New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 606376 link

Starred by 0 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: ----
Type: Bug



Sign in to add a comment

Crash in v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer

Project Member Reported by ClusterFuzz, Apr 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4771500787236864

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7fffbd600030
Crash State:
  v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer
  v8::internal::InnerPointerToCodeCache::GetCacheEntry
  v8::internal::StackFrame::ComputeType
  
Recommended Security Severity: Medium

Regressed: V8: r35430:35431

Minimized Testcase (1.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94guFlilH3J3jqG9Y6a53i5q15R57xd6AgqD6KnlBQsPC8_HBkHQwyAPvugZFvLoVLW1VVE4_C7-P1YbiWfPKbtFxJpqoTjmgN2AvnTFv4x91p0slG30a-Rs0B2EoVk5gz-Q_ulxJaBLehvpmBSRA1q4krzHg

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Can only reproduce with --ignition, might be specific to Ignition.
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)
Bisects to the new compilation tier we have added ...

https://chromium.googlesource.com/v8/v8/+/3fc0224cfc65a238ed83b6a4823f2eae0060aabf

Reproduces as follows ...

$ git checkout 3fc0224cfc65a238ed83b6a4823f2eae0060aabf
$ make -j1000 x64.debug
$ ./out/x64.debug/d8 --enable-slow-asserts --ignition ~/Downloads/fuzz-01978.js
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Severity-Medium Restrict-View-EditIssue Type-Bug
Not a shipping configuration, dropping security labels.
Project Member

Comment 4 by ClusterFuzz, Apr 26 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5625881988431872

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !done() || handler_ == __null in src/frames.cc
  
Regressed: V8: r35430:35431

Minimized Testcase (1.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94a-Od2Yyw3i0Ju5AdNjmkEAzU-_B4r03TGPIuNu9N6XE9KlIzHdEu0VwGlviZAh1LlJD9-_n2K9fbijOwoYWU5Pw2RDrfKjBcSgKxkZAF6a0Kudc3nLB0WnocV_SveiKqOlM0S-5Q36CBDysl-Naaq2ngvHw

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 5 by bugdroid1@chromium.org, Apr 26 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f38932c794b46cd91e2e37c15bbd7bc8db873172

commit f38932c794b46cd91e2e37c15bbd7bc8db873172
Author: mstarzinger <mstarzinger@chromium.org>
Date: Tue Apr 26 08:52:52 2016

[compiler] Prevent unnecessary regeneration of baseline code.

This avoids regenerating baseline code for a closure when such code
already exists for the shared function info. This is also important
because the baseline code might contain deoptimization support.

R=rmcilroy@chromium.org
BUG= chromium:606376 
LOG=n

Review URL: https://codereview.chromium.org/1916833002

Cr-Commit-Position: refs/heads/master@{#35785}

[modify] https://crrev.com/f38932c794b46cd91e2e37c15bbd7bc8db873172/src/compiler.cc

Status: Fixed (was: Assigned)
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment