Issue 642409 link

Issue metadata

Status: Fixed
Closed: Sep 2016
OS: All
Pri: 1
Type: Bug


Instance of ES6 subclass can be constructed with wrong prototype

Project Member Reported by kschaaf@chromium.org, Aug 30 2016

Issue description

Version: 55.0.2844.0 canary (64-bit)
OS: OSX 10.11.6 (15G31

What steps will reproduce the problem?
(1) Create class extending a super class
(2) Call a method of subclass from constructor after calling super()
(3) Loop creating many instances of the subclass

What is the expected output?

No errors.

What do you see instead?

It will eventually throw with "this.<method> is not a function". Inspecting the instance in the constructor will show its `__proto__` is from the super class, not the sub class.

Run the attached file for a reduced repro.

 
class-issue.html
499 bytes View Download
Disabling "Experimental JavaScript Interpreter" in chrome://flags/#enable-ignition seems to fix the problem.
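The three reproduction steps above, written out as a stand-alone regression check (an added example, not the attached class-issue.html and not code from the reporter). The subclass constructor calls one of its own methods after super(), and the loop constructs enough instances for the engine to tier up from the interpreter into the optimizing compiler, which is where the bad prototype was observed. The function returns a summary instead of throwing so the outcome can be asserted on; the iteration count is an arbitrary choice.

```javascript
// Added example: the reporter's three steps as a regression check.
// Not the attached class-issue.html.
"use strict";

class Base {
  constructor() {
    this.tag = "base";
  }
}

class Sub extends Base {
  constructor() {
    super();
    // Step 2: call a subclass method from the constructor, after super().
    // If `this` was allocated with Base.prototype instead of Sub.prototype,
    // this call throws "this.init is not a function", the reported symptom.
    this.init();
  }
  init() {
    this.tag = "sub";
  }
}

// Step 3: construct many instances so the optimizing compiler gets involved.
// Returns counts rather than throwing; on a fixed engine wrongPrototype is 0.
function checkSubclassPrototype(iterations = 200000) {
  const result = { constructed: 0, wrongPrototype: 0, firstError: null };
  for (let i = 0; i < iterations; i++) {
    try {
      const obj = new Sub();
      result.constructed++;
      if (Object.getPrototypeOf(obj) !== Sub.prototype || obj.tag !== "sub") {
        result.wrongPrototype++;
      }
    } catch (e) {
      // The buggy build lands here once the optimized code is used.
      result.firstError = result.firstError || String(e);
      result.wrongPrototype++;
    }
  }
  return result;
}

const report = checkSubclassPrototype();
console.log(report.wrongPrototype === 0 ? "OK: every instance has Sub.prototype" : report);
```

Run it with a plain `node` or in a page; a fixed build prints the OK line, while a build with the bug either throws from the constructor or reports a non-zero wrongPrototype count.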

Comment 2 by adamk@chromium.org, Aug 30 2016

Components: Blink>JavaScript>Compiler
Labels: -Pri-3 OS-All Pri-1
Owner: rmcilroy@chromium.org
Status: Assigned (was: Untriaged)
Assigning to rmcilroy as this appears to be an Ignition-related bug.
Labels: Proj-Ignition
Status: Started (was: Assigned)

Comment 5 by ClusterFuzz, Sep 6 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5712623226322944

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  args[1]->IsJSReceiver() in runtime-object.cc
  
Regressed: V8: r38356:38395

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97YTKhoXYM2D_jbIVHxAhr5b1l65CkZjEjsZ5tAMPra2Cocu7StfSZbUdRrQh6-MgK9i1eqBrfpTlGzt7wNvFEEDY2Bt30rFsjRpg6OiHw__gAoqNCtGToiwWisQUu6Lk9eoL-dmHt7att_ZuKaZM3Y7woa4g?testcase_id=5712623226322944
var __v_21 = {};
try {
( {
})();
} catch(e) {; }
(function __f_9() {
  class Base {
  }
}());
(function __f_16() {
  class Base {
  }
  class Subclass1 extends Base {
    constructor() {
      __v_21 = 0;
      super();
    }
  }
  new Subclass1();
}());
(function __f_8() {
}());


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 6 by bugdroid1@chromium.org, Sep 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c95025601330103a1caa500c83cad956d71e0ca2

commit c95025601330103a1caa500c83cad956d71e0ca2
Author: rmcilroy <rmcilroy@chromium.org>
Date: Tue Sep 06 11:53:05 2016

[Turbofan] Fix CallSuper argument order in BytecodeGraphBuilder.

The constructor and new.target arguments were passed to CallConstruct in
the wrong order by BytecodeGraphBuilder, which caused subclassing to be
incorrect when optimizing from bytecode.

Also clean up some unnecessary functions in interpreter.cc found while
figuring this out.

BUG= chromium:642409 

Review-Url: https://codereview.chromium.org/2312103002
Cr-Commit-Position: refs/heads/master@{#39204}

[modify] https://crrev.com/c95025601330103a1caa500c83cad956d71e0ca2/src/compiler/bytecode-graph-builder.cc
[modify] https://crrev.com/c95025601330103a1caa500c83cad956d71e0ca2/src/interpreter/interpreter.cc
[modify] https://crrev.com/c95025601330103a1caa500c83cad956d71e0ca2/src/interpreter/interpreter.h
[add] https://crrev.com/c95025601330103a1caa500c83cad956d71e0ca2/test/mjsunit/regress/regress-642409.js

Status: Fixed (was: Started)
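What the argument order in the commit message means at the language level, as an added example (not code from the V8 change). `Reflect.construct(target, args, newTarget)` takes the same two values a `super()` call passes down: the constructor whose body runs, and new.target, whose `.prototype` becomes the prototype of the allocated object. Passing them in the right order gives an instance of the subclass; passing them swapped gives an object built on the base class's prototype, which is the shape of the failure described in this issue. Class and function names here are illustrative.

```javascript
// Added example, not part of the V8 commit: the effect of the constructor /
// new.target order, made visible through Reflect.construct.
"use strict";

class Base {
  constructor() {
    // new.target is whichever constructor was named as the target of the
    // construction; its .prototype is what `this` was allocated with.
    this.createdBy = new.target.name;
  }
}

class Sub extends Base {}

// Correct order: run Base's constructor, allocate with Sub.prototype.
// This is what super() inside Sub's constructor does.
function constructWithCorrectOrder() {
  return Reflect.construct(Base, [], Sub);
}

// Swapped order: Sub's (default) constructor runs, but new.target is Base,
// so the object is created with Base.prototype. Reflect.construct lets this
// be observed on purpose; in the bug it happened inside optimized code.
function constructWithSwappedOrder() {
  return Reflect.construct(Sub, [], Base);
}

function prototypeName(obj) {
  const proto = Object.getPrototypeOf(obj);
  if (proto === Sub.prototype) return "Sub";
  if (proto === Base.prototype) return "Base";
  return "other";
}

console.log("correct order:", prototypeName(constructWithCorrectOrder()));
console.log("swapped order:", prototypeName(constructWithSwappedOrder()));
```

The swapped case is exactly the state the reporter saw when inspecting the instance: `__proto__` from the superclass, so any subclass method lookup on `this` fails.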
