
Issue 609029


Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


data()->IsUndefined() || data()->IsFixedArray() in v8/src/objects-debug.cc

Project Member Reported by ClusterFuzz, May 4 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6671907985817600

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  data()->IsUndefined() || data()->IsFixedArray() in v8/src/objects-debug.cc
Regressed: V8: r35187:35212

Minimized Testcase (0.01 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94l6UKeZkaHiIWWVVq17gTutQXVRLtkEmGBE7TTNGWU758QZNnsK-K_QmsYQM0NDu5oFNBiepbuoghlXXkm2ovfYEvsv3bBdrnFwEr6K3T-gfe6maRiIubTvMy_TcB1wEL8u6uMkv5tVlo3UtglchK12r_eNg
"xxx".match();


Filer: jarin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by jarin@chromium.org, May 4 2016

Cc: ishell@chromium.org mstarzinger@chromium.org
Owner: bmeu...@chromium.org
Status: Assigned (was: Available)

Comment 2 by jarin@chromium.org, May 4 2016

Cc: -jarin@google.com jarin@chromium.org
Status: Started (was: Assigned)
Comment 4 by bugdroid1@chromium.org (Project Member), May 4 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c3218375c1583ed6f8ed8bc57cc0bac7326e1ab4

commit c3218375c1583ed6f8ed8bc57cc0bac7326e1ab4
Author: bmeurer <bmeurer@chromium.org>
Date: Wed May 04 07:33:26 2016

[turbofan] Implement %_NewObject using FastNewObjectStub.

The inline allocation sequence in the optimizing compilers cannot deal
well with funky types like JSRegExp, which have some magic fields in
addition to the inobject properties. In Crankshaft we already use the
FastNewObjectStub for %_NewObject in general, so fix TurboFan to the same.
Hopefully one day we can kill %_NewObject completely.

R=jarin@chromium.org
BUG= chromium:609029 
LOG=n

Review-Url: https://codereview.chromium.org/1943403004
Cr-Commit-Position: refs/heads/master@{#36006}

[modify] https://crrev.com/c3218375c1583ed6f8ed8bc57cc0bac7326e1ab4/src/compiler/js-intrinsic-lowering.cc
[add] https://crrev.com/c3218375c1583ed6f8ed8bc57cc0bac7326e1ab4/test/mjsunit/regress/regress-crbug-609029.js

Status: Fixed (was: Started)
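As an added illustration (this is not the V8 regression test and not code from the bug report or the fix), the JavaScript below shows why the one-line test case allocates a RegExp at all: String.prototype.match with an undefined argument creates a fresh RegExp from undefined, so even a no-argument call constructs the kind of object (a JSRegExp) that the commit message says the inline allocation sequence could not handle. The function names are my own.

```javascript
// Added example, not V8 code: demonstrates the language semantics behind the
// minimized test case "xxx".match(). When the argument is undefined,
// String.prototype.match creates a new RegExp internally (RegExpCreate with an
// undefined pattern), so a RegExp object is allocated on every such call.

// Returns the regexp source text that `new RegExp(pattern)` ends up with.
// Per the ECMAScript RegExp constructor, an undefined pattern becomes the
// empty pattern, whose `source` is rendered as "(?:)".
function regExpSourceFor(pattern) {
  return new RegExp(pattern).source;
}

// Runs the three equivalent forms of the call (no argument, an explicit RegExp
// built from undefined, and the empty-pattern literal) and reports whether
// they produce the same match.
function matchWithoutArgument(subject) {
  const noArg = subject.match();                            // the test case's form
  const viaUndefined = subject.match(new RegExp(undefined)); // what match() does internally
  const viaLiteral = subject.match(/(?:)/);                  // the resulting empty pattern
  const allAgree = [noArg, viaUndefined, viaLiteral].every(
    (m) => m !== null && m[0] === noArg[0] && m.index === noArg.index
  );
  return { matched: noArg[0], index: noArg.index, input: noArg.input, allAgree };
}

// The string "undefined" is not treated like the value undefined: a string
// argument is compiled as a pattern and therefore matches itself, while the
// value undefined yields the empty pattern.
function stringVersusUndefined() {
  return {
    fromValue: "undefined".match()[0],
    fromString: "undefined".match("undefined")[0],
  };
}

console.log(regExpSourceFor(undefined));
console.log(matchWithoutArgument("xxx"));
console.log(stringVersusUndefined());
```

The empty pattern matches at index 0 of any string, which is why the test case returns a one-element array containing the empty string rather than null; the allocation, not the match result, is what exercised the optimizing compiler.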

Comment 6 by adamk@chromium.org, May 13 2016

Cc: adamk@chromium.org
The test added in this change has been failing in most runs on the deopt fuzzer (https://build.chromium.org/p/client.v8/builders/V8%20Random%20Deopt%20Fuzzer%20-%20debug), with the error:

=== mjsunit/regress/regress-crbug-609029 ===
--- stderr ---
#
# Fatal error in ../../src/objects-inl.h, line 3172
# Check failed: !v8::internal::FLAG_enable_slow_asserts || (object->IsSmi()).
#

Here's an example failing run: https://build.chromium.org/p/client.v8/builders/V8%20Random%20Deopt%20Fuzzer%20-%20debug/builds/1056
Comment 7 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
