dartfuzz: Invalid shift #56947

Closed
rmacnak-google opened this issue Oct 23, 2024 · 4 comments
Labels
area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. dartfuzz Found with Dart fuzzing (DartFuzz, libFuzzer, etc.) type-bug Incorrect behavior (everything from a crash to more subtle misbehavior)

Comments

@rmacnak-google
Contributor

import 'dart:typed_data';

Int16List var11 = Int16List(33);
List<bool> var79 = <bool>[true, false];
Map<int, bool> var109 = <int, bool>{-74: true, -72: false, 34: true};

main() {
  if (var79[-9223372034707292160]) {
    switch ((var109[var11[-9223372034707292160]]! ? 100 : 200) <<
        (~9223372034707292159)) {}
  }
}
DART_CONFIGURATION='DebugX64' DART_VM_FLAGS='--enable-asserts' pkg/vm/tool/precompiler2 --optimization_level=3 fuzz.dart snapshot
../../runtime/vm/compiler/backend/il_x64.cc: 6003: error: expected: shift >= 0
version=3.7.0-edge (main) (Unknown timestamp) on "linux_x64"
pid=2673627, thread=2673627, isolate_group=isolate(0x55d1df5e3820), isolate=(nil)((nil))
os=linux, arch=x64, comp=no, sim=no
isolate_instructions=0, vm_instructions=0
fp=7ffe023766d0, sp=7ffe023765a0, pc=55d1cb4caf1c
  pc 0x000055d1cb4caf1c fp 0x00007ffe023766d0 dart::Profiler::DumpStackTrace+0x7c
  pc 0x000055d1cb20f214 fp 0x00007ffe023767b0 dart::Assert::Fail+0x84
  pc 0x000055d1cb993909 fp 0x00007ffe023767f0 dart::EmitShiftInt64ByConstant+0x169
  pc 0x000055d1cb9934fb fp 0x00007ffe02376840 dart::ShiftInt64OpInstr::EmitNativeCode+0xeb
  pc 0x000055d1cb904239 fp 0x00007ffe023769b0 dart::FlowGraphCompiler::VisitBlocks+0x4c9
  pc 0x000055d1cb903c9e fp 0x00007ffe023769e0 dart::FlowGraphCompiler::CompileGraph+0x2e
  pc 0x000055d1cba06550 fp 0x00007ffe023769f0 dart::CompilerPass_GenerateCode::DoBody+0x10
  pc 0x000055d1cba049b3 fp 0x00007ffe02376ac0 dart::CompilerPass::Run+0x1a3
  pc 0x000055d1cb8a6c02 fp 0x00007ffe02377240 dart::PrecompileParsedFunctionHelper::Compile+0x5f2
  pc 0x000055d1cb8a77f2 fp 0x00007ffe02377b00 dart::PrecompileFunctionHelper+0x372
  pc 0x000055d1cb8a21aa fp 0x00007ffe02377c10 dart::Precompiler::CompileFunction+0x19a
  pc 0x000055d1cb8a0bac fp 0x00007ffe02377cb0 dart::Precompiler::ProcessFunction+0x18c
  pc 0x000055d1cb89b394 fp 0x00007ffe02377d00 dart::Precompiler::Iterate+0x94
  pc 0x000055d1cb897d1b fp 0x00007ffe023786a0 dart::Precompiler::DoCompileAll+0x18db
  pc 0x000055d1cb896390 fp 0x00007ffe02378b20 dart::Precompiler::CompileAll+0xb0
  pc 0x000055d1cbaf1f6a fp 0x00007ffe02378d10 Dart_Precompile+0x1aa
  pc 0x000055d1cb1e08c0 fp 0x00007ffe02378e70 dart::bin::main+0x880
-- End of DumpStackTrace
=== Crash occurred when compiling file:///usr/local/google/home/rmacnak/dart1/sdk/fuzz.dart_::_main_main in AOT mode in GenerateCode pass
=== When compiling block B8[join]:24 pred(B17, B18) {
      v61 <- phi(v0 T{Null?}, v59) alive T{Object??}
}
=== When compiling instruction v22 <- ShiftInt64Op(<< [tr], v80 T{_Smi}, v46 T{_Mint}) [-9223372036854775808, 9223372036854775807] int64
*** BEGIN CFG
GenerateCode
==== file:///usr/local/google/home/rmacnak/dart1/sdk/fuzz.dart_::_main_main (ImplicitClosureFunction)
  0: B0[graph]:0 {
      v0 <- Constant(#null) T{Null?}
      v43 <- Constant(#true) T{bool}
      v46 <- UnboxedConstant(#-9223372034707292160) [-9223372034707292160, -9223372034707292160] int64
}
  2: B2[function entry]:2 {
      v2 <- Parameter(0 @fp[2]) T{*?}
}
  4:     CheckStackOverflow:8(stack=0, loop=0)
  6:     v64 <- LoadStaticField:4(var79, CallsInitializer) T{_GrowableList}
  7:     ParallelMove rcx <- rax
  8:     v24 <- LoadField(v64 . GrowableObjectArray.length) [0, 576460752303423487] T{_Smi}
 10:     v75 <- UnboxInt64([non-speculative], v24) [v24, v24] int64
 11:     ParallelMove rax <- rax, rbx <- C
 12:     GenericCheckBound:16(v75 T{_Smi}, v46 T{_Mint}) int64
 14:     v26 <- LoadField(v64 . GrowableObjectArray.data) T{_List}
 15:     ParallelMove rbx <- C
 16:     v81 <- LoadIndexed:16([_List] v26, v46 T{_Mint}) T{bool}
 18:     Branch if StrictCompare:18(===, v81 T{bool}, v43 T{bool}) goto (5, 9)
 20: B5[target]:22
 22:     v49 <- LoadStaticField:4(var109, CallsInitializer) T{_Map}
 24:     ParallelMove fp[-1] <- rax
 24:     v52 <- LoadStaticField:4(var11, CallsInitializer) T{_Int16List}
 25:     ParallelMove rcx <- rax
 26:     v28 <- LoadField(v52 . TypedDataBase.length {final}) [0, 4611686018427387903] T{_Smi}
 28:     v77 <- UnboxInt64([non-speculative], v28) [v28, v28] int64
 29:     ParallelMove rax <- rax, rbx <- C
 30:     GenericCheckBound:30(v77 T{_Smi}, v46 T{_Mint}) [0, 4611686018427387903] int64
 31:     ParallelMove rax <- C
 32:     v82 <- LoadIndexed:30([_Int16List] v52, v46 T{_Mint}) [-32768, 32767] int64
 34:     v79 <- BoxInt64(v82 T{_Smi}) [-32768, 32767] T{_Smi}
 35:     ParallelMove rdi <- fp[-1], rsi <- rsi
 36:     v59 <- StaticCall:12( _getValueOrData@3099033<0> v49 T{_Map}, v79 T{_Smi}, using unchecked entrypoint) T{Object??}
 37:     ParallelMove rax <- rax, rcx <- fp[-1]
 38:     v69 <- LoadField(v49 T{_Map} . LinkedHashBase.data) T{_List}
 40:     Branch if StrictCompare:16(===, v69 T{_List}, v59) goto (17, 18)
 42: B17[target]:20
 44:     ParallelMove rcx <- C goto:26 B8
 46: B18[target]:22
 48:     ParallelMove rcx <- rax goto:28 B8
 50: B8[join]:24 pred(B17, B18) {
      v61 <- phi(v0 T{Null?}, v59) alive T{Object??}
}
 52:     CheckNull:34(v61 T{bool?}, CastError) T{bool}
 54:     v70 <- IfThenElse(===, v61 T{bool}, v43 ? 100 : 200) [100, 200] T{_Smi}
 56:     v80 <- UnboxInt64([non-speculative], v70 T{_Smi}) [100, 200] int64
 58:     v22 <- ShiftInt64Op(<< [tr], v80 T{_Smi}, v46 T{_Mint}) [-9223372036854775808, 9223372036854775807] int64
 60:     ParallelMove  goto:58 B10
 62: B9[target]:54
 64:     ParallelMove  goto:60 B10
 66: B10[join]:56 pred(B8, B9)
 67:     ParallelMove rax <- C
 68:     DartReturn:12(v0)
*** END CFG

@rmacnak-google rmacnak-google added area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. dartfuzz Found with Dart fuzzing (DartFuzz, libFuzzer, etc.) labels Oct 23, 2024
@rmacnak-google
Contributor Author

log

@lrhn lrhn added the type-bug Incorrect behavior (everything from a crash to more subtle misbehavior) label Oct 23, 2024
@rmacnak-google
Contributor Author

v46 <- UnboxedConstant(#-9223372034707292160) [-9223372034707292160, -9223372034707292160] int64
v25 <- GenericCheckBound:16(v75 T{_Smi}, v46 T{_Mint}) int64
v29 <- GenericCheckBound:30(v77 T{_Smi}, v25 T{_Mint}) [0, 4611686018427387903] int64
v22 <- ShiftInt64Op(<< [tr], v80 T{_Smi}, v29 T{_Mint}) [-9223372036854775808, 9223372036854775807] int64  shift-range=[0, 4611686018427387903]

FinalizeGraph

v46 <- UnboxedConstant(#-9223372034707292160) [-9223372034707292160, -9223372034707292160] int64
GenericCheckBound:16(v75 T{_Smi}, v46 T{_Mint}) int64
GenericCheckBound:30(v77 T{_Smi}, v46 T{_Mint}) [0, 4611686018427387903] int64
v22 <- ShiftInt64Op(<< [tr], v80 T{_Smi}, v46 T{_Mint}) [-9223372036854775808, 9223372036854775807] int64 shift-range=[0, 4611686018427387903]   

FinalizeGraph flattens out the redefinitions, and the unreachable shift's shamt definition and range become contradictory.

@rmacnak-google
Contributor Author

LICM introduced the connection to the bounds check.

v22 <- ShiftInt64Op(<< [tr], v80 T{_Smi}, v46 T{_Mint}) int64
=>
v22 <- ShiftInt64Op(<< [tr], v80 T{_Smi}, v29 T{_Mint}) int64

@rmacnak-google
Contributor Author

copybara-service bot pushed a commit that referenced this issue Oct 29, 2024
…nstructions during LICM.

TEST=dartfuzz
Bug: #56947
Change-Id: Icf593c246f226dd9d8d8b6b055122f8b567be35e
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/391682
Reviewed-by: Alexander Markov <[email protected]>
Commit-Queue: Ryan Macnak <[email protected]>
copybara-service bot pushed a commit that referenced this issue Oct 29, 2024
…emitting a break instead of asserting.

The compiler sometimes fails to remove unreachable IL instructions, and such instructions can have contradictory range information.

TEST=dartfuzz
Bug: #56947
Change-Id: I435019ea87804fdb649e7ff8cee855d08be24019
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/392403
Commit-Queue: Ryan Macnak <[email protected]>
Reviewed-by: Alexander Markov <[email protected]>
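Added model, not Dart VM code: a Python sketch of the sequence described in the comments above (LICM rewiring v22's shift amount to the bounds-checked redefinition v29, range analysis recording shift-range=[0, 4611686018427387903], FinalizeGraph flattening the redefinition back to the constant v46) and of the fix from the second commit, which emits a break for the now-unreachable shift instead of asserting. IL names, ranges and pass order are taken from the issue; the emitted strings and helper names are assumptions.

```python
from dataclasses import dataclass

INT64_MIN, INT64_MAX = -(1 << 63), (1 << 63) - 1
SMI_MAX = 4611686018427387903      # upper bound of v77's length range on the page
SHAMT = -9223372034707292160       # the page's v46 constant

@dataclass
class Value:
    name: str
    lo: int
    hi: int
    redefines: "Value | None" = None   # set for a Redefinition such as a GenericCheckBound result

def unboxed_constant(name, c):
    return Value(name, c, c)

def generic_check_bound(name, length, index):
    # On the fall-through path the index is known to lie in [0, length.hi]; modelled as a redefinition.
    return Value(name, 0, length.hi, redefines=index)

@dataclass
class ShiftInt64Op:
    name: str
    shamt: Value
    shift_range: tuple = (INT64_MIN, INT64_MAX)

def licm(shift, checked_index):
    shift.shamt = checked_index          # v46 => v29 on the page

def range_analysis(shift):
    shift.shift_range = (shift.shamt.lo, shift.shamt.hi)

def finalize_graph(shift):
    # Redefinitions are flattened back to the original definition; the recorded range survives.
    v = shift.shamt
    while v.redefines is not None:
        v = v.redefines
    shift.shamt = v

def is_contradictory(shift):
    c = shift.shamt.lo
    return not (shift.shift_range[0] <= c <= shift.shift_range[1])

def emit_shift_by_constant(shift, tolerate_unreachable):
    c = shift.shamt.lo
    if c < 0:                            # only possible for a dead instruction with stale range info
        if tolerate_unreachable:
            return "int3"                # the fix: emit a break instead of asserting
        raise AssertionError("expected: shift >= 0")   # il_x64.cc:6003 on the page
    return "xor rax, rax" if c >= 64 else f"shl rax, {c}"   # assumed x64 lowering; [tr] shift >= 64 yields 0

def build_page_graph():
    v46 = unboxed_constant("v46", SHAMT)
    v75, v77 = Value("v75", 0, 576460752303423487), Value("v77", 0, SMI_MAX)
    v29 = generic_check_bound("v29", v77, generic_check_bound("v25", v75, v46))
    v22 = ShiftInt64Op("v22", v46)
    licm(v22, v29); range_analysis(v22); finalize_graph(v22)
    return v22
```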