Component: Blink>JavaScript
Description
OS: Ubuntu Linux 22.04 LTS
What steps will reproduce the problem?
(1) Compile V8 fuzzilli builds with --args='is_debug=false dcheck_always_on=true v8_static_library=true v8_enable_verify_heap=true v8_fuzzilli=true sanitizer_coverage_flags="trace-pc-guard" target_cpu="x64"'
(2) Run the V8 shell d8 binary
What is the expected result?
No crash on startup
What happens instead?
Crash on startup
Compiling V8 fuzzilli builds with --args='v8_enable_partition_alloc=false is_debug=false dcheck_always_on=true v8_static_library=true v8_enable_verify_heap=true v8_fuzzilli=true sanitizer_coverage_flags="trace-pc-guard" target_cpu="x64"' makes the crash go away.
dcea6553b431-98877
dcea6553b431fd9f1a65d410e9baa66b569da25d is the first bad commit
commit dcea6553b431fd9f1a65d410e9baa66b569da25d
Author: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Sat Feb 22 20:28:29 2025 +0000
Use partition_alloc in D8.
In V8 standalone, the CLI runner currently uses the default memory
allocator. To achieve benchmark results closer to in-browser behavior,
we need to add support for using the partition_alloc as an optional
memory allocator. This will allow benchmarking scenarios that more
accurately reflect behaviors inside Chrome.
Usage:
v8_enable_partition_alloc = true
It is enabled by default in standalone V8.
Bug:
Change-Id: Id5948abc50f4256e42a0b2f203e8b06a4babec1a
Reviewed-on:
Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#98877}
Part of the debug stack:
```
Program received signal SIGSEGV, Segmentation fault.
0x000055555844845c in __sanitizer_cov_trace_pc_guard () at ../../../trees/v8/src/fuzzilli/cov.cc:108
108 ../../../trees/v8/src/fuzzilli/cov.cc: No such file or directory.
(gdb) bt
#0 0x000055555844845c in __sanitizer_cov_trace_pc_guard () at ../../../trees/v8/src/fuzzilli/cov.cc:108
#1 0x000055555a026a0a in malloc () at ../../../trees/v8/third_party/partition_alloc/src/partition_alloc/shim/allocator_shim_override_libc_symbols.h:39
#2 0x00007ffff7fc7cca in malloc (size=155) at ../include/rtld-malloc.h:56
#3 __GI__dl_exception_create_format (exception=exception@entry=0x7fffffffd830, objname=0x7fffffffdf12 "/home/i32g7900a/shell-cache/v8-dbg-64-fzli-linux-x86_64-6cb5d344ed12-99019/v8-dbg-64-fzli-linux-x86_64-6cb5d344ed12-99019", fmt=fmt@entry=0x7ffff7ff0eb4 "undefined symbol: %s%s%s") at ./elf/dl-exception.c:157
#4 0x00007ffff7fcf3dc in _dl_lookup_symbol_x (undef_name=0x555555845d77 "swift_demangle", undef_map=0x7ffff7ffe2e0, ref=0x7fffffffd8a8, symbol_scope=<optimized out>, version=0x0, type_class=0, flags=3, skip_map=0x0) at ./elf/dl-lookup.c:877
#5 0x00007ffff7d75954 in do_sym (flags=2, vers=0x0, who=0x555555e74934 <LateInitialize()+20>, name=0x555555845d77 "swift_demangle", handle=<optimized out>) at ./elf/dl-sym.c:146
```