!is_strict(language_mode()) in src/interpreter/bytecode-generator.cc |
|||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6717289872752640 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_ignition_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !is_strict(language_mode()) in src/interpreter/bytecode-generator.cc Regressed: V8: r35065:35066 Minimized Testcase (9.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95VaXDbMZ-B7sCXhx5K0IXfvVbGDAP77KHf7X8wE-nv8Rf-ILZ-jw5kgCZy1Y6AGBxvz8VGPQ6ju715yxq6gz0PPYW1A--neeTtKuGJMPllf246axM7f0xfGFwnnrw5eSv7lN3iua8mgCfvaHSDSsC-9AFAZA Filer: hablich See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 31 2016
minimized test case:
(function encodeURI() {
function Func() {
'use strict';
encodeURI += 'function';
}
});
run as: out/x64.debug/d8 test.js --ignition.
This fails because encodeURI is a legacy constant in strict mode. In ignition, there is a DCHECK that asserts we don't see legacy constants in strict mode.
,
Apr 1 2016
Just to clarify, encodeURI is a legacy constant and we use it in Func which is in strict mode and hence DCHECK fails. I think DCHECK should not be there in ignition. If I understand correctly, function name bindings are treated as Legacy constants.
,
Apr 1 2016
,
Apr 1 2016
More extensive test case ...
(function f() {
function assignSloppy() {
f = 0;
}
assertDoesNotThrow(assignSloppy);
function assignStrict() {
'use strict';
f = 0;
}
assertThrows(assignStrict);
})();
,
Apr 1 2016
Hey Adam! Do you have some insight into the future of the function literal name binding? Are the semantics likely to change in the near future and is there a time-frame for how long the CONST_LEGACY semantics will be around?
,
Apr 4 2016
Sadly function name bindings in strict mode will continue to have the CONST_LEGACY behavior forever. As part of my cleanups for CONST_LEGACY I was aiming to at least rename it to make it clearer that it has a single use. Thus this DCHECK is incorrect and ought to be removed. The good news is that function name bindings are restricted enough that we can still get rid of much of the weirdness of CONST_LEGACY (e.g., it can never be accessed in an uninitialized state, and CONST_LEGACY vars can never be properties on the global). The only weirdness left is that it's an immutable binding which doesn't throw when assigned to.
,
Apr 4 2016
Re #7: Thanks for the update/clarification. Yes, the DCHECK is incorrect and the fix that Mythri has in flight implements proper semantics in Ignition and also adds test coverage in form of a regression test: https://codereview.chromium.org/1845223006/ The additional restrictions you mentioned are indeed nice. It might make sense to audit the backends for cases that can no longer appear at some point (outside the scope of this issue), for example the hole check for loads that you alluded to: https://code.google.com/p/chromium/codesearch#search/&q=%22Uninitialized%20legacy%20const%20bindings%20are%20unholed%22&sq=package:chromium&type=cs
,
Apr 12 2016
ClusterFuzz has detected this issue as fixed in range 35382:35383. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6717289872752640 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_ignition_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !is_strict(language_mode()) in src/interpreter/bytecode-generator.cc Regressed: V8: r35065:35066 Fixed: V8: r35382:35383 Minimized Testcase (9.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95VaXDbMZ-B7sCXhx5K0IXfvVbGDAP77KHf7X8wE-nv8Rf-ILZ-jw5kgCZy1Y6AGBxvz8VGPQ6ju715yxq6gz0PPYW1A--neeTtKuGJMPllf246axM7f0xfGFwnnrw5eSv7lN3iua8mgCfvaHSDSsC-9AFAZA See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 12 2016
,
Apr 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/8982cb5c70c8371256c6e9183d3ef3b33e46f056 commit 8982cb5c70c8371256c6e9183d3ef3b33e46f056 Author: mythria <mythria@chromium.org> Date: Mon Apr 11 12:03:02 2016 [Interpreter] Handles legacy constants in strict mode. Function bindings are the only variables in LEGACY_CONST mode. (https://codereview.chromium.org/1819123002/). Since these variables can also be accessed in strict mode functions we should support handling such variables. Assigning to a legacy constant throws a TypeError in strict mode. Also fixes hydrogen.cc to throw a TypeError for legacy constants. BUG= v8:4280 , chromium:599068 LOG=N TBR=rmcilroy@chromium.org Review URL: https://codereview.chromium.org/1845223006 Cr-Commit-Position: refs/heads/master@{#35383} [modify] https://crrev.com/8982cb5c70c8371256c6e9183d3ef3b33e46f056/src/crankshaft/hydrogen.cc [modify] https://crrev.com/8982cb5c70c8371256c6e9183d3ef3b33e46f056/src/interpreter/bytecode-generator.cc [add] https://crrev.com/8982cb5c70c8371256c6e9183d3ef3b33e46f056/test/mjsunit/regress/regress-599068-func-bindings.js
,
Apr 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/8982cb5c70c8371256c6e9183d3ef3b33e46f056 commit 8982cb5c70c8371256c6e9183d3ef3b33e46f056 Author: mythria <mythria@chromium.org> Date: Mon Apr 11 12:03:02 2016 [Interpreter] Handles legacy constants in strict mode. Function bindings are the only variables in LEGACY_CONST mode. (https://codereview.chromium.org/1819123002/). Since these variables can also be accessed in strict mode functions we should support handling such variables. Assigning to a legacy constant throws a TypeError in strict mode. Also fixes hydrogen.cc to throw a TypeError for legacy constants. BUG= v8:4280 , chromium:599068 LOG=N TBR=rmcilroy@chromium.org Review URL: https://codereview.chromium.org/1845223006 Cr-Commit-Position: refs/heads/master@{#35383} [modify] https://crrev.com/8982cb5c70c8371256c6e9183d3ef3b33e46f056/src/crankshaft/hydrogen.cc [modify] https://crrev.com/8982cb5c70c8371256c6e9183d3ef3b33e46f056/src/interpreter/bytecode-generator.cc [add] https://crrev.com/8982cb5c70c8371256c6e9183d3ef3b33e46f056/test/mjsunit/regress/regress-599068-func-bindings.js
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by mythria@chromium.org
, Mar 31 2016Status: Assigned (was: Available)