map->is_stable() in src/compilation-dependencies.cc |
|||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4738994286100480 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_ignition_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: map->is_stable() in src/compilation-dependencies.cc Regressed: V8: r35891:35892 Minimized Testcase (8.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97G_exm9AZU2uK10Iy9Ir_urNRprlb4AGmrdZbxKBqshAj8owPRmorYwY7uJWBtkwT-j7LATgLEt_WJI_vVYFezI-YTgmifkKyGG3KTDSMKrozAhRzTbxPMcNgQfyh27gvVv3ywfZ5hcPttqh7sdXxcU5ztyg Filer: mstarzinger See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 15 2016
Removed the Crankshaft-like fallback code from TurboFan based on Toons advice. How should we deal with this?
,
Jun 15 2016
,
Jun 15 2016
@bmeurer: I don't understand what you mean? You cannot deal with this case inline, thus just want to use the IC.
,
Jun 16 2016
That answers the question. I wasn't sure if we cannot handle element access even in the case of dictionary properties in the prototype chain.
,
Jun 16 2016
Looking at Crankshaft, it seems indeed possible to do that.
,
Jun 16 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/1c7bdc7f6f4d9512f4982590bd949f265ee9c8c3 commit 1c7bdc7f6f4d9512f4982590bd949f265ee9c8c3 Author: bmeurer <bmeurer@chromium.org> Date: Thu Jun 16 05:24:33 2016 [turbofan] Properly handle dictionary maps in the prototype chain. Dictionary prototypes don't have stable maps, but still don't matter for element access. Generalized the JSNativeContextSpecialization a bit to handle everything that Crankshaft can handle in this regard. R=jarin@chromium.org BUG= chromium:616709 Review-Url: https://codereview.chromium.org/2067423003 Cr-Commit-Position: refs/heads/master@{#37019} [modify] https://crrev.com/1c7bdc7f6f4d9512f4982590bd949f265ee9c8c3/src/compilation-dependencies.cc [modify] https://crrev.com/1c7bdc7f6f4d9512f4982590bd949f265ee9c8c3/src/compilation-dependencies.h [modify] https://crrev.com/1c7bdc7f6f4d9512f4982590bd949f265ee9c8c3/src/compiler/js-native-context-specialization.cc [modify] https://crrev.com/1c7bdc7f6f4d9512f4982590bd949f265ee9c8c3/src/compiler/js-native-context-specialization.h [add] https://crrev.com/1c7bdc7f6f4d9512f4982590bd949f265ee9c8c3/test/mjsunit/regress/regress-crbug-616709.js
,
Jun 16 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/47fb39e4de283b3aca5c655628b3f4d195c7563f commit 47fb39e4de283b3aca5c655628b3f4d195c7563f Author: bmeurer <bmeurer@chromium.org> Date: Thu Jun 16 09:15:00 2016 Revert of [turbofan] Properly handle dictionary maps in the prototype chain. (patchset #1 id:1 of https://codereview.chromium.org/2067423003/ ) Reason for revert: As discussed offline with Toon, this is not the correct fix here. Original issue's description: > [turbofan] Properly handle dictionary maps in the prototype chain. > > Dictionary prototypes don't have stable maps, but still don't matter for > element access. Generalized the JSNativeContextSpecialization a bit to > handle everything that Crankshaft can handle in this regard. > > R=jarin@chromium.org > BUG= chromium:616709 > > Committed: https://crrev.com/1c7bdc7f6f4d9512f4982590bd949f265ee9c8c3 > Cr-Commit-Position: refs/heads/master@{#37019} TBR=jarin@chromium.org # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG= chromium:616709 Review-Url: https://codereview.chromium.org/2076493002 Cr-Commit-Position: refs/heads/master@{#37029} [modify] https://crrev.com/47fb39e4de283b3aca5c655628b3f4d195c7563f/src/compilation-dependencies.cc [modify] https://crrev.com/47fb39e4de283b3aca5c655628b3f4d195c7563f/src/compilation-dependencies.h [modify] https://crrev.com/47fb39e4de283b3aca5c655628b3f4d195c7563f/src/compiler/js-native-context-specialization.cc [modify] https://crrev.com/47fb39e4de283b3aca5c655628b3f4d195c7563f/src/compiler/js-native-context-specialization.h [delete] https://crrev.com/175fc180b717dcac0301b7300eb9ccfa790540f4/test/mjsunit/regress/regress-crbug-616709.js
,
