(opcode)==(Translation::STACK_SLOT) in src/frames.cc

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4525710131068928

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  (opcode)==(Translation::STACK_SLOT) in src/frames.cc

Regressed: V8: r34919:34920

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94BrIMfGGFRX8sNiFFMBN8GRf857DqzaAMKDYwGI4xQkrXZXV7-43aNe7vsRxbzEUeJ5eKHeDjmW36KSXOqOGh1HvZ0P59-KdzaVL2mNCy_k6LyZwIKw0rLQaLXvVU3n2N1_WOuZKjHFAZA0YPLxVoN3fLTnA

    "use strict";
    var __v_0 = {};
    var __v_10 = /a/;
    function __f_1() { }
    function __f_0() { return __v_0.pop(); }
    %OptimizeFunctionOnNextCall(__f_1);
    __f_1();
    %OptimizeFunctionOnNextCall(__f_0);
    __f_0();
    [ ]();

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 21 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5967840292634624

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x610000003630
Crash State:
  v8::internal::FrameSummary::abstract_code
  v8::internal::ComputeLocation
  v8::internal::RenderCallSite

Recommended Security Severity: Medium

Regressed: V8: r34919:34920

Minimized Testcase (0.39 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96GZNZtLLWnb96VNyIcQ1lEAz4QAUl4rpxqV6hL2BGF684SYdia7u4QO0QLB9R6wGaVLyu-CDQtHqs1x_1IglQSwvZOozFD_8A4ZRen_Rztyt0DrYVsd2HsXV76q0iziGRUeaXIQZ7fc6QoTeF9Th6iJJLwzA

    "use strict";
    var __v_0 = -2147483648;
    function __f_0() { }
    %OptimizeFunctionOnNextCall(__f_0);
    __f_0()
    function __f_2() { }
    %OptimizeFunctionOnNextCall(__f_2);
    __f_2(), Symbol.prototype.valueOf;
    function __f_1() { }
    %OptimizeFunctionOnNextCall(__f_1);
    __f_1()
    function __f_3() { return __v_0.bar(); }
    %OptimizeFunctionOnNextCall(__f_3);
    __f_3();
    try { if (this.Worker) { } } catch(e) {; }
    ( { })();

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 21 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4675227136557056

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  *deopt_index != Safepoint::kNoDeoptimizationIndex in src/frames.cc

Regressed: V8: r34919:34920

Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv964JgIfwK7qCBuvxkMTceOC-Hwc_SlkV0SLKgmTpzwbiIPBXcvMX-_EqiCDAb0jw27dv_opb6aQpAU8rHWXuhEvYGWiL6cCr_Ddaj_A80BwyQlK5AIaCMAWgzdKl72ShcHqSgZUF3iIZnqPFv366yhkR36xyw

    "use strict";
    var __v_2 = {};
    function __f_0() { return __v_2.f(); }
    __f_0();

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 22 2016

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/66e22b79e812437aa3be168da4612e64a2de6728

commit 66e22b79e812437aa3be168da4612e64a2de6728
Author: ishell <ishell@chromium.org>
Date: Tue Mar 22 08:13:07 2016

[crankshaft] Always generate lazy bailout points for tail calls ...

... because Debugger could still require them to inspect optimized frames.

BUG=chromium:596473, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1816113002

Cr-Commit-Position: refs/heads/master@{#34979}

[modify] https://crrev.com/66e22b79e812437aa3be168da4612e64a2de6728/src/crankshaft/arm/lithium-arm.cc
[modify] https://crrev.com/66e22b79e812437aa3be168da4612e64a2de6728/src/crankshaft/arm64/lithium-arm64.cc
[modify] https://crrev.com/66e22b79e812437aa3be168da4612e64a2de6728/src/crankshaft/ia32/lithium-ia32.cc
[modify] https://crrev.com/66e22b79e812437aa3be168da4612e64a2de6728/src/crankshaft/mips/lithium-mips.cc
[modify] https://crrev.com/66e22b79e812437aa3be168da4612e64a2de6728/src/crankshaft/mips64/lithium-mips64.cc
[modify] https://crrev.com/66e22b79e812437aa3be168da4612e64a2de6728/src/crankshaft/x64/lithium-x64.cc
Mar 22 2016

Issue 596717 has been merged into this issue.
Mar 22 2016

ClusterFuzz has detected this issue as fixed in range 34961:34962.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5967840292634624

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x610000003630
Crash State:
  v8::internal::FrameSummary::abstract_code
  v8::internal::ComputeLocation
  v8::internal::RenderCallSite

Recommended Security Severity: Medium

Regressed: V8: r34919:34920
Fixed: V8: r34961:34962

Minimized Testcase (0.39 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96GZNZtLLWnb96VNyIcQ1lEAz4QAUl4rpxqV6hL2BGF684SYdia7u4QO0QLB9R6wGaVLyu-CDQtHqs1x_1IglQSwvZOozFD_8A4ZRen_Rztyt0DrYVsd2HsXV76q0iziGRUeaXIQZ7fc6QoTeF9Th6iJJLwzA

    "use strict";
    var __v_0 = -2147483648;
    function __f_0() { }
    %OptimizeFunctionOnNextCall(__f_0);
    __f_0()
    function __f_2() { }
    %OptimizeFunctionOnNextCall(__f_2);
    __f_2(), Symbol.prototype.valueOf;
    function __f_1() { }
    %OptimizeFunctionOnNextCall(__f_1);
    __f_1()
    function __f_3() { return __v_0.bar(); }
    %OptimizeFunctionOnNextCall(__f_3);
    __f_3();
    try { if (this.Worker) { } } catch(e) {; }
    ( { })();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 22 2016

ClusterFuzz has detected this issue as fixed in range 34961:34962.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4675227136557056

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  *deopt_index != Safepoint::kNoDeoptimizationIndex in src/frames.cc

Regressed: V8: r34919:34920
Fixed: V8: r34961:34962

Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv964JgIfwK7qCBuvxkMTceOC-Hwc_SlkV0SLKgmTpzwbiIPBXcvMX-_EqiCDAb0jw27dv_opb6aQpAU8rHWXuhEvYGWiL6cCr_Ddaj_A80BwyQlK5AIaCMAWgzdKl72ShcHqSgZUF3iIZnqPFv366yhkR36xyw

    "use strict";
    var __v_2 = {};
    function __f_0() { return __v_2.f(); }
    __f_0();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 22 2016

ClusterFuzz has detected this issue as fixed in range 34961:34962.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4525710131068928

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  (opcode)==(Translation::STACK_SLOT) in src/frames.cc

Regressed: V8: r34919:34920
Fixed: V8: r34961:34962

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94BrIMfGGFRX8sNiFFMBN8GRf857DqzaAMKDYwGI4xQkrXZXV7-43aNe7vsRxbzEUeJ5eKHeDjmW36KSXOqOGh1HvZ0P59-KdzaVL2mNCy_k6LyZwIKw0rLQaLXvVU3n2N1_WOuZKjHFAZA0YPLxVoN3fLTnA

    "use strict";
    var __v_0 = {};
    var __v_10 = /a/;
    function __f_1() { }
    function __f_0() { return __v_0.pop(); }
    %OptimizeFunctionOnNextCall(__f_1);
    __f_1();
    %OptimizeFunctionOnNextCall(__f_0);
    __f_0();
    [ ]();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 22 2016

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/a6bf5bbdeacb428e5dd4dc10d9446feea7dd4ac2

commit a6bf5bbdeacb428e5dd4dc10d9446feea7dd4ac2
Author: mbrandy <mbrandy@us.ibm.com>
Date: Tue Mar 22 16:37:01 2016

PPC: [crankshaft] Fixing ES6 tail call elimination.

Port acbb968dedd2b02b5447215a579cf4cdc99bc69a
Port 66e22b79e812437aa3be168da4612e64a2de6728

Original commit messages:

In the case where F inlined a normal call to G, which tail calls H, we should not write a translation for G for the tail call site. Otherwise we will see G in a stack trace inside H.
This CL also enables all existing tests related to ES6 tail call elimination and adds more combinations.

Always generate lazy bailout points for tail calls because Debugger could still require them to inspect optimized frames.

R=ishell@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=chromium:596473, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1825513002

Cr-Commit-Position: refs/heads/master@{#34996}

[modify] https://crrev.com/a6bf5bbdeacb428e5dd4dc10d9446feea7dd4ac2/src/crankshaft/ppc/lithium-ppc.cc
[modify] https://crrev.com/a6bf5bbdeacb428e5dd4dc10d9446feea7dd4ac2/src/crankshaft/ppc/lithium-ppc.h
Mar 22 2016

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/716ab0d3b40d52d45274e4c26702d1bbf448c20b

commit 716ab0d3b40d52d45274e4c26702d1bbf448c20b
Author: jyan <jyan@ca.ibm.com>
Date: Tue Mar 22 18:15:58 2016

S390: [crankshaft] Fixing ES6 tail call elimination.

Port acbb968dedd2b02b5447215a579cf4cdc99bc69a
Port 66e22b79e812437aa3be168da4612e64a2de6728

Original commit messages:

In the case where F inlined a normal call to G, which tail calls H, we should not write a translation for G for the tail call site. Otherwise we will see G in a stack trace inside H.
This CL also enables all existing tests related to ES6 tail call elimination and adds more combinations.

Always generate lazy bailout points for tail calls because Debugger could still require them to inspect optimized frames.

R=ishell@chromium.org, joransiu@ca.ibm.com, mbrandy@us.ibm.com, michael_dawson@ca.ibm.com
BUG=chromium:596473, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1820373002

Cr-Commit-Position: refs/heads/master@{#35003}

[modify] https://crrev.com/716ab0d3b40d52d45274e4c26702d1bbf448c20b/src/crankshaft/s390/lithium-s390.cc
[modify] https://crrev.com/716ab0d3b40d52d45274e4c26702d1bbf448c20b/src/crankshaft/s390/lithium-s390.h
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz-filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by hablich@chromium.org, Mar 21 2016

Status: Assigned (was: Available)