code->kind() == Code::OPTIMIZED_FUNCTION in src/frames.cc |
|||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4622612042350592 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_v8_arm64_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: code->kind() == Code::OPTIMIZED_FUNCTION in src/frames.cc Regressed: V8: r35151:35152 Minimized Testcase (10.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97b9aaz6PAV5kOyE3g-YpDbgtCzFRvTzSEMp8Tqay1au_CSoGilzV04ehoFTvrOKl1BYCtwcfWi8Gfg4A3qmytJeviUv7HqfkiWz6wDm826CeP_YMvIipVphn5cUZak4h0VBmyvxetYMOyLTtZZvSeEJ5cxDQ Filer: manoranjanr See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 1 2016
danno@: Could you please help in investigating this further for related work in https://codereview.chromium.org/1696043002
,
Apr 1 2016
bmeurer@: Could be related to builtins being compiled by TurboFan now.
,
Apr 4 2016
Reproduces on TOT, caused by https://codereview.chromium.org/1843613002 out/x64.debug/d8 test.js ===== test.js ===== var custom_toString = function() { var boom = custom_toString.caller; return boom; } var object = {}; object.toString = custom_toString; Object.hasOwnProperty(object);
,
Apr 5 2016
Yep, oversight from previous fix.
,
Apr 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e5724d958bdca95ec92c19060da88c895fca97e8 commit e5724d958bdca95ec92c19060da88c895fca97e8 Author: bmeurer <bmeurer@chromium.org> Date: Tue Apr 05 06:40:59 2016 [frames] Also properly deal with TF builtins in OptimizedFrame::GetFunctions(). This was missing from the previous fix. R=ishell@chromium.org BUG= chromium:599714 LOG=n Review URL: https://codereview.chromium.org/1861583002 Cr-Commit-Position: refs/heads/master@{#35249} [modify] https://crrev.com/e5724d958bdca95ec92c19060da88c895fca97e8/src/frames.cc [add] https://crrev.com/e5724d958bdca95ec92c19060da88c895fca97e8/test/mjsunit/regress/regress-crbug-599714.js
,
Apr 5 2016
,
Apr 5 2016
ClusterFuzz has detected this issue as fixed in range 35248:35249. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4622612042350592 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_v8_arm64_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: code->kind() == Code::OPTIMIZED_FUNCTION in src/frames.cc Regressed: V8: r35151:35152 Fixed: V8: r35248:35249 Minimized Testcase (10.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97b9aaz6PAV5kOyE3g-YpDbgtCzFRvTzSEMp8Tqay1au_CSoGilzV04ehoFTvrOKl1BYCtwcfWi8Gfg4A3qmytJeviUv7HqfkiWz6wDm826CeP_YMvIipVphn5cUZak4h0VBmyvxetYMOyLTtZZvSeEJ5cxDQ See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by manoranj...@chromium.org
, Mar 31 2016