Issue 627828
Issue metadata

Status: Fixed
Closed: Jul 2016
OS: Linux
Pri: 1
Type: Bug

args[1]->IsName() in runtime-object.cc

Project Member Reported by ClusterFuzz, Jul 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4646057439133696

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  args[1]->IsName() in runtime-object.cc
Regressed: V8: r34400:34401

Minimized Testcase (3.91 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96mZ6rVX9ijX5XJ8Y0pGs64a_J65YuAff34TOhEekFJ8Ldzc66GMnf2jHKd_4vhjoWgh0HBcU2J6cDlz5LNkFJDx_bk3t7GACjLsdAZs95IZYLDLMiAZ_TbuWkmGL46WluvqZTJhEOAymFNxwNz5wFKAVmBTA?testcase_id=4646057439133696

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)
Interesting bug, flushed out by deprecating RUNTIME_ASSERT, I am on it.
Simplified repro ...

// Flags: --allow-natives-syntax

function f() {
  var o = {
    // The computed key [o] goes through [[ToName]], which calls toString.
    // Deoptimizing f from inside it forces a lazy bailout right after the
    // conversion, so the converted result must survive into the new frame.
    toString: function() {
      %DeoptimizeFunction(f);
      return "x";
    }
  };
  // The converted name "x" must become the method's property key.
  return { [o]() { return 23 } };
}

assertEquals(23, f().x());
assertEquals(23, f().x());
%OptimizeFunctionOnNextCall(f);
assertEquals(23, f().x());
Project Member Comment 3 by bugdroid1@chromium.org, Jul 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a2f1519f68f99275505c6891894790263662e3c2

commit a2f1519f68f99275505c6891894790263662e3c2
Author: mstarzinger <mstarzinger@chromium.org>
Date: Wed Jul 13 15:14:54 2016

[turbofan] Fix deopt point for [[ToName]] lazy bailout.

This fixes the deoptimization information for the lazy bailout point
after a [[ToName]] operation inserted for object literals and class
literals. The result value was erroneously ignored.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-627828
BUG=chromium:627828

Review-Url: https://codereview.chromium.org/2149493003
Cr-Commit-Position: refs/heads/master@{#37719}

[modify] https://crrev.com/a2f1519f68f99275505c6891894790263662e3c2/src/compiler/ast-graph-builder.cc
[modify] https://crrev.com/a2f1519f68f99275505c6891894790263662e3c2/src/full-codegen/full-codegen.cc
[add] https://crrev.com/a2f1519f68f99275505c6891894790263662e3c2/test/mjsunit/regress/regress-crbug-627828.js
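
The [[ToName]] step named in the commit message, exercised as an added example (not from the bug report or the V8 fix): a key object with a side-effecting toString records when it is converted, and the returned name must be the key the literal actually ends up with, for object literals and class literals alike. It avoids the d8-only %DeoptimizeFunction native so it runs under any engine; makeKey, objectLiteralKeys, classLiteralKeys and symbolKey are names chosen here.

```javascript
// Builds a key object whose [[ToName]] conversion is observable through `log`.
// Only toString is defined, so ToPropertyKey yields the string `name`.
function makeKey(name, log) {
  return {
    toString() {
      log.push("ToName:" + name);
      return name;
    }
  };
}

// Object literal with two computed keys: the conversions run left to right
// and the converted strings, not the key objects, become the property names.
function objectLiteralKeys(log) {
  const a = makeKey("x", log);
  const b = makeKey("y", log);
  const o = { [a]() { return 23; }, [b]: 42 };
  return { keys: Object.keys(o), x: o.x(), y: o.y };
}

// Class literal: computed method names (instance and static) go through the
// same [[ToName]] step, in element order.
function classLiteralKeys(log) {
  const k = makeKey("m", log);
  class C {
    [k]() { return 23; }
    static [makeKey("s", log)]() { return 7; }
  }
  return {
    hasM: Object.prototype.hasOwnProperty.call(C.prototype, "m"),
    hasS: Object.prototype.hasOwnProperty.call(C, "s"),
    m: new C().m(),
    s: C.s()
  };
}

// Edge case: when the key's primitive value is a Symbol, ToPropertyKey keeps
// the symbol itself rather than stringifying it.
function symbolKey() {
  const sym = Symbol("k");
  const key = { [Symbol.toPrimitive]() { return sym; } };
  const o = { [key]: 1 };
  return Object.getOwnPropertySymbols(o)[0] === sym && o[sym] === 1;
}
```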

Status: Fixed (was: Assigned)
Fixed by above change.
Cc: adamk@chromium.org
Issue 628451 has been merged into this issue.

Project Member Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
