!value->IsTheHole(isolate) in runtime-scopes.cc

Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6296549363810304
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !value->IsTheHole(isolate) in runtime-scopes.cc
Regressed: V8: r38260:38261
Minimized Testcase (6.96 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97-TiXNXrRywpNvWQ3kkyYaBs2IZKJnrYK6bR67cb5FiuMfZazjAOsfAapBPN4xNcF-wtBPAWLd__QBlNKnDtp2XwSc-bf9JLR9iCxOps9kkSo51BQZ_-fT1MgximTGJ_Ye40tcXcgNc7dT-yyA0U6LSKEnCQ?testcase_id=6296549363810304
Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 3 2016
Any hints on reproducing langfuzz issues? go/clusterfuzz-repro seems chrome-specific. Running the particular file that is supposed to have crashed under an asan arm dbg build didn't run into the problem.
Aug 3 2016
mstarzinger pointed me to the langfuzz scripts; I can reproduce now...
Aug 3 2016
Minimal repro:
```
// Flags: --ignition
try {
// Leave "blarg" as the hole.
Realm.eval(Realm.current(), "throw Error(); let blarg");
} catch (e) { }
// Access "blarg" via a dynamic lookup.
(function() { eval(); blarg(); })();
```
Don't yet understand why my change tweaked this (it should have been a no-op).
Aug 3 2016
The reason Ignition hits this is that it doesn't have the "DynamicLookupFastCase" which full-codegen does. If I defeat that optimization (by introducing a var with the eval), I get a failure in all cases:
```
try {
// Leave "blarg" as the hole.
Realm.eval(Realm.current(), "throw Error(); let blarg");
} catch (e) { }
try {
// Access "blarg" via a dynamic lookup.
(function() { eval("var x = 5"); blarg(); })();
} catch (e) { }
```
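The invariant the failing CHECK guards, as an added example that is not part of this thread, of the repro above, or of V8's own test suite: a `let` binding is "the hole" until its declaration executes, and any read in that window, whether resolved statically or through the dynamic lookup that `eval()` forces, must reach JavaScript as a ReferenceError rather than as a leaked hole. It runs under plain Node.js or d8 without `Realm.eval`; the function names `staticReadBeforeInit`, `dynamicLookupBeforeInit` and `inner` are made up for the example, and `blarg` is reused from the repro.

```javascript
// Added example, not from the bug thread or V8's own tests. It shows the
// invariant the !value->IsTheHole() CHECK enforces: a `let` binding holds
// "the hole" until its declaration runs, and every read of it in that
// window must surface as a ReferenceError, whether the name is resolved
// statically or through the dynamic lookup path that eval() forces.
// Runs under plain Node.js or d8; no Realm.eval needed.

// Case 1: a static (lexically resolved) read before initialization.
function staticReadBeforeInit() {
  function inner() {
    try {
      return blarg; // `blarg` is still the hole when inner() runs
    } catch (e) {
      return e instanceof ReferenceError ? "ReferenceError" : "other";
    }
  }
  const seen = inner(); // called before the declaration below executes
  let blarg = 1;        // hoisted binding; initialization happens here
  return { beforeInit: seen, afterInit: blarg };
}

// Case 2: the same read through a dynamic lookup, as in the repro above.
// The eval() in inner() extends its scope at runtime, so `blarg` can no
// longer be resolved at compile time and the engine walks the context
// chain (the path that hit the CHECK under Ignition).
function dynamicLookupBeforeInit() {
  function inner() {
    eval("var x = 5"); // defeats the static-resolution fast path
    try {
      blarg();
      return "no error";
    } catch (e) {
      return e instanceof ReferenceError ? "ReferenceError" : "other";
    }
  }
  const seen = inner();
  let blarg = () => "initialized";
  return { beforeInit: seen, afterInit: blarg() };
}

// Usage: both lookups must yield a ReferenceError before initialization
// and the real value afterwards.
console.log(staticReadBeforeInit());    // { beforeInit: 'ReferenceError', afterInit: 1 }
console.log(dynamicLookupBeforeInit()); // { beforeInit: 'ReferenceError', afterInit: 'initialized' }
```

The second case is the one that matters for this bug: once `eval()` is present, the engine cannot prove at compile time where `blarg` lives, so the runtime lookup must itself check for the hole and raise the ReferenceError; a lookup that returns the hole as a value is exactly what the CHECK in runtime-scopes.cc refuses to let through.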
Aug 3 2016
And of course it was a simple thing missing from my refactor: https://codereview.chromium.org/2203213003 but thanks to ClusterFuzz for additional test coverage!
Aug 4 2016
Re #6, I noticed just yesterday that we are missing the DynamicLookupFastCase in Ignition. Filed a bug to add this on issue 5263, but yay for more test coverage :).
Aug 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e6d2c9b58416d87d874cba02bccedb3b3d53ed41

commit e6d2c9b58416d87d874cba02bccedb3b3d53ed41
Author: adamk <adamk@chromium.org>
Date: Thu Aug 04 16:10:48 2016

Properly pass InitializationFlag back from ScriptContextTable lookups

This was dropped accidentally in bb97d27ab.

R=verwaest@chromium.org
BUG=chromium:633884

Review-Url: https://codereview.chromium.org/2203213003
Cr-Commit-Position: refs/heads/master@{#38345}

[modify] https://crrev.com/e6d2c9b58416d87d874cba02bccedb3b3d53ed41/src/contexts.cc
[add] https://crrev.com/e6d2c9b58416d87d874cba02bccedb3b3d53ed41/test/mjsunit/regress/regress-crbug-633884.js
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Aug 3 2016
Owner: adamk@chromium.org
Status: Assigned (was: Untriaged)