Issue 620272

Issue metadata

Status: Duplicate
Merged: issue 616709
Owner: ----
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug

dependent_code()->IsEmpty(DependentCode::kPrototypeCheckGroup) in objects-debug.

Project Member Reported by ClusterFuzz, Jun 15 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6701111818059776

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: CHECK failure
Crash Address:
Crash State:
  dependent_code()->IsEmpty(DependentCode::kPrototypeCheckGroup) in objects-debug.

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=399780:399803

Minimized Testcase (1.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97v9_bBrKRPhzKJbsx4MGo2yGSb_AxoO4ERfXHgSd-wRYlpAC05B58JlXnuy891T4OS_6N0EbgSKVe-sXNcAbSmgcsUUY052D5ZDi62OzWzGXMnjTug6p2Bdk0aQXUjG7W_vqneVOM4RcwRcstwikjjRIXONw

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Reproduces slightly differently on tip-of-tree. Only on ia32 ...

$ ~/Development/v8.git/out/ia32.debug/d8 --random-seed=175565070 --verify-heap --turbo-filter=* ~/Downloads/fuzz-00487.js 

#
# Fatal error in ../src/compilation-dependencies.cc, line 119
# Check failed: map->is_stable().
#

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::internal::CompilationDependencies::AssumeMapStable(v8::internal::Handle<v8::internal::Map>)
 3: v8::internal::CompilationDependencies::AssumePrototypeMapsStable(v8::internal::Handle<v8::internal::Map>, v8::internal::MaybeHandle<v8::internal::JSReceiver>)
 4: v8::internal::compiler::JSNativeContextSpecialization::AssumePrototypesStable(v8::internal::Type*, v8::internal::Handle<v8::internal::Context>, v8::internal::Handle<v8::internal::JSObject>)
 5: v8::internal::compiler::JSNativeContextSpecialization::ReduceElementAccess(v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::List<v8::internal::Handle<v8::internal::Map>, v8::internal::FreeStoreAllocationPolicy> const&, v8::internal::compiler::AccessMode, v8::internal::LanguageMode, v8::internal::KeyedAccessStoreMode)
 6: v8::internal::compiler::JSNativeContextSpecialization::ReduceKeyedAccess(v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::FeedbackNexus const&, v8::internal::compiler::AccessMode, v8::internal::LanguageMode, v8::internal::KeyedAccessStoreMode)
 7: v8::internal::compiler::JSNativeContextSpecialization::ReduceJSLoadProperty(v8::internal::compiler::Node*)
 8: v8::internal::compiler::JSNativeContextSpecialization::Reduce(v8::internal::compiler::Node*)
 9: v8::internal::compiler::GraphReducer::Reduce(v8::internal::compiler::Node*)
10: v8::internal::compiler::GraphReducer::ReduceTop()
11: v8::internal::compiler::GraphReducer::ReduceNode(v8::internal::compiler::Node*)
12: v8::internal::compiler::GraphReducer::ReduceGraph()
13: v8::internal::compiler::InliningPhase::Run(v8::internal::compiler::PipelineData*, v8::internal::Zone*)
14: void v8::internal::compiler::PipelineImpl::Run<v8::internal::compiler::InliningPhase>()
15: v8::internal::compiler::PipelineImpl::CreateGraph()
16: v8::internal::compiler::PipelineCompilationJob::CreateGraphImpl()
17: v8::internal::CompilationJob::CreateGraph()
18: 0x8c65de0
19: 0x8c5b242
20: v8::internal::Compiler::CompileOptimized(v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Compiler::ConcurrencyMode)
21: 0x9701428
22: v8::internal::Runtime_CompileOptimized_Concurrent(int, v8::internal::Object**, v8::internal::Isolate*)
23: 0xf280a23e
24: 0xf283791f
25: 0x4c33e798
26: 0xf280ae76
27: 0xf2856e09
28: 0xf28376de
29: 0xf2823c43
30: 0x8e3a58c
31: v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*)
32: v8::Script::Run(v8::Local<v8::Context>)
33: v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, bool, bool, v8::Shell::SourceType)
34: v8::SourceGroup::Execute(v8::Isolate*)
35: v8::Shell::RunMain(v8::Isolate*, int, char**, bool)
36: v8::Shell::Main(int, char**)
37: main
38: __libc_start_main
Illegal instruction (core dumped)

Mergedinto: 616709
Status: Duplicate (was: Available)

Comment 3 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz-filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot