
Issue 612109


Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




Crash in v8::internal::Heap::CreateFillerObjectAt

Project Member Reported by ClusterFuzz, May 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6550866286346240

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Heap::CreateFillerObjectAt
  v8::internal::SeqString::Truncate
  v8::internal::__RT_impl_Runtime_TruncateString
  

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96KYnOCNgj8vOO_DtfIVuwmcZg7kyvaCQKvCoHktodPRBgwRld519JbDb8Rp9bYe859NfdIeyXukhVopEi7DvW7nIP0XAyk5oLLc6fvVnsJ3zbFUvVqdYELVoWATIA8pTW4aFtYNQTX8WhPdtWPIDbmNIE64Q
__v_2 = "string for triggering osr in __f_0";
for (var __v_5 = 0; __v_5 < 16; __v_5++) __v_2 = __v_2 + __v_2;
decodeURI(encodeURI(__v_2));


Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ranjitkan@chromium.org
Components: Tools>Test>FindIt>NoResult
Labels: findit-wrong Te-Logged M-52
Owner: u...@chromium.org
Status: Assigned (was: Available)
Using code search, suspecting #34295 could be the possible culprit.

Review URL: https://codereview.chromium.org/1733333002
Change Log: https://chromium.googlesource.com/v8/v8/+/c5142d863ba9f7304779f272258902515ead3cb8

@ulan: Assigning to you; request you to please take a look into it. Please help us to reassign if it is not related to your change.

Thanks!

Cc: u...@chromium.org hablich@chromium.org
Labels: -Pri-1 -Type-Bug Pri-2 Type-Bug-Regression
Owner: ----
Status: Available (was: Assigned)
Cc: yangguo@chromium.org
Owner: fran...@chromium.org
Status: Assigned (was: Available)
Hey Franziska! Yang mentioned you might be interested in this report. It reproduces nicely on tip-of-tree. Please feel free to ping me if you need help with reproducing or more context about ClusterFuzz. Reproduces as follows ...

$ git checkout 992c9c4d7a58f45f28b03e8aac7e42706bd3a42c
$ make -j1000 ia32.debug
$ ./out/ia32.debug/d8 --enable-slow-asserts ~/Downloads/fuzz-00114.js

Here is a symbolized stack trace ...

(gdb) bt
#0  v8::internal::Heap::deserialization_complete (this=0x6620676e) at .././src/heap/heap.h:841
#1  0x08e145a2 in v8::internal::FreeSpace::cast (o=0x4002810d) at .././src/objects-inl.h:3449
#2  0x08dfa09e in v8::internal::Heap::CreateFillerObjectAt (this=0xa469078, addr=0x4002810c, size=655360, mode=v8::internal::ClearRecordedSlots::kNo) at ../src/heap/heap.cc:3054
#3  0x08faf7ba in v8::internal::SeqString::Truncate (string=..., new_length=2228224) at ../src/objects.cc:11071
#4  0x0961fcb2 in v8::internal::__RT_impl_Runtime_TruncateString (args=..., isolate=0xa469068) at ../src/runtime/runtime-strings.cc:1133
#5  0x0961f86f in v8::internal::Runtime_TruncateString (args_length=2, args_object=0xffffc29c, isolate=0xa469068) at ../src/runtime/runtime-strings.cc:1127
#6  0x34d0c6be in ?? ()
#7  0x34d54173 in LazyCompile:~Decode native uri.js:77 (x=..., y=...) at native uri.js:105
#8  0x34d536e2 in LazyCompile:~decodeURI native uri.js:150 (x=...) at native uri.js:161
#9  0x34d531e8 in Script:~test/mjsunit/foo.js () at test/mjsunit/foo.js:9
#10 0x34d3b39e in ?? ()
#11 0x34d25a43 in ?? ()
#12 0x08d80324 in v8::internal::(anonymous namespace)::Invoke (isolate=0xa469068, is_construct=false, target=..., receiver=..., argc=0, args=0x0, new_target=...) at ../src/execution.cc:98
#13 0x08d7ffaa in v8::internal::Execution::Call (isolate=0xa469068, callable=..., receiver=..., argc=0, argv=0x0) at ../src/execution.cc:154
#14 0x08907085 in v8::Script::Run (this=0xa48f708, context=...) at ../src/api.cc:1794
#15 0x088c38c9 in v8::Shell::ExecuteString (isolate=0xa469068, source=..., name=..., print_result=false, report_exceptions=true, source_type=v8::Shell::SCRIPT) at ../src/d8.cc:392
#16 0x088cea10 in v8::SourceGroup::Execute (this=0xa46700c, isolate=0xa469068) at ../src/d8.cc:1522
#17 0x088d1c09 in v8::Shell::RunMain (isolate=0xa469068, argc=7, argv=0xffffcbb4, last_run=true) at ../src/d8.cc:2024
#18 0x088d2ddb in v8::Shell::Main (argc=7, argv=0xffffcbb4) at ../src/d8.cc:2488
#19 0x088d8bbb in main (argc=7, argv=0xffffcbb4) at ../src/d8.cc:2533
I'm working on rewriting decodeURI(), see https://bugs.chromium.org/p/v8/issues/detail?id=4912#c1

If we're lucky that fixes the issue. I'll check if anything else is affected by this and add a regression test case.
The problem was that the test was trying to decode a string of length 1441792. This caused problems in %TruncateString. TruncateString is deleted in https://codereview.chromium.org/1994733003. I added a regression test, just in case ...

I'll close this bug once the CL has landed. 
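The regression test mentioned above is not reproduced here; the following is an added example, not the test from the V8 commit, of the kind of check a regression test for this bug needs: build a large string by repeated doubling, as the ClusterFuzz testcase does, round-trip it through encodeURI/decodeURI, and confirm the decoder's length handling and its edge cases (reserved characters, multi-byte sequences, malformed input). The seed string, the function names buildLargeString, roundTrip and checkEdgeCases, and the expected lengths are assumptions of this example.

```javascript
// Added regression-style check (not the test from the V8 commit): round-trip a
// large string through encodeURI/decodeURI and confirm the result is intact.
// Strings are built by repeated doubling, as in the ClusterFuzz testcase.

// Constructed seed: spaces (encoded as %20) and one multi-byte character
// (encoded as %C3%A9) make the encoded form longer than the decoded form,
// so the decoder must shrink its output buffer back to the right length.
const SEED = "string for triggering osr in __f_0 \u00e9";

// Double `seed` `rounds` times: length grows by a factor of 2^rounds.
function buildLargeString(seed, rounds) {
  let s = seed;
  for (let i = 0; i < rounds; i++) s = s + s;
  return s;
}

// Encode and decode once; return the facts a regression test asserts on
// rather than only printing them.
function roundTrip(input) {
  const encoded = encodeURI(input);
  const decoded = decodeURI(encoded);
  return {
    inputLength: input.length,
    encodedLength: encoded.length,
    decodedLength: decoded.length,
    intact: decoded === input,
  };
}

// decodeURI must keep percent-encoded reserved characters (e.g. %2F, %3F)
// as they are, decode unreserved and multi-byte sequences, and reject a
// truncated UTF-8 sequence with URIError instead of reading past it.
function checkEdgeCases() {
  const results = {};
  results.reservedKept = decodeURI("a%2Fb%3Fc") === "a%2Fb%3Fc";
  results.unreservedDecoded = decodeURI("%41%e2%82%ac") === "A\u20ac";
  let threw = false;
  try {
    decodeURI("%E2%82");
  } catch (e) {
    threw = e instanceof URIError;
  }
  results.malformedRejected = threw;
  return results;
}

// Stand-alone run: 16 doublings give a 2,359,296-character input whose
// encoded form is 3,473,408 characters (53 per 36-character seed copy).
const summary = roundTrip(buildLargeString(SEED, 16));
console.log(summary);            // intact: true expected
console.log(checkEdgeCases());   // all three flags true expected
```

The length arithmetic is what makes the check useful: every space adds two characters and the single accented character adds five, so a decoder that miscomputes the new length after shrinking its buffer shows up as a wrong decodedLength or a false intact flag rather than only as a crash under ASan.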
Awesome. Thanks!
Project Member

Comment 7 by bugdroid1@chromium.org, May 27 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/8c31bd81f2919aafb4d586f39aa729cdbff23c44

commit 8c31bd81f2919aafb4d586f39aa729cdbff23c44
Author: franzih <franzih@chromium.org>
Date: Fri May 27 09:56:04 2016

[builtins] Rewrite uri.js as builtin functions.

Rewrite decodeURI and decodeURIComponent as builtin functions
and install them in the bootstrapper.

Delete unused runtime functions:
 - TruncateString
 - NewString
 - OneByteSeqStringGetChar
 - OneByteSeqStringSetChar
 - TwoByteSeqStringGetChar
 - TwoByteSeqStringSetChar

Add regression test for decoding large strings. Clusterfuzz detected
a problem with %TruncateString, see
https://bugs.chromium.org/p/chromium/issues/detail?id=612109#c6
This is automatically fixed by this rewrite because %TruncateString
is deleted anyways.

Crude benchmark on 585 decodeURI and decodeURIComponent tests
averaged over five runs:

* builtin functions
real	0m9.69s
user	2m39.8816s
sys    	0m12.6398s

* JS functions calling into the runtime e.g., for %TruncateString
real	0m11.0598s
user	3m6.7026s
sys	0m13.5756s

By running:
$  time tools/run-tests.py   --arch=x64  --mode=Release --buildbot
  test262/built-ins/decodeURI* mjsunit/uri
>>> Running tests for x64.Release

BUG=v8:4912, chromium:612109
R=yangguo@chromium.org, bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/1994733003
Cr-Commit-Position: refs/heads/master@{#36543}

[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/bootstrapper.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/builtins.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/builtins.h
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/crankshaft/hydrogen.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/crankshaft/hydrogen.h
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/full-codegen/arm/full-codegen-arm.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/full-codegen/arm64/full-codegen-arm64.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/full-codegen/full-codegen.h
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/full-codegen/ia32/full-codegen-ia32.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/full-codegen/mips/full-codegen-mips.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/full-codegen/mips64/full-codegen-mips64.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/full-codegen/ppc/full-codegen-ppc.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/full-codegen/s390/full-codegen-s390.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/full-codegen/x64/full-codegen-x64.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/full-codegen/x87/full-codegen-x87.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/js/uri.js
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/runtime/runtime-strings.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/runtime/runtime.h
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/uri.cc
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/src/uri.h
[modify] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/test/cctest/compiler/test-run-intrinsics.cc
[delete] https://crrev.com/b890d8c43e82a980ed0c9434c4674e1feba9d4ee/test/mjsunit/lithium/SeqStringSetChar.js
[delete] https://crrev.com/b890d8c43e82a980ed0c9434c4674e1feba9d4ee/test/mjsunit/regress/regress-crbug-320922.js
[add] https://crrev.com/8c31bd81f2919aafb4d586f39aa729cdbff23c44/test/mjsunit/regress/regress-crbug-612109.js
[delete] https://crrev.com/b890d8c43e82a980ed0c9434c4674e1feba9d4ee/test/mjsunit/regress/regress-seqstrsetchar-ex1.js
[delete] https://crrev.com/b890d8c43e82a980ed0c9434c4674e1feba9d4ee/test/mjsunit/regress/regress-seqstrsetchar-ex3.js
[delete] https://crrev.com/b890d8c43e82a980ed0c9434c4674e1feba9d4ee/test/mjsunit/regress/string-set-char-deopt.js
[delete] https://crrev.com/b890d8c43e82a980ed0c9434c4674e1feba9d4ee/test/mjsunit/string-natives.js

Status: Fixed (was: Assigned)
Project Member

Comment 9 by ClusterFuzz, May 27 2016

ClusterFuzz has detected this issue as fixed in range 36542:36543.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6550866286346240

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Heap::CreateFillerObjectAt
  v8::internal::SeqString::Truncate
  v8::internal::__RT_impl_Runtime_TruncateString
  
Fixed: V8: r36542:36543

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96KYnOCNgj8vOO_DtfIVuwmcZg7kyvaCQKvCoHktodPRBgwRld519JbDb8Rp9bYe859NfdIeyXukhVopEi7DvW7nIP0XAyk5oLLc6fvVnsJ3zbFUvVqdYELVoWATIA8pTW4aFtYNQTX8WhPdtWPIDbmNIE64Q
__v_2 = "string for triggering osr in __f_0";
for (var __v_5 = 0; __v_5 < 16; __v_5++) __v_2 = __v_2 + __v_2;
decodeURI(encodeURI(__v_2));


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Components: -Tools>Test>FindIt>NoResult
Project Member

Comment 11 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
