!info->shared_info()->is_compiled() in compiler.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6184604558163968

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !info->shared_info()->is_compiled() in compiler.cc

Regressed: V8: r38001:38002

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv967F9w0dfRT4sUijGdjKWfy2UTjkheQih4ysDEARGVVRVZRbxjb6_b62iX77Jkl7JxEtMKjGNj42eysyNoiKM7obW9IhuJwfLtaHxcJNYkL2mXPa6CceElD0EypUgc-BqqxQUNE81qUv_inr_grRtjAm8NSEg?testcase_id=6184604558163968

  try { } catch(e) {; }
  (function __f_12() { })();
  (function __f_6() {
    function __f_3() { }
    function __f_4() {
      try { } catch (e) { }
    }
    __f_4();
    %OptimizeFunctionOnNextCall(__f_4);
    __f_4();
  })();
  function __f_14() { }

Additional requirements: Requires Gestures

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 3 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/aacbdacb890500302657950ed8d2af50935e221d

commit aacbdacb890500302657950ed8d2af50935e221d
Author: rmcilroy <rmcilroy@chromium.org>
Date: Wed Aug 03 15:01:13 2016

[Crankshaft] Move don't crankshaft check before EnsureDeoptimizationSupport.

Avoids compiling baseline code when the function isn't able to be
optimized by crankshaft.

BUG= chromium:632289

Review-Url: https://codereview.chromium.org/2194453002
Cr-Commit-Position: refs/heads/master@{#38304}

[modify] https://crrev.com/aacbdacb890500302657950ed8d2af50935e221d/src/crankshaft/hydrogen.cc
[add] https://crrev.com/aacbdacb890500302657950ed8d2af50935e221d/test/mjsunit/regress/regress-632289.js
Aug 3 2016
Aug 4 2016
ClusterFuzz has detected this issue as fixed in range 38303:38304.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6184604558163968

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !info->shared_info()->is_compiled() in compiler.cc

Regressed: V8: r38001:38002
Fixed: V8: r38303:38304

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv967F9w0dfRT4sUijGdjKWfy2UTjkheQih4ysDEARGVVRVZRbxjb6_b62iX77Jkl7JxEtMKjGNj42eysyNoiKM7obW9IhuJwfLtaHxcJNYkL2mXPa6CceElD0EypUgc-BqqxQUNE81qUv_inr_grRtjAm8NSEg?testcase_id=6184604558163968

  try { } catch(e) {; }
  (function __f_12() { })();
  (function __f_6() {
    function __f_3() { }
    function __f_4() {
      try { } catch (e) { }
    }
    __f_4();
    %OptimizeFunctionOnNextCall(__f_4);
    __f_4();
  })();
  function __f_14() { }

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Jul 28 2016
Owner: rmcilroy@chromium.org
Status: Assigned (was: Untriaged)