Issue 603463


Issue metadata

Status: Verified
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


marker->IsSmi() in src/frames.cc

Reported by ClusterFuzz, Apr 14 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5097556501069824

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  marker->IsSmi() in src/frames.cc
  
Regressed: V8: r34570:34571

Minimized Testcase (7.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94s3cPQ9bcOXH-xtQXO0nxhMP8B_9WPSRBctr9pzO2YJEvfP-1EXtRmNCh3PKA6DIHAFA4fq7d8NxJcSR_agRCCA4RpK_JUBUIlZXuLshTMp4pOix0iaCaNnEfV4SyA7l8Fx4U2rruyjhcm_mOgFpUG4yyGOA

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ishell@chromium.org, Apr 18 2016

Owner: ishell@chromium.org
Status: Started (was: Available)

Comment 2 by ishell@chromium.org, Apr 18 2016

Owner: danno@chromium.org
Status: Assigned (was: Started)
Reproduces on TOT.

There are two issues here:
1) Abort: Operand is not a smi. Investigating...
2) Assertion failure during JS call stack printing. This issue was introduced by https://codereview.chromium.org/1696043002.

out/x64.debug/d8 --debug-code test.js

===== test.js =====
// Single keyed-load site; its inline cache sees every receiver below.
function load(a, i) {
  return a[i];
}

// Keyed load on a Proxy with an undefined key (i is deliberately not passed).
function f2() {
  return load(new Proxy({}, {}));
}

f2();                   // proxy receiver
f2();                   // proxy receiver again
load([11, 22, 33], 0);  // array receiver with a Smi index: the site becomes polymorphic
f2();                   // proxy receiver once more, now through the polymorphic site
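As an added example (not from this thread or from the V8 project), the script below drives one keyed-load site through the same receiver sequence as the repro above, then through a few more receiver kinds, and returns every result together with what the Proxy was asked for, so the whole sequence can be checked rather than only observed to not crash. The recording Proxy, `keyedLoad` and `exerciseKeyedLoad` are constructed here; the repro's own proxy uses an empty handler.

```javascript
// Added example, not code from the bug thread. One keyed-load site, exercised
// with a Proxy, an array, a string and a plain object, with every result kept.

function keyedLoad(receiver, key) {
  // Single keyed load site whose inline cache sees every receiver below.
  return receiver[key];
}

// A Proxy whose get trap records each property key the engine requests.
// Constructed for this example; the repro's proxy has an empty handler.
function makeRecordingProxy(log) {
  return new Proxy({ answer: 42 }, {
    get(target, prop, recv) {
      log.push(typeof prop === 'symbol' ? prop.toString() : String(prop));
      return Reflect.get(target, prop, recv);
    }
  });
}

function exerciseKeyedLoad() {
  const log = [];
  const proxy = makeRecordingProxy(log);
  const results = [];

  // Step 1: the site sees only the proxy, with an undefined key as in f2().
  // ToPropertyKey(undefined) is the string "undefined", which the trap logs.
  results.push(keyedLoad(proxy));
  results.push(keyedLoad(proxy));
  // Step 2: an array receiver with a Smi index; the site is now polymorphic.
  results.push(keyedLoad([11, 22, 33], 0));
  // Step 3: back to the proxy, with a named key and then a Smi key.
  results.push(keyedLoad(proxy, 'answer'));
  results.push(keyedLoad(proxy, 7));
  // Step 4: other receiver kinds the polymorphic site must still handle.
  results.push(keyedLoad('abc', 1));
  results.push(keyedLoad({ k: 'v' }, 'k'));

  return { results, log };
}

// Stand-alone run: print the keys the proxy saw.
console.log('proxy saw keys: ' + exerciseKeyedLoad().log.join(', '));
```

Run it with `d8 example.js` (or `node example.js`); the expected results are `[undefined, undefined, 11, 42, undefined, 'b', 'v']` and the proxy log `undefined, undefined, answer, 7`. Any deviation, or an abort like the one in the report, points at the handler chosen for the proxy receiver once the site has become polymorphic.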

Comment 3 by ishell@chromium.org, Apr 18 2016

Labels: M-49 M-51 M-50 M-52

Comment 4 by bugdroid1@chromium.org, Apr 19 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/28113880e317acdb374372b6dac101a46458fa46

commit 28113880e317acdb374372b6dac101a46458fa46
Author: ishell <ishell@chromium.org>
Date: Tue Apr 19 08:56:53 2016

Fix polymorphic keyed load handler selection for proxies.

BUG= chromium:603463 
LOG=N

Review URL: https://codereview.chromium.org/1894203002

Cr-Commit-Position: refs/heads/master@{#35607}

[modify] https://crrev.com/28113880e317acdb374372b6dac101a46458fa46/src/ic/ic.cc
[add] https://crrev.com/28113880e317acdb374372b6dac101a46458fa46/test/mjsunit/regress/regress-crbug-603463.js

Comment 5 by ishell@chromium.org, Apr 19 2016

The fix mentioned in c#4 addresses "1) Abort: Operand is not a smi."

Comment 6 by sheriffbot@chromium.org, Jun 1 2016

Labels: -M-51 -M-50 -M-52 -M-49 M-53 MovedFrom-52
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by ClusterFuzz, Jun 13 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot