HAllocate::cast(dominator)->IsAllocationFoldingDominator() in src/crankshaft/hyd
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5259742192861184
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  HAllocate::cast(dominator)->IsAllocationFoldingDominator() in src/crankshaft/hyd
Regressed: V8: r36132:36133
Minimized Testcase (0.42 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96kR194IEappJr8ny7V9H4qWMhlBXKkxcss8ZGXb86RT06eXdHygWhDYBMrC_ZnFIfCIRoExyOcvqqbH_3qfoCVawrU38_sfT6HRxwUdbtxiJb14RYMFx2TtmiViQFQchZ---hrETVVVtBXT9Bcl367fAF07g
{
  function __f_1(a, i, v) { a[i] = v; }
  var __v_1 = [];
  __f_1(__v_1, 0, 2.5);
  var __v_3 = [];
  __f_1(__v_3, 0, 2.5);
  var __v_13 = [];
  __v_13.length = 13;
  __f_1(__v_13, 0, 2.5);
  function __f_2(a, i, v) { a[i] = v; }
  var __v_4 = [];
  __f_2(__v_3, 0);
  var __v_5 = [, 4];
  __f_2(__v_5, 0, 2.5);
  function __f_3() { }
  c4 = [];
  for (i = 3; i < 0xa000; ++i) { }
}
function __f_6() { }
Filer: ishell
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 30 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/359a269a0c59235e1aefc732be44043fbd6100ff

commit 359a269a0c59235e1aefc732be44043fbd6100ff
Author: hpayer <hpayer@chromium.org>
Date: Mon May 30 11:22:29 2016

[crankshaft] There is no guarantee that allocations are folded in Crankshaft.

BUG= chromium:615770
LOG=N

Review-Url: https://codereview.chromium.org/2022743002
Cr-Commit-Position: refs/heads/master@{#36579}

[modify] https://crrev.com/359a269a0c59235e1aefc732be44043fbd6100ff/src/crankshaft/hydrogen-instructions.h
May 30 2016
ClusterFuzz has detected this issue as fixed in range 36578:36579.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5259742192861184
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  HAllocate::cast(dominator)->IsAllocationFoldingDominator() in src/crankshaft/hyd
Regressed: V8: r36132:36133
Fixed: V8: r36578:36579
Minimized Testcase (0.42 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96kR194IEappJr8ny7V9H4qWMhlBXKkxcss8ZGXb86RT06eXdHygWhDYBMrC_ZnFIfCIRoExyOcvqqbH_3qfoCVawrU38_sfT6HRxwUdbtxiJb14RYMFx2TtmiViQFQchZ---hrETVVVtBXT9Bcl367fAF07g
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, May 30 2016
Owner: hpayer@chromium.org
Status: Assigned (was: Available)