Object>*)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x100bfb0c1)
#18 0x10089c01f in
v8::internal::Genesis::CompileScriptCached(v8::internal::Isolate*,
v8::internal::Vector<char const>,
v8::internal::Handle<v8::internal::String>, v8::internal::SourceCodeCache*,
v8::Extension*, v8::internal::Handle<v8::internal::Context>, bool)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x10089c01f)
#19 0x10089b915 in
v8::internal::Genesis::CompileNative(v8::internal::Isolate*,
v8::internal::Vector<char const>,
v8::internal::Handle<v8::internal::String>)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x10089b915)
#20 0x1008c0651 in v8::internal::Genesis::InstallExperimentalNatives()
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x1008c0651)
#21 0x1008c75d7 in
v8::internal::Genesis::Genesis(v8::internal::Isolate*,
v8::internal::MaybeHandle<v8::internal::JSGlobalProxy>,
v8::Handle<v8::ObjectTemplate>, v8::ExtensionConfiguration*)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x1008c75d7)
#22 0x100880e09 in
v8::internal::Bootstrapper::CreateEnvironment(v8::internal::MaybeHandle<v8::internal::JSGlobalProxy>,
v8::Handle<v8::ObjectTemplate>, v8::ExtensionConfiguration*)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x100880e09)
#23 0x1007c5524 in v8::Context::New(v8::Isolate*,
v8::ExtensionConfiguration*, v8::Handle<v8::ObjectTemplate>,
v8::Handle<v8::Value>)
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x1007c5524)
#24 0x10060cc46 in TestLogAccessorCallbacks()
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x10060cc46)
#25 0x10033c099 in CcTest::Run()
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x10033c099)
#26 0x10033c877 in main
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x10033c877)
#27 0x100000d63 in start
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x100000d63)
#28 0x7
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x7)
Address 0x7fff5fbfdcf8 is located in stack of thread T0 at offset 3544 in
frame
#0 0x1008de0ef in
v8::internal::CodeStub::Dispatch(v8::internal::Isolate*, unsigned int,
void**, void (*)(v8::internal::CodeStub*, void**))
(/Volumes/data/b/build/slave/mac64-asan/build/v8/xcodebuild/Release/cctest+0x1008de0ef)
This frame has 70 object(s):
[32, 56) 'stub'
[96, 120) 'stub3'
[160, 184) 'stub6'
[224, 248) 'stub9'
[288, 312) 'stub12'
[352, 376) 'stub15'
[416, 440) 'stub18'
[480, 504) 'stub21'
[544, 568) 'stub24'
[608, 632) 'stub27'
[672, 696) 'stub30'
[736, 768) 'stub33'
[800, 824) 'stub36'
[864, 888) 'stub39'
[928, 952) 'stub42'
[992, 1016) 'stub45'
[1056, 1088) 'stub48'
[1120, 1144) 'stub51'
[1184, 1208) 'stub54'
[1248, 1272) 'stub57'
[1312, 1336) 'stub60'
[1376, 1400) 'stub63'
[1440, 1464) 'stub66'
[1504, 1568) 'stub69'
[1600, 1624) 'stub72'
[1664, 1688) 'stub75'
[1728, 1752) 'stub78'
[1792, 1816) 'stub81'
[1856, 1880) 'stub84'
[1920, 1944) 'stub87'
[1984, 2008) 'stub90'
[2048, 2072) 'stub93'
[2112, 2136) 'stub96'
[2176, 2200) 'stub99'
[2240, 2264) 'stub102'
[2304, 2328) 'stub105'
[2368, 2392) 'stub108'
[2432, 2456) 'stub111'
[2496, 2520) 'stub114'
[2560, 2584) 'stub117'
[2624, 2648) 'stub120'
[2688, 2712) 'stub123'
[2752, 2776) 'stub126'
[2816, 2840) 'stub129'
[2880, 2904) 'stub132'
[2944, 2968) 'stub135'
[3008, 3032) 'stub138'
[3072, 3096) 'stub141'
[3136, 3160) 'stub144'
[3200, 3224) 'stub147'
[3264, 3288) 'stub150'
[3328, 3352) 'stub153'
[3392, 3416) 'stub156'
[3456, 3480) 'stub159'
[3520, 3544) 'stub162' <== Memory access at offset 3544 overflows this
variable
[3584, 3608) 'stub165'
[3648, 3672) 'stub168'
[3712, 3736) 'stub171'
[3776, 3800) 'stub174'
[3840, 3864) 'stub177'
[3904, 3928) 'stub180'
[3968, 3992) 'stub183'
[4032, 4056) 'stub186'
[4096, 4120) 'stub189'
[4160, 4184) 'stub192'
[4224, 4248) 'stub195'
[4288, 4312) 'stub198'
[4352, 4376) 'stub201'
[4416, 4440) 'stub204'
[4480, 4504) 'stub207'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0
v8::internal::SafeStackFrameIterator::IsValidCaller(v8::internal::StackFrame*)
Shadow bytes around the buggy address:
0x1fffebf7fb40: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
0x1fffebf7fb50: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
0x1fffebf7fb60: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
0x1fffebf7fb70: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
0x1fffebf7fb80: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
=>0x1fffebf7fb90: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00[f2]
0x1fffebf7fba0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
0x1fffebf7fbb0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
0x1fffebf7fbc0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
0x1fffebf7fbd0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
0x1fffebf7fbe0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==91912==ABORTING
Run #2
Exit code: 0
Result: PASS
Expected outcomes: PASS
--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