Aug 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/cad5b29610a1684adecafe25544a6d6dddf2113b commit cad5b29610a1684adecafe25544a6d6dddf2113b Author: bmeurer <bmeurer@chromium.org> Date: Fri Aug 05 04:53:48 2016 [turbofan] Remove unnecessary prototype checks for element access. We don't need to add stability dependencies on JSObject prototypes when storing to an element, because we do the map check (and thereby guard the elements kind) and we also properly deoptimize on holes if the array protector is not usable. R=verwaest@chromium.org BUG= chromium:616709 Review-Url: https://codereview.chromium.org/2198833002 Cr-Commit-Position: refs/heads/master@{#38355} [modify] https://crrev.com/cad5b29610a1684adecafe25544a6d6dddf2113b/src/compiler/access-info.cc [modify] https://crrev.com/cad5b29610a1684adecafe25544a6d6dddf2113b/src/compiler/access-info.h [modify] https://crrev.com/cad5b29610a1684adecafe25544a6d6dddf2113b/src/compiler/js-native-context-specialization.cc [modify] https://crrev.com/cad5b29610a1684adecafe25544a6d6dddf2113b/src/compiler/js-native-context-specialization.h [add] https://crrev.com/cad5b29610a1684adecafe25544a6d6dddf2113b/test/mjsunit/regress/regress-crbug-616709-1.js [add] https://crrev.com/cad5b29610a1684adecafe25544a6d6dddf2113b/test/mjsunit/regress/regress-crbug-616709-2.js
,
Aug 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6406693540069376 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_ignition_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: map->is_stable() in compilation-dependencies.cc Regressed: V8: r38602:38603 Minimized Testcase (9.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94pxIM0LbL0j4so4mT3AdVy2Rx9vuwonKkXXn2rSnXlufTfpWU_isDgqmrOMFcNo-aaJJIxAZAJYy2HuVi2F9XduSqTYMFC8FGTVT4XfTSBAqL6geHUW0jdAhCTdZsQI6x7fAj9SgBSHKmblEvhAFu2cXE01g?testcase_id=6406693540069376 Issue manually filed by: titzer See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 16 2016
,
Sep 1 2016
ClusterFuzz has detected this issue as fixed in range 39044:39045. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6406693540069376 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_ignition_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: map->is_stable() in compilation-dependencies.cc Regressed: V8: r38602:38603 Fixed: V8: r39044:39045 Minimized Testcase (9.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94pxIM0LbL0j4so4mT3AdVy2Rx9vuwonKkXXn2rSnXlufTfpWU_isDgqmrOMFcNo-aaJJIxAZAJYy2HuVi2F9XduSqTYMFC8FGTVT4XfTSBAqL6geHUW0jdAhCTdZsQI6x7fAj9SgBSHKmblEvhAFu2cXE01g?testcase_id=6406693540069376 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by jkummerow@chromium.org
, Jun 14 2016Turbofan assumes that all prototype maps are stable, but that's not the case for dictionary maps (which can happen when there are too many properties). Reduced repro: // Make the Object prototype have dictionary properties. for (var i = 0; i < 2000; i++) { Object.prototype['generatedProperty'+i] = true; } function boom(a1) { with ({}) {} // Force Turbofan. return a1[0]; } var a = new Array(1); a[0] = 0.1; boom(a); boom(a); %OptimizeFunctionOnNextCall(boom); boom(a); DCHECKs as follows: # # Fatal error in ../src/compilation-dependencies.cc, line 119 # Check failed: map->is_stable(). # (gdb) bt #0 v8::base::OS::Abort () at ../src/base/platform/platform-posix.cc:240 #1 0x0000000001a12358 in V8_Fatal (file=0x1d256b7 "../src/compilation-dependencies.cc", line=119, format=0x1ca8d60 "Check failed: %s.") at ../src/base/logging.cc:116 #2 0x00000000016d1526 in v8::internal::CompilationDependencies::AssumeMapStable (this=0x38f74a0, map=...) at ../src/compilation-dependencies.cc:119 #3 0x00000000016d160d in v8::internal::CompilationDependencies::AssumePrototypeMapsStable (this=0x38f74a0, map=..., prototype=...) at ../src/compilation-dependencies.cc:132 #4 0x00000000017b0472 in v8::internal::compiler::JSNativeContextSpecialization::AssumePrototypesStable (this=0x7ffdbe889338, receiver_type=0x39078c8, native_context=..., holder=...) at ../src/compiler/js-native-context-specialization.cc:1004 #5 0x00000000017b2bc5 in v8::internal::compiler::JSNativeContextSpecialization::ReduceElementAccess (this=0x7ffdbe889338, node=0x39073b8, index=0x3907078, value=0x3906458, receiver_maps=..., access_mode=v8::internal::compiler::AccessMode::kLoad, language_mode=v8::internal::SLOPPY, store_mode=v8::internal::STANDARD_STORE) at ../src/compiler/js-native-context-specialization.cc:800 #6 0x00000000017b4068 in v8::internal::compiler::JSNativeContextSpecialization::ReduceKeyedAccess (this=0x7ffdbe889338, node=0x39073b8, index=0x3907078, value=0x3906458, nexus=..., access_mode=v8::internal::compiler::AccessMode::kLoad, language_mode=v8::internal::SLOPPY, store_mode=v8::internal::STANDARD_STORE) at ../src/compiler/js-native-context-specialization.cc:935 #7 0x00000000017ad386 in v8::internal::compiler::JSNativeContextSpecialization::ReduceJSLoadProperty (this=0x7ffdbe889338, node=0x39073b8) at ../src/compiler/js-native-context-specialization.cc:967