AllowHeapAllocation::IsAllowed() in src/heap/heap-inl.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5365604084613120
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: AllowHeapAllocation::IsAllowed() in src/heap/heap-inl.h
Regressed: V8: r35891:35892
Minimized Testcase (6.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96EXQ0tMTZSB6VT-REM9JgIWvZHc0uFHldCV4OUjG2b66aR8BsXGEwUDQbQD4PPrXyn1RCQJN1v6185P0FviZj_Fnut1f3cO8g_Ci3uvqd1wnPstAGkJvi29IyHibjA2VmE4gs91nkI6gNgeLwOsaqlrS_5aA
Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 29 2016
Issue 607873 has been merged into this issue.
Apr 29 2016
My mistake, fix is on the way.
Apr 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/5749d710bc73ef40f9b9e8b94ec290e0412d3f57

commit 5749d710bc73ef40f9b9e8b94ec290e0412d3f57
Author: mstarzinger <mstarzinger@chromium.org>
Date: Fri Apr 29 12:04:18 2016

[compiler] Fix TurboFan to respect kOptimizeFromBytecode.

This ensures that the TurboFan pipeline is respecting the flag on the CompilationInfo controlling whether to use the BytecodeGraphBuilder or the AstGraphBuilder when ensuring deoptimization support.

R=rmcilroy@chromium.org
BUG= chromium:607871
LOG=n

Review-Url: https://codereview.chromium.org/1934563002
Cr-Commit-Position: refs/heads/master@{#35904}

[modify] https://crrev.com/5749d710bc73ef40f9b9e8b94ec290e0412d3f57/src/compiler/pipeline.cc
[modify] https://crrev.com/5749d710bc73ef40f9b9e8b94ec290e0412d3f57/test/mjsunit/mjsunit.status
Apr 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5410896091807744
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000097dd3bd4
Crash State:
  v8::internal::StackFrameIterator::StackFrameIterator
  v8::internal::Isolate::PrintStack
  v8::internal::Isolate::StackTraceString
Recommended Security Severity: Medium
Regressed: V8: r35891:35892
Minimized Testcase (0.22 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97pxg-xi0oGvtA60IVD2cnFKQGTTcbgGpds4PpDnRqRK6Af6dNqnxIHbwTk6Ys7ippxtSR1wPXK-yfEt5YrSeVnY7SzxiMdljSbfgRb1zVU8PWszjA7VnG1-qHAKVJFUPP46pLKe5rp0Zem4HZfGzUfTbKd5g

{ function t() { try { t(); } catch(e) {; } }; try {; } catch(e) {} } %OptimizeFunctionOnNextCall(__f_17); try { } catch(e) {; } function __f_12() { } function __f_17(a,b,c,d) { return [a, ...(nop()[c])]; } [], __f_17();

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6059900781723648
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject()) in src/objects
Regressed: V8: r35891:35892
Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95GiUzgGbMaZmNiz5EqE7TZRfi5-m3_6C37hjwVIZ1jY9vzr3zVxGQ4Lz8Bh82wZBtwkfGhuMGgiroRRlBMOt2AtEyYnRuWt0iEkxPMYyAgtxgRVssvKGM0vYI7u_QNSI0V7OBW1d32YDZlAGTZa1Qq2fD33w

try { var __v_45 = __v_44(); } catch(e) {; } function __f_44(flags) { var __v_46 = new RegExp(__v_45, flags); } __f_44("__v_44");

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4698771052560384
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()) in src/objec
Regressed: V8: r35891:35892
Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95sDSBS7zWKTdc1xxA_50xKuGMcZwLpeRUb5fiZuF8e-j3Zz2PLFCzbS0YzMN-ZSyGhEMofST0O2onPzHc-0nL-DjMc02o8-2-QgcUpbzZYDEqCumQuOMM8AQU7Zbd9tOyC5lBKg_AV_vvXpkFlhwG83wfDkQ

var __v_7 = {}; try { class MyPromise extends Promise { constructor(...args) { __v_7 = args; } } __v_8 = MyPromise.resolve(); } catch(e) {; }

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 29 2016
ClusterFuzz has detected this issue as fixed in range 35903:35904.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5365604084613120
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: AllowHeapAllocation::IsAllowed() in src/heap/heap-inl.h
Regressed: V8: r35891:35892
Fixed: V8: r35903:35904
Minimized Testcase (6.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96EXQ0tMTZSB6VT-REM9JgIWvZHc0uFHldCV4OUjG2b66aR8BsXGEwUDQbQD4PPrXyn1RCQJN1v6185P0FviZj_Fnut1f3cO8g_Ci3uvqd1wnPstAGkJvi29IyHibjA2VmE4gs91nkI6gNgeLwOsaqlrS_5aA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 29 2016
This is fixed. Sorry for the noise on ClusterFuzz.
Apr 30 2016
ClusterFuzz has detected this issue as fixed in range 35903:35904.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6059900781723648
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject()) in src/objects
Regressed: V8: r35891:35892
Fixed: V8: r35903:35904
Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95GiUzgGbMaZmNiz5EqE7TZRfi5-m3_6C37hjwVIZ1jY9vzr3zVxGQ4Lz8Bh82wZBtwkfGhuMGgiroRRlBMOt2AtEyYnRuWt0iEkxPMYyAgtxgRVssvKGM0vYI7u_QNSI0V7OBW1d32YDZlAGTZa1Qq2fD33w

try { var __v_45 = __v_44(); } catch(e) {; } function __f_44(flags) { var __v_46 = new RegExp(__v_45, flags); } __f_44("__v_44");

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 30 2016
ClusterFuzz has detected this issue as fixed in range 35903:35904.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5410896091807744
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000097dd3bd4
Crash State:
  v8::internal::StackFrameIterator::StackFrameIterator
  v8::internal::Isolate::PrintStack
  v8::internal::Isolate::StackTraceString
Recommended Security Severity: Medium
Regressed: V8: r35891:35892
Fixed: V8: r35903:35904
Minimized Testcase (0.22 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97pxg-xi0oGvtA60IVD2cnFKQGTTcbgGpds4PpDnRqRK6Af6dNqnxIHbwTk6Ys7ippxtSR1wPXK-yfEt5YrSeVnY7SzxiMdljSbfgRb1zVU8PWszjA7VnG1-qHAKVJFUPP46pLKe5rp0Zem4HZfGzUfTbKd5g

{ function t() { try { t(); } catch(e) {; } }; try {; } catch(e) {} } %OptimizeFunctionOnNextCall(__f_17); try { } catch(e) {; } function __f_12() { } function __f_17(a,b,c,d) { return [a, ...(nop()[c])]; } [], __f_17();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 30 2016
ClusterFuzz has detected this issue as fixed in range 35903:35904.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4698771052560384
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()) in src/objec
Regressed: V8: r35891:35892
Fixed: V8: r35903:35904
Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95sDSBS7zWKTdc1xxA_50xKuGMcZwLpeRUb5fiZuF8e-j3Zz2PLFCzbS0YzMN-ZSyGhEMofST0O2onPzHc-0nL-DjMc02o8-2-QgcUpbzZYDEqCumQuOMM8AQU7Zbd9tOyC5lBKg_AV_vvXpkFlhwG83wfDkQ

var __v_7 = {}; try { class MyPromise extends Promise { constructor(...args) { __v_7 = args; } } __v_8 = MyPromise.resolve(); } catch(e) {; }

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Apr 29 2016