DartFuzz: Write-captured variables can't be promoted #42066

Closed
bkonyi opened this issue May 26, 2020 · 3 comments
Labels
dartfuzz Found with Dart fuzzing (DartFuzz, libFuzzer, etc.) legacy-area-front-end Legacy: Use area-dart-model instead.

Comments

@bkonyi
Contributor

bkonyi commented May 26, 2020

Reproduction commands:

dart runtime/tools/dartfuzz/dartfuzz.dart --fp --no-ffi --no-flat --seed 1618758001 fuzz.dart

DART_CONFIGURATION='DebugX64' DART_VM_FLAGS='--enable-asserts' pkg/vm/tool/precompiler2 --optimization_level=3 --use-slow-path --deterministic fuzz.dart snapshot

Stacktrace (full logs here):

Crash when compiling file:///b/s/w/it9KSnnR/dart_fuzzUTNBRC/fuzz.dart,
at character offset 1561828:
'package:_fe_analyzer_shared/src/flow_analysis/flow_analysis.dart': Failed assertion: line 1713 pos 12: '!writeCaptured || promotedTypes == null': Write-captured variables can't be promoted
#0      _AssertionError._doThrowNew (dart:core-patch/errors_patch.dart:42:39)
#1      _AssertionError._throwNew (dart:core-patch/errors_patch.dart:38:5)
#2      new VariableModel (package:_fe_analyzer_shared/src/flow_analysis/flow_analysis.dart:1713:12)
#3      VariableModel._identicalOrNew (package:_fe_analyzer_shared/src/flow_analysis/flow_analysis.dart:2166:18)
#4      VariableModel.restrict (package:_fe_analyzer_shared/src/flow_analysis/flow_analysis.dart:1816:12)
#5      FlowModel.restrict (package:_fe_analyzer_shared/src/flow_analysis/flow_analysis.dart:1337:60)
#6      _FlowAnalysisImpl.tryFinallyStatement_end (package:_fe_analyzer_shared/src/flow_analysis/flow_analysis.dart:2798:25)
#7      InferenceVisitor.visitTryStatement (package:front_end/src/fasta/kernel/inference_visitor.dart:5306:29)
#8      TryStatement.acceptInference (package:front_end/src/fasta/kernel/internal_ast.dart:300:20)
#9      TypeInferrerImpl.inferStatement (package:front_end/src/fasta/type_inference/type_inferrer.dart:3412:24)
#10     InferenceVisitor._visitStatements (package:front_end/src/fasta/kernel/inference_visitor.dart:284:20)
#11     InferenceVisitor.visitBlock (package:front_end/src/fasta/kernel/inference_visitor.dart:305:30)
#12     Block.accept (package:kernel/ast.dart:5463:43)
#13     TypeInferrerImpl.inferStatement (package:front_end/src/fasta/type_inference/type_inferrer.dart:3414:24)
#14     InferenceVisitor.visitTryStatement (package:front_end/src/fasta/kernel/inference_visitor.dart:5285:18)
#15     TryStatement.acceptInference (package:front_end/src/fasta/kernel/internal_ast.dart:300:20)
#16     TypeInferrerImpl.inferStatement (package:front_end/src/fasta/type_inference/type_inferrer.dart:3412:24)
#17     InferenceVisitor._visitStatements (package:front_end/src/fasta/kernel/inference_visitor.dart:284:20)
#18     InferenceVisitor.visitBlock (package:front_end/src/fasta/kernel/inference_visitor.dart:305:30)
#19     Block.accept (package:kernel/ast.dart:5463:43)
#20     TypeInferrerImpl.inferStatement (package:front_end/src/fasta/type_inference/type_inferrer.dart:3414:24)
#21     TypeInferrerImpl.inferFunctionBody (package:front_end/src/fasta/type_inference/type_inferrer.dart:1995:39)
#22     BodyBuilder.finishFunction (package:front_end/src/fasta/kernel/body_builder.dart:974:28)
#23     DietListener.listenerFinishFunction (package:front_end/src/fasta/source/diet_listener.dart:954:14)
#24     DietListener.buildFunctionBody (package:front_end/src/fasta/source/diet_listener.dart:992:7)
#25     DietListener._endClassMethod (package:front_end/src/fasta/source/diet_listener.dart:713:5)
#26     DietListener.endClassMethod (package:front_end/src/fasta/source/diet_listener.dart:664:5)
#27     Parser.parseMethod (package:_fe_analyzer_shared/src/parser/parser_impl.dart:3647:20)
#28     Parser.parseClassOrMixinOrExtensionMemberImpl (package:_fe_analyzer_shared/src/parser/parser_impl.dart:3394:15)
#29     Parser.parseClassOrMixinOrExtensionBody (package:_fe_analyzer_shared/src/parser/parser_impl.dart:3087:15)
#30     Parser.parseClass (package:_fe_analyzer_shared/src/parser/parser_impl.dart:1836:13)
#31     Parser.parseClassOrNamedMixinApplication (package:_fe_analyzer_shared/src/parser/parser_impl.dart:1794:14)
#32     Parser.parseTopLevelKeywordDeclaration (package:_fe_analyzer_shared/src/parser/parser_impl.dart:578:14)
#33     Parser.parseTopLevelDeclarationImpl (package:_fe_analyzer_shared/src/parser/parser_impl.dart:474:14)
#34     Parser.parseUnit (package:_fe_analyzer_shared/src/parser/parser_impl.dart:354:15)
#35     SourceLoader.buildBody (package:front_end/src/fasta/source/source_loader.dart:350:14)
<asynchronous suspension>
#36     Loader.buildBodies (package:front_end/src/fasta/loader.dart:233:15)
#37     KernelTarget.buildComponent.<anonymous closure> (package:front_end/src/fasta/kernel/kernel_target.dart:357:20)
#38     withCrashReporting (package:front_end/src/fasta/crash.dart:122:24)
#39     KernelTarget.buildComponent (package:front_end/src/fasta/kernel/kernel_target.dart:355:12)
#40     generateKernelInternal.<anonymous closure> (package:front_end/src/kernel_generator_impl.dart:140:38)
<asynchronous suspension>
#41     generateKernelInternal.<anonymous closure> (package:front_end/src/kernel_generator_impl.dart)
#42     withCrashReporting (package:front_end/src/fasta/crash.dart:122:24)
#43     generateKernelInternal (package:front_end/src/kernel_generator_impl.dart:70:10)
#44     kernelForProgramInternal.<anonymous closure> (package:front_end/src/api_prototype/kernel_generator.dart:61:35)
#45     CompilerContext.runWithOptions.<anonymous closure> (package:front_end/src/fasta/compiler_context.dart:135:20)
<asynchronous suspension>
#46     CompilerContext.runWithOptions.<anonymous closure> (package:front_end/src/fasta/compiler_context.dart)
#47     CompilerContext.runInContext.<anonymous closure>.<anonymous closure> (package:front_end/src/fasta/compiler_context.dart:123:46)
#48     new Future.sync (dart:async/future.dart:224:31)
#49     CompilerContext.runInContext.<anonymous closure> (package:front_end/src/fasta/compiler_context.dart:123:19)
#50     _rootRun (dart:async/zone.dart:1184:13)
#51     _CustomZone.run (dart:async/zone.dart:1077:19)
#52     _runZoned (dart:async/zone.dart:1619:10)
#53     runZoned (dart:async/zone.dart:1539:10)
#54     CompilerContext.runInContext (package:front_end/src/fasta/compiler_context.dart:122:12)
#55     CompilerContext.runWithOptions (package:front_end/src/fasta/compiler_context.dart:133:10)
#56     kernelForProgramInternal (package:front_end/src/api_prototype/kernel_generator.dart:60:32)
#57     kernelForProgram (package:front_end/src/api_prototype/kernel_generator.dart:52:17)
#58     compileToKernel (package:vm/kernel_front_end.dart:349:41)
#59     runCompiler (package:vm/kernel_front_end.dart:252:25)
#60     compile (file:///b/s/w/ir/pkg/vm/bin/gen_kernel.dart:39:10)
#61     main (file:///b/s/w/ir/pkg/vm/bin/gen_kernel.dart:34:25)
#62     _startIsolate.<anonymous closure> (dart:isolate-patch/isolate_patch.dart:299:32)
#63     _RawReceivePortImpl._handleMessage (dart:isolate-patch/isolate_patch.dart:168:12)
@bkonyi bkonyi added legacy-area-front-end Legacy: Use area-dart-model instead. dartfuzz Found with Dart fuzzing (DartFuzz, libFuzzer, etc.) labels May 26, 2020
@stereotype441
Member

This no longer reproduces. @bkonyi is there a good way to retrieve the problematic source code the fuzzer found, so I can double check that the issue is truly fixed?

@stereotype441 stereotype441 added the needs-info We need additional information from the issue author (auto-closed after 14 days if no response) label Jul 6, 2020
@bkonyi
Contributor Author

bkonyi commented Jul 6, 2020

> This no longer reproduces. @bkonyi is there a good way to retrieve the problematic source code the fuzzer found, so I can double check that the issue is truly fixed?

Yes, you can check out 3fb5f27d055404e7027b3623a17b295c12837dd4 and regenerate the reproduction case to ensure that you're able to reproduce.

However, it appears that this does reproduce as we're seeing a similar failure from last night's fuzzer runs: https://logs.chromium.org/logs/dart/buildbucket/cr-buildbucket.appspot.com/8875558953637989616/+/steps/make_a_fuzz_shard_84/0/logs/task_stdout_stderr:_make_a_fuzz_shard_84/0

@no-response no-response bot removed the needs-info We need additional information from the issue author (auto-closed after 14 days if no response) label Jul 6, 2020
@stereotype441 stereotype441 self-assigned this Jul 7, 2020
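
Deciding whether a later fuzzer failure is the same crash as this report can be done mechanically by bucketing on the failed assertion and the leading non-runtime frames. The sketch below is an added example, not part of the thread or of DartFuzz; `parse_crash`, `bucket`, `depth` and `SAMPLE` are hypothetical names, and the sample is the assertion line plus frames #0-#6 from the report above.

```python
import hashlib
import re

# Frame line, e.g. "#2      new VariableModel (package:.../flow_analysis.dart:1713:12)"
FRAME_RE = re.compile(r"^#(\d+)\s+(.+?) \((\S+?)(?::\d+)*\)$")
# Assertion line: captures the failed condition, not its line/column.
ASSERT_RE = re.compile(r"Failed assertion: line \d+ pos \d+: '(.+?)': (.*)$")

# Constructed sample: assertion line and frames #0-#6 copied from the report.
SAMPLE = """\
'package:_fe_analyzer_shared/src/flow_analysis/flow_analysis.dart': Failed assertion: line 1713 pos 12: '!writeCaptured || promotedTypes == null': Write-captured variables can't be promoted
#0      _AssertionError._doThrowNew (dart:core-patch/errors_patch.dart:42:39)
#1      _AssertionError._throwNew (dart:core-patch/errors_patch.dart:38:5)
#2      new VariableModel (package:_fe_analyzer_shared/src/flow_analysis/flow_analysis.dart:1713:12)
#3      VariableModel._identicalOrNew (package:_fe_analyzer_shared/src/flow_analysis/flow_analysis.dart:2166:18)
#4      VariableModel.restrict (package:_fe_analyzer_shared/src/flow_analysis/flow_analysis.dart:1816:12)
#5      FlowModel.restrict (package:_fe_analyzer_shared/src/flow_analysis/flow_analysis.dart:1337:60)
#6      _FlowAnalysisImpl.tryFinallyStatement_end (package:_fe_analyzer_shared/src/flow_analysis/flow_analysis.dart:2798:25)
"""

def parse_crash(log):
    """Return (assertion condition, [(function, source file), ...])."""
    condition, frames = None, []
    for line in log.splitlines():
        m = ASSERT_RE.search(line)
        if m and condition is None:
            condition = m.group(1)
            continue
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m.group(2), m.group(3)))
    return condition, frames

def bucket(log, depth=4):
    """Dedup signature: the assertion plus the first `depth` frames outside
    the dart: runtime, with line/column numbers dropped so the bucket
    survives unrelated edits to the same files."""
    condition, frames = parse_crash(log)
    app = [f for f in frames if not f[1].startswith("dart:")][:depth]
    key = "\n".join([condition or ""] + [f"{fn}@{src}" for fn, src in app])
    return hashlib.sha256(key.encode()).hexdigest()[:16], app

if __name__ == "__main__":
    print(bucket(SAMPLE))
```
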
@stereotype441
Member

Ok, I've got a repro that I think is pretty minimal:

f() {
  int par2;
  par2 = 0;
  try {
  } catch (exception) {
    throw 'x';
    (){
      par2 = 1;
    };
  } finally {}
}

I'm now investigating why this causes an assertion failure.
