!is_bottommost || stack_fp_ == fp_value in src/deoptimizer.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5723976604581888

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !is_bottommost || stack_fp_ == fp_value in src/deoptimizer.cc

Regressed: V8: r34609:34610

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv973kiWzCdMHRX9h_1wD-EckPnk3wZR2MKtivo9AzUcEe-PyQgv1r5QOJfX_c2yrxzQFzMNOA04M68-UTQlUYMCWBg9fwEVaci1oiNEvWatZVIPRJDb2Oq4-NXvPyrKi-ihsCLRn2kpTpybMhj6_g8Go6A13rw

  (function() {
    'use strict';
    var __v_1 = { deopt: true };
    var __v_0 = {};
    // Strict-mode tail call: a zero-parameter function calls a
    // callee with eight arguments in return position.
    __v_0.a = function __f_0() { return this.b(1, 2, 3, 4, 5, 6, 7, 8); };
    __v_0.b = function __f_5(a, b, c, d, e, f, g, h) { __v_1.deopt; };
    __v_0.a();
    __v_0.a();
    %OptimizeFunctionOnNextCall(__v_0.a);
    // Changing the shape of __v_1 invalidates the optimized code and forces a deopt.
    delete __v_1.deopt;
    __v_0.a();
  })();

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 10 2016
Mar 11 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/690c7a854a9673ea6459e3da7db9bc0818d5ba82

commit 690c7a854a9673ea6459e3da7db9bc0818d5ba82
Author: ishell <ishell@chromium.org>
Date: Fri Mar 11 11:40:18 2016

[turbofan] Avoid dereferencing empty handle when inlining a tail call.

BUG=chromium:593697,v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1781303002

Cr-Commit-Position: refs/heads/master@{#34716}

[modify] https://crrev.com/690c7a854a9673ea6459e3da7db9bc0818d5ba82/src/compiler/js-inlining.cc
[add] https://crrev.com/690c7a854a9673ea6459e3da7db9bc0818d5ba82/test/mjsunit/regress/regress-crbug-593697-2.js
Mar 11 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/dd0e6ca04c14a5ff9fe26569255f98cebe6125fe

commit dd0e6ca04c14a5ff9fe26569255f98cebe6125fe
Author: ishell <ishell@chromium.org>
Date: Fri Mar 11 12:32:40 2016

[deoptimizer] Removed asserts that do not hold in case of tail call elimination.

These checks can fail if the bottommost function is a tail caller and the next function has a different number of arguments than the bottommost one.

BUG=chromium:593697,v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1785253003

Cr-Commit-Position: refs/heads/master@{#34718}

[modify] https://crrev.com/dd0e6ca04c14a5ff9fe26569255f98cebe6125fe/src/deoptimizer.cc
Mar 11 2016
Mar 11 2016
ClusterFuzz has detected this issue as fixed in range 34715:34716.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6046147732307968

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  (location_) != nullptr in src/handles.h

Regressed: V8: r34609:34610
Fixed: V8: r34715:34716

Minimized Testcase (0.18 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv952R6A019sY7YxqbxDC_7bAqX8E2OoA_8GyK7uGr_bNrUTXyIZWrVe1QoDmjXjZ_a99e1LOlTqxUOf8QnmA2jBHlJZuOtLGk9jI9QRXXaXmLZMWTanRKhj8DHJBh4PxsWFO0rPa5V3TcGR8xMpbMV6zrJhGyA

  "use strict";
  var __f_5 = (function __f_6(stdlib) {
    "use asm";
    var __v_6 = stdlib.Math.cos;
    // Tail call of a stdlib import with no arguments.
    function __f_5() { return __v_6(); }
    return { __f_5: __f_5 };
  })(this, {}).__f_5();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 12 2016
ClusterFuzz has detected this issue as fixed in range 34717:34718.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5723976604581888

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !is_bottommost || stack_fp_ == fp_value in src/deoptimizer.cc

Regressed: V8: r34609:34610
Fixed: V8: r34717:34718

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv973kiWzCdMHRX9h_1wD-EckPnk3wZR2MKtivo9AzUcEe-PyQgv1r5QOJfX_c2yrxzQFzMNOA04M68-UTQlUYMCWBg9fwEVaci1oiNEvWatZVIPRJDb2Oq4-NXvPyrKi-ihsCLRn2kpTpybMhj6_g8Go6A13rw

  (function() {
    'use strict';
    var __v_1 = { deopt: true };
    var __v_0 = {};
    __v_0.a = function __f_0() { return this.b(1, 2, 3, 4, 5, 6, 7, 8); };
    __v_0.b = function __f_5(a, b, c, d, e, f, g, h) { __v_1.deopt; };
    __v_0.a();
    __v_0.a();
    %OptimizeFunctionOnNextCall(__v_0.a);
    delete __v_1.deopt;
    __v_0.a();
  })();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
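The ClusterFuzz comments above link to the general reproduction guide but do not show the local steps. The script below is an added example, not part of the bug report or of V8: it writes the minimized testcase from the report to a file and runs it under a local d8. It assumes a d8 binary on PATH or given through D8=..., built as an ASan debug build to match the linux_asan_d8_dbg job; the report does not list the flags ClusterFuzz used, so only --allow-natives-syntax is passed, which the %OptimizeFunctionOnNextCall intrinsic requires. The file name crbug-593697.js is a choice made here.

```shell
#!/bin/sh
# Added example (not from the bug tracker page or the V8 project).
# Assumptions: D8 points at a d8 built with ASan in debug mode; the
# testcase file name and location are chosen here, not by the report.
set -eu

TESTCASE_FILE="${TESTCASE_FILE:-./crbug-593697.js}"

# Write the minimized testcase verbatim. The quoted heredoc keeps the
# '%' intrinsic and '$'-free text from being touched by the shell.
write_testcase() {
  cat > "$1" <<'EOF'
(function() {
  'use strict';
  var __v_1 = { deopt: true };
  var __v_0 = {};
  __v_0.a = function __f_0() { return this.b(1, 2, 3, 4, 5, 6, 7, 8); };
  __v_0.b = function __f_5(a, b, c, d, e, f, g, h) { __v_1.deopt; };
  __v_0.a();
  __v_0.a();
  %OptimizeFunctionOnNextCall(__v_0.a);
  delete __v_1.deopt;
  __v_0.a();
})();
EOF
}

# Run the testcase under d8. %-prefixed runtime calls are a syntax
# error unless --allow-natives-syntax is given. In a debug build the
# CHECK failure aborts d8, so a non-zero exit here is the repro.
run_testcase() {
  d8="${D8:-d8}"
  if ! command -v "$d8" >/dev/null 2>&1; then
    echo "d8 not found; set D8=/path/to/out/x64.debug/d8" >&2
    return 2
  fi
  "$d8" --allow-natives-syntax "$1"
}

write_testcase "$TESTCASE_FILE"
run_testcase "$TESTCASE_FILE" || echo "d8 exited with status $? (expected for an unfixed build or a missing d8)" >&2
```

A fixed build (r34718 or later per the report) runs the file to completion and exits 0; a build in the regressed range aborts on the CHECK.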
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Mar 10 2016