safe_to_deopt_topmost_optimized_code in deoptimizer.cc

Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6600304003121152
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: safe_to_deopt_topmost_optimized_code in deoptimizer.cc

Minimized Testcase (0.20 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv9639hhgDk7cclFOB8sU04qgejpOcy01SuCfMPBxDNNJTCNNGThFs76rtINusWo-2NafqLDWGqtUCgDWVb0vhORR1pnNlDWoo3dSLcncdXLndVVt2opaewR3OqArFCm85PKQKCeTTbHTLhKWLktbwO7IOXXtMw?testcase_id=6600304003121152

var __v_16 = {};
eval()
function __f_7() {
  __v_8 = __v_16;
  __v_8.a = 1;
}
__v_6 = __f_7();
__v_7 = __f_7();
(function __f_13() {
  var __v_10 = { *['a']() { } };
  __v_7 = __f_7();
})();

Filer: machenbach
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 21 2016

Comment 1, Jun 21 2016
TurboFan generates computed property initialization of an object literal in a way that does not expect that Runtime::kDefineDataPropertyInLiteral can lazy deopt.

Smaller repro:

out/x64.debug/d8 --predictable --turbo --always-opt test.js

===== test.js =====
var o = {};
function f() {
  o.a = 1;
}
function g() {
  var o1 = { ['a']: function(){} };
  f();
}
f();
f();
g();
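As an added example, not from the bug report and not V8's own regression test, the script below shows the language semantics behind Runtime::kDefineDataPropertyInLiteral (a computed-key initialiser in an object literal defines an own data property, it does not assign through the prototype chain) and then re-runs the shape of the reduced repro above in a loop, so it can double as a self-checking regression script under node or d8. The function names, the inherited setter and the iteration count are my own choices.

```javascript
// Added example; not part of the bug report or of V8's test suite.
//
// Part 1: a computed-key property in an object literal is DEFINED
// (CreateDataProperty semantics), not ASSIGNED via [[Set]], so an inherited
// setter is never invoked. That is the operation the runtime function
// Runtime::kDefineDataPropertyInLiteral performs for TurboFan.
function defineVersusAssign() {
  const log = [];
  const proto = {
    set a(v) { log.push("setter:" + v); }
  };
  const key = "a";

  // __proto__ in a literal sets [[Prototype]] before later initialisers run,
  // so the computed key is defined on an object that already inherits the setter.
  const viaLiteral = { __proto__: proto, [key]: 1 };

  // Plain assignment goes through [[Set]] and reaches the inherited setter,
  // so no own property is created.
  const viaAssign = { __proto__: proto };
  viaAssign[key] = 1;

  return {
    literalOwn: Object.prototype.hasOwnProperty.call(viaLiteral, "a"), // true
    literalValue: viaLiteral.a,                                        // 1
    assignOwn: Object.prototype.hasOwnProperty.call(viaAssign, "a"),   // false
    log: log,                                                          // ["setter:1"]
  };
}

// Part 2: the shape of the reduced repro, iterated. f writes to a shared
// object; g builds a literal with a computed key and then calls f. Iterating
// gives the optimizing compiler a chance to tier up without --always-opt;
// on a fixed V8 the function simply returns its counts.
function runReproShape(iterations) {
  var o = {};
  function f() { o.a = 1; }
  function g() {
    var o1 = { ['a']: function () {} };
    f();
    return typeof o1.a;
  }
  var literalProps = 0;
  for (var i = 0; i < iterations; i++) {
    f();
    f();
    if (g() === "function") literalProps++;
  }
  return { literalProps: literalProps, oa: o.a };
}

// Usage: node this_file.js   (or: d8 --turbo this_file.js)
console.log(defineVersusAssign(), runReproShape(10000));
```

Part 1 is what makes the runtime call necessary in the first place: the literal must bypass setters and non-writable inherited properties, which a plain store would not do. Part 2 only demonstrates the crash on a V8 build without the fix; on a fixed engine it returns the expected counts.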
Jun 27 2016
I can repro. Thanks for the reduced test case. Working on a fix.
Jun 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/4af80298b66f6dc0abd7fbab93f377755388d065

commit 4af80298b66f6dc0abd7fbab93f377755388d065
Author: mstarzinger <mstarzinger@chromium.org>
Date: Mon Jun 27 13:54:54 2016

[turbofan] Fix missing lazy deopt in object literals.

This adds a missing lazy bailout point when defining data properties with computed property names in object literals. The runtime call to Runtime::kDefineDataPropertyInLiteral can trigger deopts. The necessary bailout ID already exists and is now properly used.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-621816
BUG=chromium:621816

Review-Url: https://codereview.chromium.org/2099133003
Cr-Commit-Position: refs/heads/master@{#37294}

[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/compiler/ast-graph-builder.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/compiler/linkage.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/arm/full-codegen-arm.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/arm64/full-codegen-arm64.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/ia32/full-codegen-ia32.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/mips/full-codegen-mips.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/mips64/full-codegen-mips64.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/ppc/full-codegen-ppc.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/s390/full-codegen-s390.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/x64/full-codegen-x64.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/x87/full-codegen-x87.cc
[add] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/test/mjsunit/regress/regress-crbug-621816.js
Jun 28 2016
ClusterFuzz has detected this issue as fixed in range 37293:37294.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6600304003121152
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: safe_to_deopt_topmost_optimized_code in deoptimizer.cc
Fixed: V8: r37293:37294

Minimized Testcase (0.20 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv9639hhgDk7cclFOB8sU04qgejpOcy01SuCfMPBxDNNJTCNNGThFs76rtINusWo-2NafqLDWGqtUCgDWVb0vhORR1pnNlDWoo3dSLcncdXLndVVt2opaewR3OqArFCm85PKQKCeTTbHTLhKWLktbwO7IOXXtMw?testcase_id=6600304003121152

var __v_16 = {};
eval()
function __f_7() {
  __v_8 = __v_16;
  __v_8.a = 1;
}
__v_6 = __f_7();
__v_7 = __f_7();
(function __f_13() {
  var __v_10 = { *['a']() { } };
  __v_7 = __f_7();
})();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Jun 21 2016