reg >= first_temporary_register() && reg <= last_temporary_register() in bytecod
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5524129617018880

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  reg >= first_temporary_register() && reg <= last_temporary_register() in bytecod

Minimized Testcase (0.07 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94Pwk-BtVYkJABfuT9u1NjOF0zIUsBKtOTWEx9IHilgcfFTXDrc69ZxI0joRF3dOG2CaGP_tDmjGJ5G5q7CHiYAvSgjMJfwp-lNwU1K5hTQEUYpifuaa_K6vqu6fIvyrOhfrMg6Vt3EU2LfLqGFSCGv1cyslQ?testcase_id=5524129617018880

try { (y = 1[ [...[]]]) => 1; } catch(e) {; } for (let _ of f()) { }

Filer: rossberg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by rossberg@chromium.org, Jun 23 2016
Status: Assigned (was: Available)
Minimized version:
out/Debug/d8 --ignition --no-lazy -e "try { (y = [...[]]) => {} } catch(_) {}"
This does not seem to be a regression, it has never worked as far as I can tell. I'm looking at it.
Jun 24 2016
This might be related to issue 622248, the test case looks similar. Both tests seem to require the --no-lazy flag to trigger, so it looks like it might be something related to eager parsing (this also means it shouldn't hit us in production since --no-lazy isn't a shipping configuration).
Jun 24 2016
Jun 24 2016
Not really, Ross, --no-lazy just delays the inevitable:
out/Debug/d8 --ignition -e "try { ((y = [...[]]) => {})(); } catch(_) {}"
This has been fixed, waiting for the CL to be reviewed.
https://codereview.chromium.org/2083083007/
Jun 24 2016
Ahh great, thanks for the quick fix!
Jun 28 2016
Issue 623901 has been merged into this issue.
Jun 28 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/61c137c8116a800d179ada40570d62a0b70f1d2d

commit 61c137c8116a800d179ada40570d62a0b70f1d2d
Author: nikolaos <nikolaos@chromium.org>
Date: Tue Jun 28 15:08:45 2016

Fix bug with re-scoping arrow function parameter initializers

When re-scoping arrow function parameter initializers, temporaries
should be moved from the closure of the old scope to the closure of
the new scope, if necessary.

R=adamk@chromium.org, rossberg@chromium.org
BUG=chromium:622663
LOG=N

Review-Url: https://codereview.chromium.org/2083083007
Cr-Commit-Position: refs/heads/master@{#37335}

[modify] https://crrev.com/61c137c8116a800d179ada40570d62a0b70f1d2d/src/ast/scopes.cc
[modify] https://crrev.com/61c137c8116a800d179ada40570d62a0b70f1d2d/src/ast/scopes.h
[modify] https://crrev.com/61c137c8116a800d179ada40570d62a0b70f1d2d/src/parsing/parameter-initializer-rewriter.cc
[add] https://crrev.com/61c137c8116a800d179ada40570d62a0b70f1d2d/test/mjsunit/regress/regress-622663.js
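A regression-style check for the pattern discussed in this thread, added here as an example; it is not V8's own test/mjsunit/regress/regress-622663.js, and the function names and sample inputs are my own. It runs the declared-only form (comment 1), the immediately-invoked form (comment 4) and the fuzzer's property-key form through a current engine, and checks the observable scoping semantics that the parameter-initializer re-scoping has to preserve:

```javascript
// Added example, not V8 project code. Every repro in this thread is an
// arrow function whose parameter initializer contains a spread, so each
// function below exercises that construct in one of the reported shapes.
// On an engine carrying the fix, all of them evaluate normally.

// Comment 1 shape: the arrow is parsed and compiled but never invoked.
// Before the fix this needed --no-lazy to crash, because only eager
// parsing compiled the arrow at all.
function declaredOnly() {
  try { (y = [...[]]) => {}; } catch (_) {}
  return "parsed";
}

// Comment 4 shape: invoking the arrow forces it to be compiled even in a
// default (lazy) configuration, which is why this form crashed without
// --no-lazy.
function invoked() {
  try {
    return ((y = [...[]]) => y.length)();
  } catch (e) {
    return e.name;
  }
}

// The fuzzer's original shape: the spread sits inside a property key.
function fuzzerShape() {
  try { (y = 1[[...[]]]) => 1; } catch (_) {}
  return "parsed";
}

// The desugared initializer must behave like any other default: it is
// evaluated only when the argument is undefined, and freshly each call.
function spreadDefault() {
  const f = (y = [...[1, 2, 3]]) => y.join(",");
  return [f(), f([9]), f(undefined), f([])];
}

// Parameter initializers run in the arrow's own parameter scope: a later
// default can read an earlier parameter, and a closure created inside a
// default captures that parameter, not something from the enclosing scope.
function initializerScope() {
  const outer = "outer";
  const f = (a = outer, b = [...a], g = () => b.length) => [a, b.join(""), g()];
  return f();
}
```

The first three functions are the crash shapes and only need to return; the last two assert on values so that a refactor of the rewriter which silently mis-scopes a temporary shows up as a wrong result rather than a CHECK failure.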
Jun 28 2016
Jun 28 2016
ClusterFuzz has detected this issue as fixed in range 37334:37335.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5524129617018880

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  reg >= first_temporary_register() && reg <= last_temporary_register() in bytecod

Fixed: V8: r37334:37335

Minimized Testcase (0.07 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94Pwk-BtVYkJABfuT9u1NjOF0zIUsBKtOTWEx9IHilgcfFTXDrc69ZxI0joRF3dOG2CaGP_tDmjGJ5G5q7CHiYAvSgjMJfwp-lNwU1K5hTQEUYpifuaa_K6vqu6fIvyrOhfrMg6Vt3EU2LfLqGFSCGv1cyslQ?testcase_id=5524129617018880

try { (y = 1[ [...[]]]) => 1; } catch(e) {; } for (let _ of f()) { }

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 5 2016
Niko, could you merge this to 5.3 please?
Jul 5 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/bf485d38311e3a4e183723ba7cb5a31035e4847d

commit bf485d38311e3a4e183723ba7cb5a31035e4847d
Author: nikolaos <nikolaos@chromium.org>
Date: Tue Jul 05 14:31:22 2016

Version 5.3.332.7 (cherry-pick)

Merged 61c137c8116a800d179ada40570d62a0b70f1d2d

Fix bug with re-scoping arrow function parameter initializers

BUG=chromium:622663
LOG=N
R=hablich@chromium.org
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2121083003
Cr-Commit-Position: refs/branch-heads/5.3@{#9}
Cr-Branched-From: 820a23aade5e74a92d794e05a0c2b3597f0da4b5-refs/heads/5.3.332@{#2}
Cr-Branched-From: 37538cb2c1b4d75c41af386cb4fedbe5566f5608-refs/heads/master@{#37308}

[modify] https://crrev.com/bf485d38311e3a4e183723ba7cb5a31035e4847d/include/v8-version.h
[modify] https://crrev.com/bf485d38311e3a4e183723ba7cb5a31035e4847d/src/ast/scopes.cc
[modify] https://crrev.com/bf485d38311e3a4e183723ba7cb5a31035e4847d/src/ast/scopes.h
[modify] https://crrev.com/bf485d38311e3a4e183723ba7cb5a31035e4847d/src/parsing/parameter-initializer-rewriter.cc
[add] https://crrev.com/bf485d38311e3a4e183723ba7cb5a31035e4847d/test/mjsunit/regress/regress-622663.js
Jul 9 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 11 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot