New issue
Advanced search Search tips

Issue 609029 link

Starred by 0 users
Status: Fixed
Owner:
bmeu...@chromium.org
Closed: May 2016
Cc:
jarin@chromium.org
adamk@chromium.org
ishell@chromium.org
mstarzinger@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

data()->IsUndefined() || data()->IsFixedArray() in v8/src/objects-debug.cc

Project Member Reported by ClusterFuzz, May 4 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6671907985817600

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  data()->IsUndefined() || data()->IsFixedArray() in v8/src/objects-debug.cc
  
Regressed: V8: r35187:35212

Minimized Testcase (0.01 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94l6UKeZkaHiIWWVVq17gTutQXVRLtkEmGBE7TTNGWU758QZNnsK-K_QmsYQM0NDu5oFNBiepbuoghlXXkm2ovfYEvsv3bBdrnFwEr6K3T-gfe6maRiIubTvMy_TcB1wEL8u6uMkv5tVlo3UtglchK12r_eNg
"xxx".match();


Filer: jarin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by jarin@chromium.org, May 4 2016

Cc: ishell@chromium.org mstarzinger@chromium.org
Owner: bmeu...@chromium.org
Status: Assigned (was: Available)

Comment 2 by jarin@chromium.org, May 4 2016

Cc: -jarin@google.com jarin@chromium.org

Comment 3 by bmeu...@chromium.org, May 4 2016

Status: Started (was: Assigned)
Project Member

Comment 4 by bugdroid1@chromium.org, May 4 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c3218375c1583ed6f8ed8bc57cc0bac7326e1ab4

commit c3218375c1583ed6f8ed8bc57cc0bac7326e1ab4
Author: bmeurer <bmeurer@chromium.org>
Date: Wed May 04 07:33:26 2016

[turbofan] Implement %_NewObject using FastNewObjectStub.

The inline allocation sequence in the optimizing compilers cannot deal
well with funky types like JSRegExp, which have some magic fields in
addition to the inobject properties. In Crankshaft we already use the
FastNewObjectStub for %_NewObject in general, so fix TurboFan to the same.
Hopefully one day we can kill %_NewObject completely.

R=jarin@chromium.org
BUG= chromium:609029 
LOG=n

Review-Url: https://codereview.chromium.org/1943403004
Cr-Commit-Position: refs/heads/master@{#36006}

[modify] https://crrev.com/c3218375c1583ed6f8ed8bc57cc0bac7326e1ab4/src/compiler/js-intrinsic-lowering.cc
[add] https://crrev.com/c3218375c1583ed6f8ed8bc57cc0bac7326e1ab4/test/mjsunit/regress/regress-crbug-609029.js

Comment 5 by bmeu...@chromium.org, May 12 2016

Status: Fixed (was: Started)

Comment 6 by adamk@chromium.org, May 13 2016

Cc: adamk@chromium.org
The test added in this change has been failing in most runs on the deopt fuzzer (https://build.chromium.org/p/client.v8/builders/V8%20Random%20Deopt%20Fuzzer%20-%20debug), with the error:

=== mjsunit/regress/regress-crbug-609029 ===
--- stderr ---
#
# Fatal error in ../../src/objects-inl.h, line 3172
# Check failed: !v8::internal::FLAG_enable_slow_asserts || (object->IsSmi()).
#

Here's an example failing run: https://build.chromium.org/p/client.v8/builders/V8%20Random%20Deopt%20Fuzzer%20-%20debug/builds/1056
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment