
Issue 607494

Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




!shared->HasBytecodeArray() in src/compiler.cc

Project Member Reported by ClusterFuzz, Apr 28 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5068740508516352

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !shared->HasBytecodeArray() in src/compiler.cc
  
Regressed: V8: r35839:35840

Minimized Testcase (1.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv952Io824byxvA9bu69INdUjhHoecK0iekyDBRttDdHp1PoOX5xN9btjByU0TyIA9bhqdOf2Ovn6nDr3Npt7bQaYGHJISS7AZaBgYtCdTEoFOKjne5kVWtbXh6lSJIC6hUEUVBSnEUPyqOWXV1ZV7p9eAW0f_A

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: yangguo@chromium.org
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)
Most likely a bug in the new pipeline.

Looks a lot like a manifestation of https://bugs.chromium.org/p/v8/issues/detail?id=4961

Status: Started (was: Assigned)
This will be fixed by a CL I have in flight: https://codereview.chromium.org/1917193007/
Comment 4 by bugdroid1@chromium.org (Project Member), May 2 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d9462d04a0fcc3a8adaa8cf92c1da30a8f03061e

commit d9462d04a0fcc3a8adaa8cf92c1da30a8f03061e
Author: mstarzinger <mstarzinger@chromium.org>
Date: Mon May 02 08:35:26 2016

[compiler] Guard implicit tier-up when ensuring deopt support.

This makes sure that Compiler::EnsureDeoptimizationSupport follows the
same limitations as other compilation functions that trigger a tier-up.
Specifically it prevents against tier-up while inlining when activations
are present on the stack.

R=yangguo@chromium.org
BUG=chromium:607494
LOG=n

Review-Url: https://codereview.chromium.org/1917193007
Cr-Commit-Position: refs/heads/master@{#35923}

[modify] https://crrev.com/d9462d04a0fcc3a8adaa8cf92c1da30a8f03061e/src/compiler.cc

Comment 5 by ClusterFuzz (Project Member), May 2 2016

ClusterFuzz has detected this issue as fixed in range 35922:35923.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5068740508516352

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !shared->HasBytecodeArray() in src/compiler.cc
  
Regressed: V8: r35839:35840
Fixed: V8: r35922:35923

Minimized Testcase (1.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv952Io824byxvA9bu69INdUjhHoecK0iekyDBRttDdHp1PoOX5xN9btjByU0TyIA9bhqdOf2Ovn6nDr3Npt7bQaYGHJISS7AZaBgYtCdTEoFOKjne5kVWtbXh6lSJIC6hUEUVBSnEUPyqOWXV1ZV7p9eAW0f_A

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Started)
This is fixed. Re comment #2, yes, it's most likely the same underlying cause. Will verify issue v8:4961 independently. Thanks for letting me know.
Comment 7 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
