Crash in v8::internal::MarkCompactMarkingVisitor::MarkObjectByPointer
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5307162661748736
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0xcc800004
Crash State:
  v8::internal::MarkCompactMarkingVisitor::MarkObjectByPointer
  v8::internal::FixedBodyVisitor<v8::internal::MarkCompactMarkingVisitor, v8::inte
  v8::internal::MarkCompactCollector::EmptyMarkingDeque
Regressed: V8: r34761:34762
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94CHZOTkcMgXd7E-R_bremHLPA8V2D02Rs4OGAeXvb518jDMI8oy124uyUYLI82k2PlffNBxy6dbPlzwD-dCjor6tvfYds13CdYN5UDkar_xjnxOmkfTkw4cJCt9c_6Tzwpll1TysAniSRF2kyjIim3Wleoz47mG7VgjC5IUCB4U_DQUIA
Filer: hablich
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Mar 15 2016
Mar 16 2016

Mar 16 2016
Looks like a missed write barrier in generated code.

[6930:0x28f4b10] Added black page 0x59fef700000
Hardware watchpoint 1: *0x59fef704868
Old value = -1095909649
New value = -1940787783
0x0000338347221e17 in ?? ()
(gdb) bt
#0 0x0000338347221e17 in ?? ()
#1 0xbeefdeadbeefdeef in ?? ()
#2 0xbeefdeadbeefdeef in ?? ()
#3 0x000018c300000000 in ?? ()
#4 0x00003f417a2b18f9 in ?? ()
....
...
0x338347221e09  2825  49bab9ed518c18070000  REX.W movq r10,0x7188c51edb9  ;; object: 0x7188c51edb9 <String[13]: , "field2" : >
0x338347221e13  2835  4c89511f              REX.W movq [rcx+0x1f],r10
0x338347221e17  2839  e903000000            jmp 2847 (0x338347221e1f)
...

Mar 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5085273813155840
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  v8::internal::StackFrameIterator::StackFrameIterator
  v8::internal::Isolate::PrintStack
  v8::internal::Isolate::StackTraceString
Regressed: V8: r34761:34762
Minimized Testcase (6.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97bxYi0NHeVy1c14uwTwmFTTOpx-CURELGT_Sh1Y3k-oyze97nBLp0UwLtPfWq7qqHOdPF7qmw1pXz_jnx4HNwtLkjVJruqN_Dpgu0ttrK6Ic0EOlKQZkizEL0EF4ur2zV8pf8rZMgA3Ji2ckFDNK3ovMxM5g
Filer: hablich
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Mar 16 2016
$1 = void
(gdb) job 0x59fef73d031
#, "field2" :
$2 = void
(gdb) x/10xg 0x59fef73d030
0x59fef73d030: 0x00002ca76d004261 0x0000000008c4bc7e
0x59fef73d040: 0x0000000d00000000 0x646c65696622202c
0x59fef73d050: 0xdeadbe203a202232 0x00002ca76d004261
0x59fef73d060: 0x00000000c75e94ca 0x0000000200000000
0x59fef73d070: 0xdeadbeedbead5d7d 0x00002ca76d004209
(gdb) job 0x00002ca76d004261
0x2ca76d004261: [Map]
 - type: ONE_BYTE_INTERNALIZED_STRING_TYPE
 - instance size: 0
 - elements kind: FAST_HOLEY_ELEMENTS
 - unused property fields: 0
 - enum length: invalid
 - stable_map
 - back pointer: 0x3f417a204201 <undefined>
 - instance descriptors (own) #0: 0x3f417a204131 <FixedArray[0]>
 - layout descriptor: 0
 - prototype: 0x3f417a204101 <null>
 - constructor: 0x3f417a204101 <null>
 - code cache: 0x3f417a204141 <FixedArray[0]>
 - dependent code: 0x3f417a204141 <FixedArray[0]>
 - construction counter: 0

Mar 16 2016
Addresses changed in #6

0x338347221e09  2825  49ba31d073ef9f050000  REX.W movq r10,0x59fef73d031  ;; object: 0x59fef73d031 <String[13]: , "field2" : >
0x338347221e13  2835  4c89511f              REX.W movq [rcx+0x1f],r10

Mar 16 2016
x/10xg 0x726a9104848
0x726a9104848: 0x00002ca76d005021 0xdeadbeed00000003
0x726a9104858: 0x0000001e00000000 0x00000726a9104821
0x726a9104868: 0x0000059fef73d031 0xdeadbeedbeadbeef
0x726a9104878: 0xdeadbeedbeadbeef 0xdeadbeedbeadbeef
0x726a9104888: 0xdeadbeedbeadbeef 0xdeadbeedbeadbeef
(gdb) job 0x00002ca76d005021
0x2ca76d005021: [Map]
 - type: CONS_ONE_BYTE_STRING_TYPE
 - instance size: 40
 - elements kind: FAST_HOLEY_ELEMENTS
 - unused property fields: 0
 - enum length: invalid
 - back pointer: 0x3f417a204201 <undefined>
 - instance descriptors (own) #0: 0x3f417a204131 <FixedArray[0]>
 - layout descriptor: 0
 - prototype: 0x3f417a204101 <null>
 - constructor: 0x3f417a204101 <null>
 - code cache: 0x3f417a204141 <FixedArray[0]>
 - dependent code: 0x3f417a204141 <FixedArray[0]>
 - construction counter: 0
$6 = void

Mar 16 2016
0x726a9104849 is a CONS_ONE_BYTE_STRING_TYPE and lives on a black page. The write of 0x0000059fef73d031 does not come with a write barrier in generated code.

Mar 16 2016
0x726a9104849 is on a black page, but Crankshaft write barrier elimination decides not to emit write barriers because the stored value is a cons string. The cons string is on an evacuation candidate, the slot does not get recorded, and we do not update the value after compaction.

Mar 16 2016
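The failure mode described in the comment above, as an added C simulation that is not V8's code: a host object on a black page stores a pointer to a cons string on an evacuation candidate; with the barrier the slot is recorded and fixed up during compaction, without it the slot keeps the stale address. The Page/Object structs, the slot buffer and every function name are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the two page flags involved: a "black" page is fully
 * marked (the marker will not rescan it); an evacuation candidate is compacted
 * away, so every pointer into it must be fixed up afterwards. */
typedef struct { bool black; bool evacuation_candidate; } Page;
typedef struct Object { Page *page; struct Object *field; bool live; } Object;

/* Slot buffer: slots known to point into evacuation candidates. */
#define MAX_SLOTS 8
static Object **recorded_slots[MAX_SLOTS];
static size_t recorded_count;

/* Store with the barrier the fix restores: a pointer from a black page into an
 * evacuation candidate is recorded so compaction can update the slot. */
void store_with_barrier(Object *host, Object *value) {
  host->field = value;
  if (host->page->black && value->page->evacuation_candidate &&
      recorded_count < MAX_SLOTS)
    recorded_slots[recorded_count++] = &host->field;
}

/* The elided store from the bug: the barrier was skipped because the value
 * was a cons-string constant, so the slot is never recorded. */
void store_without_barrier(Object *host, Object *value) { host->field = value; }

/* Compaction: move `old` into `fresh` on `dest`, poison the old copy (the
 * 0xdeadbeed fill in the dumps above), and fix up only the recorded slots. */
Object *compact(Object *old, Object *fresh, Page *dest) {
  *fresh = *old;
  fresh->page = dest;
  old->live = false;
  for (size_t i = 0; i < recorded_count; i++)
    if (*recorded_slots[i] == old) *recorded_slots[i] = fresh;
  recorded_count = 0;
  return fresh;
}

/* Scenario from the report: host on a black page, value on an evacuation
 * candidate. Returns true if host->field still points at a live object. */
bool host_slot_valid_after_compaction(bool use_barrier) {
  Page black = {true, false}, candidate = {false, true}, dest = {false, false};
  Object host = {&black, NULL, true}, str = {&candidate, NULL, true}, fresh;
  recorded_count = 0;
  if (use_barrier) store_with_barrier(&host, &str);
  else store_without_barrier(&host, &str);
  compact(&str, &fresh, &dest);
  return host.field->live; /* false: dangling pointer, the crash class seen here */
}
```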
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/ddb9707db95a98a63db223c6c3c4e860cb30e250

commit ddb9707db95a98a63db223c6c3c4e860cb30e250
Author: hpayer <hpayer@chromium.org>
Date: Wed Mar 16 14:39:35 2016

Emit write barrier for old space constants.

Tenured objects allocated on black pages require write barriers.

BUG= chromium:594958
LOG=n

Review URL: https://codereview.chromium.org/1811473002

Cr-Commit-Position: refs/heads/master@{#34818}

[modify] https://crrev.com/ddb9707db95a98a63db223c6c3c4e860cb30e250/src/crankshaft/hydrogen-instructions.h

Mar 16 2016
ClusterFuzz has detected this issue as fixed in range 34804:34805.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5085273813155840
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  v8::internal::StackFrameIterator::StackFrameIterator
  v8::internal::Isolate::PrintStack
  v8::internal::Isolate::StackTraceString
Regressed: V8: r34761:34762
Fixed: V8: r34804:34805
Minimized Testcase (6.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97bxYi0NHeVy1c14uwTwmFTTOpx-CURELGT_Sh1Y3k-oyze97nBLp0UwLtPfWq7qqHOdPF7qmw1pXz_jnx4HNwtLkjVJruqN_Dpgu0ttrK6Ic0EOlKQZkizEL0EF4ur2zV8pf8rZMgA3Ji2ckFDNK3ovMxM5g
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Mar 17 2016
ClusterFuzz has detected this issue as fixed in range 34804:34805.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5307162661748736
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0xcc800004
Crash State:
  v8::internal::MarkCompactMarkingVisitor::MarkObjectByPointer
  v8::internal::FixedBodyVisitor<v8::internal::MarkCompactMarkingVisitor, v8::inte
  v8::internal::MarkCompactCollector::EmptyMarkingDeque
Regressed: V8: r34761:34762
Fixed: V8: r34804:34805
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94CHZOTkcMgXd7E-R_bremHLPA8V2D02Rs4OGAeXvb518jDMI8oy124uyUYLI82k2PlffNBxy6dbPlzwD-dCjor6tvfYds13CdYN5UDkar_xjnxOmkfTkw4cJCt9c_6Tzwpll1TysAniSRF2kyjIim3Wleoz47mG7VgjC5IUCB4U_DQUIA
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Mar 17 2016

Mar 18 2016
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Mar 23 2016
According to CF, regressed and fixed on trunk. No merge required.

Jun 24 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot

Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot

Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot

Oct 2 2016
Comment 1 by habl...@google.com, Mar 15 2016
Status: Assigned (was: Available)