dartfuzz: Expected constant index to be Smi #56948

Closed
rmacnak-google opened this issue Oct 23, 2024 · 1 comment
Labels
area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. dartfuzz Found with Dart fuzzing (DartFuzz, libFuzzer, etc.) type-bug Incorrect behavior (everything from a crash to more subtle misbehavior)

Comments

@rmacnak-google
Contributor

import 'dart:typed_data';
import 'dart:io';

@pragma("vm:never-inline")
foo() {
  // Fuzzer-generated call: a negative start index and a fill value far outside
  // the Int8 range. The range check throws at runtime, but the background
  // optimizing compiler still compiles the store loop (see the CFG below).
  Int8List(28).fillRange(-19, 25, 9223372034707292160);
}

main() {
  try {
    foo();
  } catch (e, st) {
    print('foo throws');
  }

  sleep(Duration(seconds: 30)); // Let background compiler catch up.
}
out/ReleaseSIMARM/dart --optimization_counter_threshold=1 --old_gen_heap_size=128 fuzz2.dart
../../runtime/vm/compiler/runtime_api.cc: 978: error: expected: IsSmi(a)
version=3.7.0-edge (main) (Unknown timestamp) on "linux_simarm"
pid=2712723, thread=2712727, isolate_group=main(0x591e0d90), isolate=(nil)((nil))
os=linux, arch=arm, comp=no, sim=yes
isolate_instructions=58699be0, vm_instructions=58699be0
fp=f67fd178, sp=f67fd0e8, pc=589374fb
  pc 0x589374fb fp 0xf67fd178 dart::Profiler::DumpStackTrace+0x9b
  pc 0x58bab851 fp 0xf67fd198 Dart_DumpNativeStackTrace+0x21
  pc 0x58699dd6 fp 0xf67fd1c8 dart::Assert::Fail+0x36
  pc 0x589a8856 fp 0xf67fd1f8 dart::compiler::target::SmiValue+0x66
  pc 0x58a5e506 fp 0xf67fd318 dart::StoreIndexedInstr::EmitNativeCode+0x786
  pc 0x58a2c157 fp 0xf67fd478 dart::FlowGraphCompiler::VisitBlocks+0x537
  pc 0x58a2bbbf fp 0xf67fd4b8 dart::FlowGraphCompiler::CompileGraph+0x7f
  pc 0x58ae2f14 fp 0xf67fd4d8 dart::CompilerPass_GenerateCode::DoBody+0x24
  pc 0x58ae1bdd fp 0xf67fd588 dart::CompilerPass::Run+0x1ed
  pc 0x589a475a fp 0xf67fd9b8 dart::CompileParsedFunctionHelper::Compile+0x7aa
  pc 0x589a4ff7 fp 0xf67fde68 dart::CompileFunctionHelper+0x4b7
  pc 0x589a57e1 fp 0xf67fded8 dart::Compiler::CompileOptimizedFunction+0x101
  pc 0x589a5ffc fp 0xf67fe1f8 dart::BackgroundCompiler::Run+0x10c
  pc 0x589a66f4 fp 0xf67fe218 dart::BackgroundCompilerTask::Run+0x24
  pc 0x58993257 fp 0xf67fe2a8 dart::ThreadPool::WorkerLoop+0x137
  pc 0x5899352c fp 0xf67fe2e8 dart::ThreadPool::Worker::Main+0x7c
  pc 0x589340d7 fp 0xf67fe3b8 dart::ThreadStart+0xe7
  pc 0xf7c5f75d fp 0xf67fe428 /lib/i386-linux-gnu/libc.so.6+0x8975d
-- End of DumpStackTrace
=== Crash occurred when compiling file:///usr/local/google/home/rmacnak/dart1/sdk/fuzz2.dart_::_foo in optimizing JIT mode in GenerateCode pass
=== When compiling block B14[join]:82 pred(B13, B14) {
      v28 <- phi(v54 T{_Smi}, v31) alive [-19, -19] T{_Smi}
}
=== When compiling instruction StoreIndexed:80([_Int8List] v13 T{_Int8List}, v28 T{_Smi}, v46 T{_Mint}, NoStoreBarrier)
*** BEGIN CFG
GenerateCode
==== file:///usr/local/google/home/rmacnak/dart1/sdk/fuzz2.dart_::_foo (RegularFunction)
  0: B0[graph]:0 {
      v0 <- Constant(#null) T{Null?}
      v1 <- Constant(#<optimized out>) T{Sentinel~}
      v2 <- Constant(#28) [28, 28] T{_Smi}
      v6 <- Constant(#25) [25, 25] T{_Smi}
      v7 <- Constant(#9223372034707292160) [9223372034707292160, 9223372034707292160] T{_Mint}
      v45 <- Constant(#1) [1, 1] T{_Smi}
      v46 <- UnboxedConstant(#-2147483648) [-2147483648, -2147483648] int32
      v54 <- Constant(#-19) [-19, -19] T{_Smi}
}
  2: B13[function entry]:2
  4:     CheckStackOverflow:8(stack=0, loop=0)
  5:     ParallelMove r4 <- C
  6:     v13 <- AllocateTypedData:10(v2 T{_Smi}, <not-aliased>) T{_Int8List}
  8:     ParallelMove fp[-3] <- r0
  8:     MoveArgument(sp[2] <- v54 T{_Smi})
 10:     MoveArgument(sp[1] <- v6 T{_Smi})
 12:     MoveArgument(sp[0] <- v2 T{_Smi})
 14:     StaticCall:34( checkValidRange<0> v54 T{_Smi}, v6 T{_Smi}, v2 T{_Smi})
 16:     RecordCoverage()
 18:     ParallelMove r1 <- C, r0 <- fp[-3] goto:84 B14
 20: B14[join]:82 pred(B13, B14) {
      v28 <- phi(v54 T{_Smi}, v31) alive [-19, -19] T{_Smi}
}
 22:     CheckStackOverflow:88(stack=0, loop=1)
 24:     RecordCoverage()
 26:     RecordCoverage()
 28:     CheckArrayBound:80(v2 T{_Smi}, v28 T{_Smi}) T{_Smi}
 30:     ParallelMove r2 <- r1
 30:     StoreIndexed:80([_Int8List] v13 T{_Int8List}, v28 T{_Smi}, v46 T{_Mint}, NoStoreBarrier)
 32:     RecordCoverage()
 34:     v31 <- BinarySmiOp:78(+, v28 T{_Smi}, v45 T{_Smi}) T{_Smi}
 36:     ParallelMove r1 <- r2 goto:86 B14
*** END CFG

log
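The CFG above shows the fill value 9223372034707292160 entering the graph as a `_Mint` constant (v7) and reaching `StoreIndexed` as `UnboxedConstant(#-2147483648) int32` (v46), after which `SmiValue` asserts. The following Python snippet is an added illustration, not code from the issue or the Dart SDK; it works out the two's-complement truncations behind those numbers and checks the value against the Smi range. The Smi width used (pointer width minus one tag bit, so 31-bit Smis on a 32-bit target such as simarm) is an assumption about the VM's tagged-integer layout, not something the issue states.

```python
# Added illustration (not part of the Dart SDK or this issue): why the repro's
# fill constant appears in the IR as an int32 -2147483648, and why that value
# cannot be a Smi on a 32-bit target. The Smi width is an ASSUMPTION about the
# Dart VM's tagged integers: one tag bit, hence 31-bit Smis on 32-bit targets
# and 63-bit Smis on 64-bit targets.

FILL_VALUE = 9223372034707292160  # the constant from the fuzzer repro (2**63 - 2**31)


def truncate(value: int, bits: int) -> int:
    """Two's-complement truncation of an arbitrary Python int to `bits` bits."""
    mask = (1 << bits) - 1
    v = value & mask
    if v >= 1 << (bits - 1):
        v -= 1 << bits
    return v


def smi_range(pointer_bits: int) -> tuple:
    """Assumed Smi range: pointer width minus one tag bit, interpreted as signed."""
    smi_bits = pointer_bits - 1
    return (-(1 << (smi_bits - 1)), (1 << (smi_bits - 1)) - 1)


def is_smi(value: int, pointer_bits: int) -> bool:
    """True if `value` fits the assumed Smi range for a target of this pointer width."""
    lo, hi = smi_range(pointer_bits)
    return lo <= value <= hi


def explain(value: int = FILL_VALUE, pointer_bits: int = 32) -> dict:
    """Relate the repro constant to the IR values seen in the crash dump."""
    as_int32 = truncate(value, 32)  # matches v46: UnboxedConstant(#-2147483648) int32
    as_int8 = truncate(value, 8)    # what an Int8List element would actually hold
    return {
        "value_is_smi": is_smi(value, pointer_bits),      # False: v7 is a _Mint
        "int32": as_int32,
        "int32_is_smi": is_smi(as_int32, pointer_bits),   # False on 32-bit: SmiValue asserts
        "int8": as_int8,
    }


if __name__ == "__main__":
    for key, val in explain().items():
        print(f"{key}: {val}")
```

Run on the repro constant with a 32-bit pointer width, `explain()` reports that neither the original value nor its int32 truncation is a Smi, while the int8 truncation is 0; on a 64-bit target the int32 value would fit a Smi, which is consistent with the failure being reported on simarm.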

@rmacnak-google rmacnak-google added area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. dartfuzz Found with Dart fuzzing (DartFuzz, libFuzzer, etc.) labels Oct 23, 2024
@lrhn lrhn added the type-bug Incorrect behavior (everything from a crash to more subtle misbehavior) label Oct 23, 2024
@rmacnak-google
Contributor Author

copybara-service bot pushed a commit that referenced this issue Oct 28, 2024
…tionSummary and EmitNativeCode.

TEST=dartfuzz
Bug: #56948
Change-Id: I7241071df2aedb34a88817896005eb0fdff674eb
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/391487
Reviewed-by: Alexander Markov <alexmarkov@google.com>
Commit-Queue: Ryan Macnak <rmacnak@google.com>