
dartfuzz: crash during register allocation #55686

Closed
rmacnak-google opened this issue May 10, 2024 · 0 comments
Labels
area-vm Use area-vm for VM related issues, including code coverage, FFI, and the AOT and JIT backends. crash Process exits with SIGSEGV, SIGABRT, etc. An unhandled exception is not a crash. dartfuzz Found with Dart fuzzing (DartFuzz, libFuzzer, etc.)

Comments


=== FAILURE ===
command: out/ReleaseX64/dart pkg/vm/bin/gen_kernel.dart --platform=out/ReleaseSIMRISCV64/vm_platform_strong.dill --aot --output=out/dartfuzz/2.dill pkg/compiler/lib/src/dart2js.dart
command: out/ReleaseSIMRISCV64/gen_snapshot --verify_store_buffer --no_propagate_ic_data --force_switch_dispatch_type=2 --snapshot_kind=app-aot-elf --elf=out/dartfuzz/2.elf out/dartfuzz/2.dill
exitCode: -6
stdout:

stderr:

===== CRASH =====
si_signo=Segmentation fault(11), si_code=SEGV_MAPERR(1), si_addr=0x50
version=3.5.0-edge (main) (Unknown timestamp) on "linux_simriscv64"
pid=350757, thread=350757, isolate_group=isolate(0x5598579ad230), isolate=(nil)((nil))
os=linux, arch=riscv64, comp=no, sim=yes
isolate_instructions=0, vm_instructions=0
fp=7ffffa86d030, sp=7ffffa86d010, pc=559857159740
  pc 0x0000559857159740 fp 0x00007ffffa86d030 dart::EmitMoveOnEdge+0xe0
  pc 0x0000559857158f5e fp 0x00007ffffa86d170 dart::FlowGraphAllocator::ResolveControlFlow+0x93e
  pc 0x000055985715a421 fp 0x00007ffffa86d1c0 dart::FlowGraphAllocator::AllocateRegisters+0x371
  pc 0x00005598571939c2 fp 0x00007ffffa86d6f0 dart::CompilerPass_AllocateRegisters::DoBody+0x52
  pc 0x0000559857192bcf fp 0x00007ffffa86d7b0 dart::CompilerPass::Run+0x11f
  pc 0x0000559857193215 fp 0x00007ffffa86d7d0 dart::CompilerPass::RunPipeline+0x355
  pc 0x00005598570bc774 fp 0x00007ffffa86df30 dart::PrecompileParsedFunctionHelper::Compile+0x584
  pc 0x00005598570bcffd fp 0x00007ffffa86e5f0 dart::PrecompileFunctionHelper+0x2ed
  pc 0x00005598570b9657 fp 0x00007ffffa86e700 dart::Precompiler::CompileFunction+0x177
  pc 0x00005598570b8604 fp 0x00007ffffa86e790 dart::Precompiler::ProcessFunction+0xe4
  pc 0x00005598570b4484 fp 0x00007ffffa86e7e0 dart::Precompiler::Iterate+0x84
  pc 0x00005598570b1537 fp 0x00007ffffa86ef70 dart::Precompiler::DoCompileAll+0x1507
  pc 0x00005598570affc8 fp 0x00007ffffa86f400 dart::Precompiler::CompileAll+0xb8
  pc 0x000055985721341f fp 0x00007ffffa86f5f0 Dart_Precompile+0x28f
  pc 0x0000559856e61e19 fp 0x00007ffffa86f760 dart::bin::main+0x869
-- End of DumpStackTrace
=== Crash occurred when compiling package:_macros/src/executor/protocol.dart_SerializableResponse_serialize in AOT mode in AllocateRegisters pass
*** BEGIN CFG
AllocateRegisters
==== package:_macros/src/executor/protocol.dart_SerializableResponse_serialize (RegularFunction)
  0: B0[graph]:0 {
      v0 <- Constant(#null) T{Null?}
      v34 <- UnboxedConstant(#24) [24, 24] int64
      v35 <- UnboxedConstant(#6) [6, 6] int64
}
  2: B1[function entry]:2 {
      v2 <- Parameter(0 @fp[1]) T{SerializableResponse}
      v3 <- Parameter(1 @fp[0]) T{Serializer}
}
  4:     CheckStackOverflow:8(stack=0, loop=0)
  5:     ParallelMove a0 <- fp[1]
  6:     v4 <- LoadField(v2 . serializationZoneId {final}) [-9223372036854775808, 9223372036854775807] int64
  7:     ParallelMove a6 <- fp[0]
  8:     v36 <- LoadClassId(<non-smi> v3) int64
 10:     MoveArgument(sp[1] <- v3)
 12:     MoveArgument(sp[0] <- v4) int64
 14:     DispatchTableCall( cid=v36 Serializer.addInt<0>, v3, v4)
 15:     ParallelMove a0 <- fp[0]
 16:     v37 <- LoadClassId(<non-smi> v3) int64
 18:     MoveArgument(sp[1] <- v3)
 19:     ParallelMove a1 <- C
 20:     MoveArgument(sp[0] <- v34 T{_Smi}) int64
 22:     DispatchTableCall( cid=v37 Serializer.addInt<0>, v3, v34 T{_Smi})
 23:     ParallelMove a0 <- fp[1]
 24:     v7 <- LoadField(v2 . responseType {final}) T{MessageType}
 26:     v8 <- LoadField(v7 . index {final}) [-9223372036854775808, 9223372036854775807] int64
 27:     ParallelMove a1 <- fp[0]
 28:     v38 <- LoadClassId(<non-smi> v3) int64
 30:     MoveArgument(sp[1] <- v3)
 32:     MoveArgument(sp[0] <- v8) int64
 34:     DispatchTableCall( cid=v38 Serializer.addInt<0>, v3, v8)
 35:     ParallelMove a0 <- fp[-3]
 36:     Branch if RelationalOp:48(>=, v8 T{int}, v35 T{_Smi}) T{bool} goto (5, 6)
 38: B5[target]:54
 40:     Branch if RelationalOp:60(<=, v8 T{int}, v35 T{_Smi}) T{bool} goto (7, 8)
 42: B7[target]:66
 44:     v17 <- BinaryInt64Op(- [tr], v8 T{int}, v35 T{_Smi}) [-9223372036854775808, 9223372036854775807] int64
 46:     v33 <- BoxInt64(v17 T{int}) [-9223372036854775808, 9223372036854775807] T{int}
 48:     igoto:(v33 T{int})
 50: B10[target]:80
 52:     v18 <- LoadField(v2 . exception {final}) T{MacroExceptionImpl??}
 54:     CheckNull:32(v18, CastError) T{MacroExceptionImpl?}
 56:     MoveArgument(sp[1] <- v18 T{MacroExceptionImpl?})
 58:     MoveArgument(sp[0] <- v3)
 60:     StaticCall:34( serialize<0> v18 T{MacroExceptionImpl?}, v3, using unchecked entrypoint)
 62:     ParallelMove  goto:40 B3
 64: B8[target]:68
 66:     ParallelMove  goto:70 B4
 68: B6[target]:56
 70:     ParallelMove  goto:58 B4
 72: B4[join]:46 pred(B6, B8)
 74:     v14 <- LoadField(v2 . response {final}) T{Serializable??}
 76:     MoveArgument(sp[1] <- v14)
 78:     MoveArgument(sp[0] <- v3)
 80:     StaticCall:44( SerializeNullable|serializeNullable<0> v14, v3)
 82:     ParallelMove  goto:84 B3
 84: B3[join]:36 pred(B4, B10)
 86:     v15 <- LoadField(v2 . requestId {final}) [-9223372036854775808, 9223372036854775807] int64
 88:     v39 <- LoadClassId(<non-smi> v3) int64
 90:     MoveArgument(sp[1] <- v3)
 92:     MoveArgument(sp[0] <- v15) int64
 93:     ParallelMove a2 <- a0
 94:     DispatchTableCall( cid=v39 Serializer.addInt<0>, v3, v15)
 95:     ParallelMove a0 <- C
 96:     DartReturn:92(v0)
*** END CFG


The relevant flag seems to be the switch type. The register allocator sees an IndirectGotoInstr where it expects a GotoInstr.
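The comment points at the structural detail visible in the IL dump: block B7 ends in `igoto:(v33 T{int})` (an IndirectGotoInstr whose targets live in a jump table, not in the textual dump), while every other non-branching block ends in a plain `goto:N Bx` with a single static successor. The following is an added example, not code from the issue or from the Dart SDK. It parses the block structure out of an excerpt of the dump above (copied from the report, with non-control-flow instructions dropped), classifies each block's terminator, and resolves edges so that an indirect goto is reported as a separate case rather than being folded into the single-target goto case. The helper names (`parse_blocks`, `resolve_edges`, `check_preds`) and the regexes are this example's own assumptions about the dump format, not VM APIs.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the IL dump from the crash report above (blocks B5 through B3),
# trimmed to the lines that carry control flow. Constructed from the report,
# not a complete dump.
CFG_EXCERPT = """\
 38: B5[target]:54
 40:     Branch if RelationalOp:60(<=, v8 T{int}, v35 T{_Smi}) T{bool} goto (7, 8)
 42: B7[target]:66
 44:     v17 <- BinaryInt64Op(- [tr], v8 T{int}, v35 T{_Smi}) [-9223372036854775808, 9223372036854775807] int64
 46:     v33 <- BoxInt64(v17 T{int}) [-9223372036854775808, 9223372036854775807] T{int}
 48:     igoto:(v33 T{int})
 50: B10[target]:80
 62:     ParallelMove  goto:40 B3
 64: B8[target]:68
 66:     ParallelMove  goto:70 B4
 68: B6[target]:56
 70:     ParallelMove  goto:58 B4
 72: B4[join]:46 pred(B6, B8)
 82:     ParallelMove  goto:84 B3
 84: B3[join]:36 pred(B4, B10)
"""

# Block header: "  72: B4[join]:46 pred(B6, B8)" -> name, kind, optional pred list.
BLOCK_RE = re.compile(r"^\s*\d+:\s+(B\d+)\[([^\]]+)\](?::\d+)?(?:\s+pred\(([^)]*)\))?")
# Plain goto with one static target: "goto:70 B4".
GOTO_RE = re.compile(r"\bgoto:\d+\s+(B\d+)")
# Two-way branch: "goto (7, 8)" lists both successor block numbers.
BRANCH_RE = re.compile(r"\bgoto \((\d+), (\d+)\)")
# Indirect goto: the target comes from a value, no block list in the dump.
IGOTO_RE = re.compile(r"\bigoto:\(")


def parse_blocks(dump: str) -> Dict[str, dict]:
    """Map block name -> {kind, preds, terminator, successors} for a dump excerpt."""
    blocks: Dict[str, dict] = {}
    current = None
    for line in dump.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            name, kind, preds = m.group(1), m.group(2), m.group(3)
            current = {
                "kind": kind,
                "preds": [p.strip() for p in preds.split(",")] if preds else [],
                "terminator": None,
                "successors": [],
            }
            blocks[name] = current
            continue
        if current is None:
            continue
        if IGOTO_RE.search(line):
            current["terminator"] = "igoto"
            current["successors"] = []  # targets are in a jump table, not the dump
        elif (m := BRANCH_RE.search(line)):
            current["terminator"] = "branch"
            current["successors"] = [f"B{m.group(1)}", f"B{m.group(2)}"]
        elif (m := GOTO_RE.search(line)):
            current["terminator"] = "goto"
            current["successors"] = [m.group(1)]
    return blocks


def blocks_with_indirect_goto(blocks: Dict[str, dict]) -> List[str]:
    """Blocks whose successor set cannot be read from the dump alone."""
    return [name for name, b in blocks.items() if b["terminator"] == "igoto"]


def resolve_edges(blocks: Dict[str, dict]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Static edges (src, dst) plus the blocks left unresolved by an igoto.

    A pass that assumes every non-branching block ends in a single-target
    goto would have to invent an edge for B7; here that case is kept apart."""
    edges: List[Tuple[str, str]] = []
    unresolved: List[str] = []
    for name, b in blocks.items():
        if b["terminator"] == "igoto":
            unresolved.append(name)
        else:
            edges.extend((name, s) for s in b["successors"])
    return edges, unresolved


def check_preds(blocks: Dict[str, dict]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Compare each join block's declared pred(...) list with the edges found."""
    edges, _ = resolve_edges(blocks)
    mismatches = {}
    for name, b in blocks.items():
        if not b["preds"]:
            continue
        actual = sorted(src for src, dst in edges if dst == name)
        if actual != sorted(b["preds"]):
            mismatches[name] = (sorted(b["preds"]), actual)
    return mismatches


if __name__ == "__main__":
    parsed = parse_blocks(CFG_EXCERPT)
    print("indirect goto blocks:", blocks_with_indirect_goto(parsed))
    print("edges:", resolve_edges(parsed))
    print("pred mismatches:", check_preds(parsed))
```

Run against the excerpt, `blocks_with_indirect_goto` returns only `B7`, and `check_preds` returns no mismatches for the join blocks B4 and B3, confirming that every pred listed in the dump is reachable through a plain goto and that B7 is the one block whose outgoing edges a goto-only resolver cannot see.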

@rmacnak-google rmacnak-google added area-vm Use area-vm for VM related issues, including code coverage, FFI, and the AOT and JIT backends. crash Process exits with SIGSEGV, SIGABRT, etc. An unhandled exception is not a crash. dartfuzz Found with Dart fuzzing (DartFuzz, libFuzzer, etc.) labels May 10, 2024
@mkustermann mkustermann assigned mraleph and unassigned mraleph May 14, 2024
copybara-service bot pushed a commit that referenced this issue May 15, 2024
…ster allocation.

TEST=dartfuzz
Bug: #55686
Change-Id: I58f772d80063c0b44613224bf4eb3980d2d9e2b4
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/366067
Commit-Queue: Ryan Macnak <rmacnak@google.com>
Reviewed-by: Alexander Markov <alexmarkov@google.com>