
Issue 595615 link


Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




*deopt_index != Safepoint::kNoDeoptimizationIndex in src/frames.cc

Project Member Reported by ClusterFuzz, Mar 17 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6544999918862336

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  *deopt_index != Safepoint::kNoDeoptimizationIndex in src/frames.cc
  
Regressed: V8: r34829:34830

Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97XYcH-bs20wsAR_F4J-wMgC-90j7Br7Dt5w2BtU2o_CSj1gTPo-qiARTheTeSAWrAdgjPcjvdR6N7izYT7TlwU6Wr6bJZzZQ49asCeKbcPfERnNa1Ymy4BTJ4xeu7Vk4DsbbVKQgiHlw7_yIyfwT33Rv_BuQ
"use strict";
function __f_4(__v_5) {
  return __v_5.x();
}
__f_4({ x: 1 });


Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by habl...@google.com, Mar 17 2016

Owner: ishell@chromium.org
Status: Assigned (was: Available)

Comment 2 by ClusterFuzz, Mar 17 2016

ClusterFuzz has detected this issue as fixed in range 34834:34835.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6544999918862336

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  *deopt_index != Safepoint::kNoDeoptimizationIndex in src/frames.cc
  
Regressed: V8: r34829:34830
Fixed: V8: r34834:34835

Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97XYcH-bs20wsAR_F4J-wMgC-90j7Br7Dt5w2BtU2o_CSj1gTPo-qiARTheTeSAWrAdgjPcjvdR6N7izYT7TlwU6Wr6bJZzZQ49asCeKbcPfERnNa1Ymy4BTJ4xeu7Vk4DsbbVKQgiHlw7_yIyfwT33Rv_BuQ
"use strict";
function __f_4(__v_5) {
  return __v_5.x();
}
__f_4({ x: 1 });


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 3 by bugdroid1@chromium.org, Mar 21 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e6dca379b633682e64542c86ed68941ccca221f0

commit e6dca379b633682e64542c86ed68941ccca221f0
Author: ishell <ishell@chromium.org>
Date: Mon Mar 21 19:22:35 2016

[crankshaft] Check if the function is callable before generating a tail call via Call builtin.

This is necessary to ensure that "Called non callable" exception will get a proper message and stack trace even for calls at tail position.

BUG= chromium:595615 , v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1818003002

Cr-Commit-Position: refs/heads/master@{#34962}

[modify] https://crrev.com/e6dca379b633682e64542c86ed68941ccca221f0/src/crankshaft/hydrogen.cc
[modify] https://crrev.com/e6dca379b633682e64542c86ed68941ccca221f0/src/crankshaft/hydrogen.h
[add] https://crrev.com/e6dca379b633682e64542c86ed68941ccca221f0/test/mjsunit/regress/regress-crbug-595615.js
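
The fix described in the commit above is that a call to a non-callable value must raise a proper TypeError (with message and stack) even when the call sits in tail position. The following is a constructed regression-style check illustrating that behaviour; it is not the mjsunit test the commit added, and the helper names are made up here.

```javascript
"use strict";

// Shape of the minimized ClusterFuzz testcase: a strict-mode function whose
// only statement is a call to a non-callable property, i.e. a call in tail
// position. (Hypothetical helper names; not from the V8 regression test.)
function callInTailPosition(obj) {
  return obj.x();
}

// Same call, but not in tail position: the result is used afterwards.
function callNotInTailPosition(obj) {
  const r = obj.x();
  return r + 1;
}

// Run one callee against a non-callable property and describe the outcome.
// An engine behaving correctly must produce a TypeError carrying a message
// and a stack for both call shapes; the bug on this page was the tail-call
// path skipping the "is callable" check before emitting the Call builtin.
function describeFailure(fn) {
  try {
    fn({ x: 1 }); // x is a number, not a function (constructed input)
    return { threw: false };
  } catch (e) {
    return {
      threw: true,
      isTypeError: e instanceof TypeError,
      hasMessage: typeof e.message === "string" && e.message.length > 0,
      hasStack: typeof e.stack === "string" && e.stack.length > 0,
    };
  }
}

// Regression-style check: both call shapes fail identically, with the
// diagnostics (message and stack) intact. Returns true when they do.
function regressionCheck() {
  const tail = describeFailure(callInTailPosition);
  const nonTail = describeFailure(callNotInTailPosition);
  return (
    tail.threw && nonTail.threw &&
    tail.isTypeError && nonTail.isTypeError &&
    tail.hasMessage && nonTail.hasMessage &&
    tail.hasStack && nonTail.hasStack
  );
}
```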

Comment 4 by ishell@chromium.org, Mar 22 2016

Status: Fixed (was: Assigned)

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz-filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
