1 == effect->op()->EffectInputCount() in node-properties.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4589225177776128

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  1 == effect->op()->EffectInputCount() in node-properties.cc

Minimized Testcase (0.35 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Uejf05Gusu_LprduydLmxnSIjPyYe7S7i0YTH1AcGmYAcsCCBHkk1jsT4rDWlEHyaTv3Eb8NIHduRB7mC4b32VSnpfNMvXPP9gTM19DyVLzag_PcKZ9ijE8olR4of5mhSVpNx7wbmNnbCxR6w_W9R85dD3Q

    var __v_2 = {};
    var __v_4 = {};
    __v_6 = [NaN];
    __v_2 = [];
    function __f_12() {
      // __v_6 has length 1 but __v_2 is empty, so __v_2[0]() throws a TypeError.
      for (var __v_3 = 0; __v_3 < __v_6.length; __v_3++) {
        __v_2[__v_3]();
      }
    }
    try {
      __f_12();
    } catch (e) {
    }
    (function __f_38() {
      var __v_38 = { method() { } };
    })();
    var __v_46 = new Uint8ClampedArray();
    function __f_46() {
      __v_46 = __v_4;
      // Second call: the TypeError is not caught this time.
      __f_12();
    }
    __f_46();

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 6 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/826627d9fd0e452a423948536076027c2b22a49b

commit 826627d9fd0e452a423948536076027c2b22a49b
Author: mstarzinger <mstarzinger@chromium.org>
Date: Mon Jun 06 12:31:52 2016

[turbofan] Make FindFrameStateBefore handle dead paths.

This makes sure {NodeProperties::FindFrameStateBefore} can deal with effect chains that are marked as dead. This can happen when reducers looking for frame states run together with other reducers killing some execution paths within the same reduction phase.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-617567
BUG=chromium:617567,chromium:617224

Review-Url: https://codereview.chromium.org/2041833002
Cr-Commit-Position: refs/heads/master@{#36743}

[modify] https://crrev.com/826627d9fd0e452a423948536076027c2b22a49b/src/compiler/node-properties.cc
[add] https://crrev.com/826627d9fd0e452a423948536076027c2b22a49b/test/mjsunit/regress/regress-crbug-617567.js
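The commit above says the effect-chain walk in FindFrameStateBefore has to cope with a chain that another reducer has already marked dead. The C++ below is an added toy model written for this page, not V8's code: the Node/Graph structures, the opcode names and both walk variants are stand-ins for TurboFan's IR, and the "before" and "after" behaviour is inferred only from the CHECK text in the title (a Dead node has no effect input, so a walk that asserts exactly one trips the CHECK) and from the commit message (the fixed walk stops at the Dead node instead).

```cpp
// Toy model of an effect-chain walk (NOT V8's code; names are assumptions).
#include <cassert>
#include <memory>
#include <stdexcept>
#include <vector>

enum class Opcode { kDead, kCheckpoint, kFrameState, kLoadField, kCall };

struct Node {
  Opcode opcode;
  std::vector<Node*> effect_inputs;  // 0 for Dead/FrameState, 1 for effectful nodes
  Node* frame_state = nullptr;       // only populated on Checkpoint nodes
  Node(Opcode op, std::vector<Node*> eff, Node* fs = nullptr)
      : opcode(op), effect_inputs(std::move(eff)), frame_state(fs) {}
  int EffectInputCount() const { return static_cast<int>(effect_inputs.size()); }
};

// Owns nodes so the example has no manual memory management.
struct Graph {
  std::vector<std::unique_ptr<Node>> nodes;
  Node* New(Opcode op, std::vector<Node*> eff = {}, Node* fs = nullptr) {
    nodes.push_back(std::make_unique<Node>(op, std::move(eff), fs));
    return nodes.back().get();
  }
};

// Stands in for a CHECK failure (a real CHECK aborts the process).
struct CheckFailure : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// "Before" behaviour: walk back from the node until a Checkpoint is found,
// insisting that every node on the way has exactly one effect input.
// A Dead node has none, so a killed path trips the CHECK instead of ending.
Node* FindFrameStateBeforeUnfixed(Node* node) {
  Node* effect = node->effect_inputs.at(0);
  while (effect->opcode != Opcode::kCheckpoint) {
    if (1 != effect->EffectInputCount()) {
      throw CheckFailure("1 == effect->op()->EffectInputCount()");
    }
    effect = effect->effect_inputs[0];
  }
  return effect->frame_state;
}

// "After" behaviour: a Dead node terminates the walk and is handed back to
// the caller, which can then treat the path as dead rather than crashing.
Node* FindFrameStateBeforeFixed(Node* node) {
  Node* effect = node->effect_inputs.at(0);
  while (effect->opcode != Opcode::kCheckpoint) {
    if (effect->opcode == Opcode::kDead) return effect;
    assert(1 == effect->EffectInputCount());
    effect = effect->effect_inputs[0];
  }
  return effect->frame_state;
}

// Live chain: FrameState <- Checkpoint <- LoadField <- Call.
// Both walks find the FrameState hanging off the Checkpoint.
bool LiveChainAgrees() {
  Graph g;
  Node* fs = g.New(Opcode::kFrameState);
  Node* cp = g.New(Opcode::kCheckpoint, {}, fs);
  Node* ld = g.New(Opcode::kLoadField, {cp});
  Node* call = g.New(Opcode::kCall, {ld});
  return FindFrameStateBeforeUnfixed(call) == fs &&
         FindFrameStateBeforeFixed(call) == fs;
}

// Dead chain: Dead <- LoadField <- Call, i.e. what is left after a reducer in
// the same phase killed the path. True iff the unfixed walk trips the CHECK
// and the fixed walk returns the Dead node.
bool DeadChainBehaviour() {
  Graph g;
  Node* dead = g.New(Opcode::kDead);
  Node* ld = g.New(Opcode::kLoadField, {dead});
  Node* call = g.New(Opcode::kCall, {ld});
  bool unfixed_tripped = false;
  try {
    FindFrameStateBeforeUnfixed(call);
  } catch (const CheckFailure&) {
    unfixed_tripped = true;
  }
  return unfixed_tripped && FindFrameStateBeforeFixed(call) == dead;
}

int main() {
  assert(LiveChainAgrees());
  assert(DeadChainBehaviour());
  return 0;
}
```

The model only shows why a zero-effect-input node on the chain violates the invariant the CHECK encodes and what "handle dead paths" has to mean for the walk; it says nothing about which reducers in the real phase produced the dead chain for the fuzzer testcase above.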
Jun 7 2016

ClusterFuzz has detected this issue as fixed in range 36738:36764.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4589225177776128

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  1 == effect->op()->EffectInputCount() in node-properties.cc

Fixed: V8: r36738:36764

Minimized Testcase (0.35 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Uejf05Gusu_LprduydLmxnSIjPyYe7S7i0YTH1AcGmYAcsCCBHkk1jsT4rDWlEHyaTv3Eb8NIHduRB7mC4b32VSnpfNMvXPP9gTM19DyVLzag_PcKZ9ijE8olR4of5mhSVpNx7wbmNnbCxR6w_W9R85dD3Q
(same minimized testcase as in the issue description)

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 7 2016
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Jun 6 2016
Status: Assigned (was: Available)