result == fixed_size + (stack_slots * kPointerSize) - StandardFrameConstants::kF |
|||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5079875452403712 Fuzzer: mbarbella_js_mutation Job Type: linux_v8_d8_tot Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: result == fixed_size + (stack_slots * kPointerSize) - StandardFrameConstants::kF Regressed: V8: r34206:34211 Minimized Testcase (0.36 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97tbfrX_J0hmTuGFmvETvF6gPqgwpQLi_DtMni-KoG_rkgU3ZrheVUTbGRMjWJYFWaxaLjUvpRnzh01NVf49zyeDkC1B_yUi_sYsW6mZd57anQ7Y9ZCcONClI48fjVVDVSguV7HdPWZSqj1va9-EJUuKBIFeg var __v_13 = {}; __v_2 = 100000; __v_4 = [null]; function __f_3(__v_0) { return __v_4[(__v_0 / __v_2) | 0]; } function __f_2() { for (var __v_0 = 0; __v_0 < 2 * __v_2; __v_0++) { null == __f_3(__v_0) && __v_1++; } } try { __f_2(); } catch(e) {; } __v_4 = __v_13; __v_4[0] = 1.5; var __v_8 = new Proxy({}, { }); function __f_11() { __f_2(); } __f_11(); Filer: machenbach See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 7 2016
,
Mar 8 2016
Bisected to 59ba2a8f34dfbeeb5625757f190df5720d3a8c4b [turbofan] Initial support for keyed access to holey elements. Smallest repro: out/x64.debug/d8 test.js --turbo --always-opt --trace-opt --trace-turbo-inlining --trace-osr --trace-deopt --turbo-filter=f1 ===== test.js ===== var v2 = 100000; var v4 = []; function f2() { for (var v0 = 0; v0 < 2 * v2; v0++) { (null == v4[(v0 / v2) | 0]) && ~v1; } } try { f2(); } catch(e) {} v4[0] = 1.5; function f1() { f2(); } try { f1(); } catch (e) {}
,
Mar 9 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/69c84fe460ee20cd16923aa2a20058a998086322 commit 69c84fe460ee20cd16923aa2a20058a998086322 Author: jarin <jarin@chromium.org> Date: Wed Mar 09 12:35:38 2016 [turbofan] Fix deoptimization stack layout for fast literal comparisons. BUG= chromium:592341 LOG=n Review URL: https://codereview.chromium.org/1776013002 Cr-Commit-Position: refs/heads/master@{#34615} [modify] https://crrev.com/69c84fe460ee20cd16923aa2a20058a998086322/src/compiler/ast-graph-builder.cc [modify] https://crrev.com/69c84fe460ee20cd16923aa2a20058a998086322/src/compiler/ast-graph-builder.h [add] https://crrev.com/69c84fe460ee20cd16923aa2a20058a998086322/test/mjsunit/regress/regress-592341.js
,
Mar 10 2016
ClusterFuzz has detected this issue as fixed in range 34607:34639. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5079875452403712 Fuzzer: mbarbella_js_mutation Job Type: linux_v8_d8_tot Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: result == fixed_size + (stack_slots * kPointerSize) - StandardFrameConstants::kF Regressed: V8: r34206:34211 Fixed: V8: r34607:34639 Minimized Testcase (0.36 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97tbfrX_J0hmTuGFmvETvF6gPqgwpQLi_DtMni-KoG_rkgU3ZrheVUTbGRMjWJYFWaxaLjUvpRnzh01NVf49zyeDkC1B_yUi_sYsW6mZd57anQ7Y9ZCcONClI48fjVVDVSguV7HdPWZSqj1va9-EJUuKBIFeg var __v_13 = {}; __v_2 = 100000; __v_4 = [null]; function __f_3(__v_0) { return __v_4[(__v_0 / __v_2) | 0]; } function __f_2() { for (var __v_0 = 0; __v_0 < 2 * __v_2; __v_0++) { null == __f_3(__v_0) && __v_1++; } } try { __f_2(); } catch(e) {; } __v_4 = __v_13; __v_4[0] = 1.5; var __v_8 = new Proxy({}, { }); function __f_11() { __f_2(); } __f_11(); See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 11 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by machenb...@chromium.org
, Mar 7 2016