OperandIsValid(bytecode, operand_scale, 0, operand0) in bytecode-array-builder.c
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5401660151300096
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: OperandIsValid(bytecode, operand_scale, 0, operand0) in bytecode-array-builder.c
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=36361:36362
Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv977fgyjXHg6jHNwvOAPDWCJT0R0wxg_8JW6UndLCbuqjIlqMwOE06X1C7QMRo7m4gs8w77Qu3wnsWHLhSOq9BizkQ_032sxvU2EdaARWK9kXiHMTaFZJCdOazLLVxANsC7YkS9JM8cK_3nw80skW9XzgsEdvQ

    try { } catch(e) {; } function __f_7(expected, run) { var __v_10 = run(); }; __f_7("[1,2,3]", () => (function() { return (async () => {[...await arguments] })(); })());

Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 10 2016
Hi Georg, the bytecode generator ends up emitting an invalid register store. It looks like BytecodeGenerator::generator_state_ has not been initialized.
    {
      RegisterAllocationScope register_scope(this);

      // Update state to indicate that we have finished resuming. Loop headers
      // rely on this.
      builder()
          ->LoadLiteral(Smi::FromInt(JSGeneratorObject::kGeneratorExecuting))
          .StoreAccumulatorInRegister(generator_state_);
Can you take a look?
Thanks
Jun 10 2016
Caitlin and Dan, what's the status of async/await w.r.t. Ignition? I suppose you never tested it? Currently, the essential generator prologue is only omitted if IsGeneratorFunction holds.
Jun 10 2016
s/omitted/emitted/
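A regression-style check of the semantics the minimized test case in the issue description relies on, added here as an example and not a V8 test file: an arrow function reads the enclosing function's arguments object, and doing so after an await sends the async body through the suspend/resume path that the generator prologue discussed above prepares. The function names are my own; the input values (1, 2, 3) and expected strings are constructed.

```javascript
// Control case: synchronous arrow, no suspension. Arrows have no `arguments`
// of their own, so this reads the enclosing function's.
function spreadLexicalArgumentsSync() {
  return (() => [...arguments])();
}

// The crashing shape from the fuzzer input: async arrow, with the spread of
// the lexical `arguments` evaluated only after the body resumes from `await`.
function spreadLexicalArgumentsAsync() {
  return (async () => [...await arguments])();
}

// Contrast: a non-arrow async function expression has its own `arguments`,
// which is empty here because the inner function is invoked with none.
function spreadOwnArgumentsAsync() {
  return (async function () { return [...await arguments]; })();
}

// Same shape as the fuzzer harness __f_7(expected, run), but keeping the
// comparison the mutated harness dropped; resolves to a boolean.
async function checkCase(expected, run) {
  const result = await run();
  return JSON.stringify(result) === expected;
}

// Runs the three cases with constructed input (1, 2, 3); resolves to true
// only when every case matches its expected stringified result.
async function runRegression() {
  const results = await Promise.all([
    checkCase("[1,2,3]", () => spreadLexicalArgumentsSync(1, 2, 3)),
    checkCase("[1,2,3]", () => spreadLexicalArgumentsAsync(1, 2, 3)),
    checkCase("[]", () => spreadOwnArgumentsAsync(1, 2, 3)),
  ]);
  return results.every(Boolean);
}

runRegression().then((ok) => {
  if (!ok) throw new Error("async arrow lexical arguments regression failed");
  console.log("regression check passed");
});
```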
Jun 14 2016
ClusterFuzz has detected this issue as fixed in range 36937:36938.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5401660151300096
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: OperandIsValid(bytecode, operand_scale, 0, operand0) in bytecode-array-builder.c
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=36361:36362
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=36937:36938
Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv977fgyjXHg6jHNwvOAPDWCJT0R0wxg_8JW6UndLCbuqjIlqMwOE06X1C7QMRo7m4gs8w77Qu3wnsWHLhSOq9BizkQ_032sxvU2EdaARWK9kXiHMTaFZJCdOazLLVxANsC7YkS9JM8cK_3nw80skW9XzgsEdvQ

    try { } catch(e) {; } function __f_7(expected, run) { var __v_10 = run(); }; __f_7("[1,2,3]", () => (function() { return (async () => {[...await arguments] })(); })());

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 15 2016
Issue 620116 has been merged into this issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by oth@chromium.org, Jun 9 2016
Status: Assigned (was: Available)