Issue 644728

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

context != isolate_->heap()->arguments_marker() in deoptimizer.cc

Project Member Reported by ClusterFuzz, Sep 7 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4955405094748160

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  context != isolate_->heap()->arguments_marker() in deoptimizer.cc
  
Regressed: V8: r38716:38732

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95xVyWudii0rkNJ1z5FJz9aiIwO6gwZmkt39rYpSeMkVJKdllks1194EWCgrr0JgRXRoCN0zMP9Gt6ltizrbf8R2LZyUcoq7T1dD6lS2mj91wfN5SE7GQElqESoflsqoOehpL4O9yuPpr3DZEh_xwA8z57PbQ?testcase_id=4955405094748160
try {
} catch(e) {; }
var __v_6 = 0;
function __f_6() {
  try {
    __f_6();
  } catch(e) {
      __v_6++;
  }
}
__f_6();


Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: jarin@chromium.org rmcilroy@chromium.org
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)
Missing support for dematerialized context in interpreted frames.
Project Member

Comment 2 by bugdroid1@chromium.org, Sep 7 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/279bc5096badf7a9f4134d433d8fd70d6d4a6f9c

commit 279bc5096badf7a9f4134d433d8fd70d6d4a6f9c
Author: mstarzinger <mstarzinger@chromium.org>
Date: Wed Sep 07 16:02:01 2016

[deoptimizer] Support virtual context in interpreted frame.

This adds support for dematerialized context values as part of an
interpreted frame (similar to an FCG frame). Both frame translations
should be kept in sync as much as possible.

R=rmcilroy@chromium.org
BUG=chromium:644728

Review-Url: https://codereview.chromium.org/2313343002
Cr-Commit-Position: refs/heads/master@{#39256}

[modify] https://crrev.com/279bc5096badf7a9f4134d433d8fd70d6d4a6f9c/src/deoptimizer.cc

Project Member

Comment 3 by ClusterFuzz, Sep 8 2016

ClusterFuzz has detected this issue as fixed in range 39231:39256.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4955405094748160

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  context != isolate_->heap()->arguments_marker() in deoptimizer.cc
  
Regressed: V8: r38716:38732
Fixed: V8: r39231:39256

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95xVyWudii0rkNJ1z5FJz9aiIwO6gwZmkt39rYpSeMkVJKdllks1194EWCgrr0JgRXRoCN0zMP9Gt6ltizrbf8R2LZyUcoq7T1dD6lS2mj91wfN5SE7GQElqESoflsqoOehpL4O9yuPpr3DZEh_xwA8z57PbQ?testcase_id=4955405094748160
try {
} catch(e) {; }
var __v_6 = 0;
function __f_6() {
  try {
    __f_6();
  } catch(e) {
      __v_6++;
  }
}
__f_6();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
This is fixed, follow-up work is tracked by issue chromium:644245 separately.
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz-filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot