Issue 614644

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug




Fatal error in v8::HandleScope::CreateHandle

Project Member Reported by ClusterFuzz, May 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6094711232397312

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  v8::HandleScope::CreateHandle
  
Regressed: V8: r36456:36458

Minimized Testcase (9.71 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95JmX74oJBldoXHEdj-waTkIH7rm3aS0v-ima4DcILeo9PaqUNEY8a4m5osuMIs3wDVqs0dR57b_cCovQkwpyn8SgW6R7x5ILV22EvUv00CWtELleCU23zQ9fRPmLki778_6xEaTeoO6VGVR1_ND-r-LwcSuQ

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
The regression range that ClusterFuzz points to is a red herring. This reproduces on tip-of-tree as well as before the changes in question as follows ...

$ git checkout 35e0f01fb9e9d191663e2993031829db38e706b5
$ make -j1000 x64.debug
$ ./out/x64.debug/d8 --allow-natives-syntax --debug-code test/mjsunit/foo.js
$ cat test/mjsunit/foo.js

function f(a, x) {
  a.shift(2, a.length = 2);
  a[0] = x;
}

f([ ], 1.1);
f([1], 1.1);
%OptimizeFunctionOnNextCall(f);
f([1], 1.1);

Comment 2 by ishell@chromium.org, May 27 2016

Owner: ishell@chromium.org
Status: Assigned (was: Available)
Labels: -OS-Linux OS-All
Owner: bmeu...@chromium.org

Project Member Comment 4 by ClusterFuzz, Jul 6 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6094711232397312

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  v8::HandleScope::CreateHandle
  
Regressed: V8: r36456:36458

Minimized Testcase (9.71 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95HWX3NlKaMOM-5d8EqKvB1mdjR_OXEGFkgf5CwmE61yiNDS88IspalEyVCPfO_7_q2NcqChwxi5s_EntvgLkwSYSA2W5vprfDuMGfBWVQqjpvQ7PqMiGeyuPdWelNqFPiVSlxN2ou7QJpwpLW8YpUHjcFh6w?testcase_id=6094711232397312

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 5 by bugdroid1@chromium.org, Jul 19 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/173313e297ffa94a29fdc9612921df53a92f50c8

commit 173313e297ffa94a29fdc9612921df53a92f50c8
Author: bmeurer <bmeurer@chromium.org>
Date: Tue Jul 19 06:42:43 2016

[crankshaft] Guard against side effects in Array.prototype.shift lowering.

We need to pay attention to potential side effects from parameter
evaluation when inlining the fast case Array.prototype.shift.

R=yangguo@chromium.org
BUG=chromium:614644

Review-Url: https://codereview.chromium.org/2161943002
Cr-Commit-Position: refs/heads/master@{#37850}

[modify] https://crrev.com/173313e297ffa94a29fdc9612921df53a92f50c8/src/crankshaft/hydrogen.cc
[add] https://crrev.com/173313e297ffa94a29fdc9612921df53a92f50c8/test/mjsunit/regress/regress-crbug-614644.js

Status: Fixed (was: Assigned)
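
The commit message above says the inlined Array.prototype.shift fast path has to account for side effects from parameter evaluation, which is exactly what the reproducer in the issue description triggers with `a.length = 2` inside the argument list. The following is an added example written for this page; it is not V8 code and not the regression test referenced in the commit. It re-runs the reproducer in plain JavaScript (without the d8-only %OptimizeFunctionOnNextCall line) and contrasts two models of shift: one that samples the array length before the argument list is evaluated (the stale assumption) and one that samples it afterwards (the ECMAScript order). The helper names shiftWithLengthReadAt, compareModels and runReproducer are hypothetical.

```javascript
// Added example for this bug report; it is not V8 code and not part of the
// issue or the fix. The helper names below are hypothetical.

// The issue's reproducer, minus the %OptimizeFunctionOnNextCall line, which
// only works under d8 --allow-natives-syntax. The argument list of the call
// contains an assignment expression, so `a.length = 2` runs before shift does.
function f(a, x) {
  a.shift(2, a.length = 2);
  a[0] = x;
  return a;
}

// Runs f on a copy of `input` in an ordinary (spec-conforming) engine and
// reports the array state afterwards; optimized code must produce the same.
function runReproducer(input) {
  const a = input.slice();
  return { result: f(a, 1.1), length: a.length };
}

// Models Array.prototype.shift with the length sampled either before the
// arguments are evaluated ("stale", what a naive inlined fast path would do)
// or after ("fresh", the spec order). Elements move down by one, holes kept.
function shiftWithLengthReadAt(a, argThunks, when) {
  const lengthBeforeArgs = a.length;
  argThunks.forEach(t => t());            // argument evaluation; side effects land here
  const len = when === "stale" ? lengthBeforeArgs : a.length;
  if (len === 0) {
    // Fast-path "empty array" exit: nothing is moved and length is not touched.
    return { removed: undefined, len: a.length };
  }
  const removed = a[0];
  for (let i = 1; i < len; i++) {
    if (i in a) a[i - 1] = a[i]; else delete a[i - 1];
  }
  delete a[len - 1];
  a.length = len - 1;
  return { removed, len: a.length };
}

// Evaluates `arr.shift(2, arr.length = 2)` under both models on separate
// copies of `initial`, so the two outcomes can be compared side by side.
function compareModels(initial) {
  const argsFor = arr => [() => 2, () => (arr.length = 2)];
  const fresh = initial.slice();
  const stale = initial.slice();
  return {
    fresh: shiftWithLengthReadAt(fresh, argsFor(fresh), "fresh"),
    stale: shiftWithLengthReadAt(stale, argsFor(stale), "stale"),
  };
}

// Example run: for an initially empty array the fresh model ends with length 1,
// while the stale model takes the "empty" exit yet leaves the array at length 2.
const outcome = compareModels([]);
console.log(runReproducer([]), outcome.fresh, outcome.stale);
```

Running it shows the mismatch the guard in the fix is there to prevent: with an empty input the stale model believes the array is empty and skips the shift entirely, while the assignment in the argument list has already grown the array to length 2; with `[1]` as input the stale model shrinks the array to length 0 where the spec order leaves it at length 1. An inlined fast path that captured the length before argument evaluation is therefore working on an array whose shape no longer matches its assumptions.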

Project Member Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
