Crash in v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4771500787236864
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x7fffbd600030
Crash State:
  v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer
  v8::internal::InnerPointerToCodeCache::GetCacheEntry
  v8::internal::StackFrame::ComputeType
Recommended Security Severity: Medium
Regressed: V8: r35430:35431
Minimized Testcase (1.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94guFlilH3J3jqG9Y6a53i5q15R57xd6AgqD6KnlBQsPC8_HBkHQwyAPvugZFvLoVLW1VVE4_C7-P1YbiWfPKbtFxJpqoTjmgN2AvnTFv4x91p0slG30a-Rs0B2EoVk5gz-Q_ulxJaBLehvpmBSRA1q4krzHg
Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by mstarzinger@chromium.org, Apr 25 2016

Bisects to the new compilation tier we have added ...
https://chromium.googlesource.com/v8/v8/+/3fc0224cfc65a238ed83b6a4823f2eae0060aabf

Reproduces as follows ...
$ git checkout 3fc0224cfc65a238ed83b6a4823f2eae0060aabf
$ make -j1000 x64.debug
$ ./out/x64.debug/d8 --enable-slow-asserts --ignition ~/Downloads/fuzz-01978.js
Apr 25 2016

Not a shipping configuration, dropping security labels.
Apr 26 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5625881988431872
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !done() || handler_ == __null in src/frames.cc
Regressed: V8: r35430:35431
Minimized Testcase (1.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94a-Od2Yyw3i0Ju5AdNjmkEAzU-_B4r03TGPIuNu9N6XE9KlIzHdEu0VwGlviZAh1LlJD9-_n2K9fbijOwoYWU5Pw2RDrfKjBcSgKxkZAF6a0Kudc3nLB0WnocV_SveiKqOlM0S-5Q36CBDysl-Naaq2ngvHw
Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 26 2016

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/f38932c794b46cd91e2e37c15bbd7bc8db873172

commit f38932c794b46cd91e2e37c15bbd7bc8db873172
Author: mstarzinger <mstarzinger@chromium.org>
Date: Tue Apr 26 08:52:52 2016

[compiler] Prevent unnecessary regeneration of baseline code.

This avoids regenerating baseline code for a closure when such code already exists for the shared function info. This is also important because the baseline code might contain deoptimization support.

R=rmcilroy@chromium.org
BUG=chromium:606376
LOG=n

Review URL: https://codereview.chromium.org/1916833002
Cr-Commit-Position: refs/heads/master@{#35785}

[modify] https://crrev.com/f38932c794b46cd91e2e37c15bbd7bc8db873172/src/compiler.cc
Apr 26 2016

Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot