!is_optimized_code() in objects.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5606599341375488
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !is_optimized_code() in objects.cc
Regressed: V8: r38285:38286
Minimized Testcase (6.59 Kb): https://cluster-fuzz.appspot.com/download/AMIfv961xxfSg3GfmrvnDn8Cj2JQbDNTAJc1mkTTruH9Zm5H1h_wWmoy5lvAY2A9zjKCtFn-GvTpt2Z7fhrNd4DCAqQ9nzCMvyz5xdOTZ_szdxsThDDUCUmVgpmQjCGICe7koMrqnkj4qsPRFcUpvF0kYpNexkEfPA?testcase_id=5606599341375488
Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 4 2016
Yang, can you look at this? The problem is in your recent CL https://codereview.chromium.org/2197183002. I have a simple test file that reproduces on 1515ddd8f1558d898eae91b43e564cba62ced173:

  out/Debug/d8 --abort-on-uncaught-exception test.js

where test.js contains:

  "use asm";
  (function() {
    for (var i = 0; i < 100000; ++i) {}
    try { throw 666 } finally {}
  })();

Result:

  #
  # Fatal error in ../../src/objects.cc, line 13725
  # Check failed: !is_optimized_code().
  #
Aug 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/771b81f8062cdbfd1ef124909c2d6bb6f8af3084

commit 771b81f8062cdbfd1ef124909c2d6bb6f8af3084
Author: yangguo <yangguo@chromium.org>
Date: Fri Aug 05 07:13:59 2016

    [debug] fix exception prediction for asm frames.

    R=mstarzinger@chromium.org
    BUG= chromium:633999

    Review-Url: https://codereview.chromium.org/2215713002
    Cr-Commit-Position: refs/heads/master@{#38358}

[modify] https://crrev.com/771b81f8062cdbfd1ef124909c2d6bb6f8af3084/src/isolate.cc
[add] https://crrev.com/771b81f8062cdbfd1ef124909c2d6bb6f8af3084/test/mjsunit/regress/regress-crbug-633999.js
Aug 17 2016
Hi Yang, just tried this again and it still crashes, but in a different way:
Program received signal SIGILL, Illegal instruction.
v8::base::OS::Abort () at ../../src/base/platform/platform-posix.cc:230
230 V8_IMMEDIATE_CRASH();
(gdb) bt
#0 v8::base::OS::Abort () at ../../src/base/platform/platform-posix.cc:230
#1 0x00000000009e11f2 in v8::internal::Isolate::Throw (this=0x34b0fe0, exception=0x29a00000000,
location=0x7ffe8276f280) at ../../src/isolate.cc:1158
#2 0x00000000010f2311 in v8::internal::__RT_impl_Runtime_Throw (args=..., isolate=0x34b0fe0)
at ../../src/runtime/runtime-internal.cc:85
#3 0x00000000010f21a3 in v8::internal::Runtime_Throw (args_length=1, args_object=0x7ffe8276f3d8,
isolate=0x34b0fe0) at ../../src/runtime/runtime-internal.cc:82
#4 0x00001d988a5063a7 in ?? ()
...
Aug 17 2016
Nevermind, I guess this is the intended behavior... Closing this issue now. Thanks.
Aug 17 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 17 2016
Comment 1 by mstarzinger@chromium.org, Aug 3 2016
Owner: neis@chromium.org
Status: Assigned (was: Untriaged)