Crash in v8::internal::Factory::NewTypeError
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6338268952264704

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Factory::NewTypeError
  v8::internal::Runtime_ThrowCalledNonCallable
  v8::internal::Invoke

Regressed: V8: r39289:39298

Minimized Testcase (0.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ZQjJaILZhrJaaBgxJ9x-6ml8YFlTQjkbZ-aQjKxaiiO3HNH8iRnU4HqeDuRxx75jIT3J3pJ9kB8er066qdTlD5tu6veZOZOmDUk_nphxgZHQZvf11PDOR9rdWLqMx7ViBPPC8W06TduE3A22r0efoaGH74w?testcase_id=6338268952264704

Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 21 2016
Triggered by harmony tail calls and TurboFan trying to materialize the context constant from the frame in the gap move after ArchPrepareTailCall has been executed.
Sep 21 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/81f43429943aabcc9c970562c25f2725c6fc778f

commit 81f43429943aabcc9c970562c25f2725c6fc778f
Author: mstarzinger <mstarzinger@chromium.org>
Date: Wed Sep 21 09:30:48 2016

[turbofan] Remove bogus constant materialization from frame.

This removes an optimization from the code generator that tries to materialize certain constants (i.e. context and closure) from the stackframe when possible. This does not work with Harmony tail calls which are split into several instructions. There have already been numerous bugs in this optimization; it is too fragile in its current form.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-648539
BUG=chromium:648539

Review-Url: https://codereview.chromium.org/2357583003
Cr-Commit-Position: refs/heads/master@{#39583}

[modify] https://crrev.com/81f43429943aabcc9c970562c25f2725c6fc778f/src/compiler/arm/code-generator-arm.cc
[modify] https://crrev.com/81f43429943aabcc9c970562c25f2725c6fc778f/src/compiler/arm64/code-generator-arm64.cc
[modify] https://crrev.com/81f43429943aabcc9c970562c25f2725c6fc778f/src/compiler/code-generator.cc
[modify] https://crrev.com/81f43429943aabcc9c970562c25f2725c6fc778f/src/compiler/code-generator.h
[modify] https://crrev.com/81f43429943aabcc9c970562c25f2725c6fc778f/src/compiler/ia32/code-generator-ia32.cc
[modify] https://crrev.com/81f43429943aabcc9c970562c25f2725c6fc778f/src/compiler/mips/code-generator-mips.cc
[modify] https://crrev.com/81f43429943aabcc9c970562c25f2725c6fc778f/src/compiler/mips64/code-generator-mips64.cc
[modify] https://crrev.com/81f43429943aabcc9c970562c25f2725c6fc778f/src/compiler/ppc/code-generator-ppc.cc
[modify] https://crrev.com/81f43429943aabcc9c970562c25f2725c6fc778f/src/compiler/s390/code-generator-s390.cc
[modify] https://crrev.com/81f43429943aabcc9c970562c25f2725c6fc778f/src/compiler/x64/code-generator-x64.cc
[modify] https://crrev.com/81f43429943aabcc9c970562c25f2725c6fc778f/src/compiler/x87/code-generator-x87.cc
[add] https://crrev.com/81f43429943aabcc9c970562c25f2725c6fc778f/test/mjsunit/regress/regress-crbug-648539.js
Sep 22 2016
ClusterFuzz has detected this issue as fixed in range 39580:39599.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6338268952264704

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Factory::NewTypeError
  v8::internal::Runtime_ThrowCalledNonCallable
  v8::internal::Invoke

Regressed: V8: r39289:39298
Fixed: V8: r39580:39599

Minimized Testcase (0.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ZQjJaILZhrJaaBgxJ9x-6ml8YFlTQjkbZ-aQjKxaiiO3HNH8iRnU4HqeDuRxx75jIT3J3pJ9kB8er066qdTlD5tu6veZOZOmDUk_nphxgZHQZvf11PDOR9rdWLqMx7ViBPPC8W06TduE3A22r0efoaGH74w?testcase_id=6338268952264704

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 22 2016
Issue 640241 has been merged into this issue.
Sep 22 2016
Due to issue 640241 we probably want to merge this to M54 after it baked in Canary.
Sep 22 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Sep 22 2016
Please confirm whether this change is baked/verified in Canary and safe to merge? If yes, merge your change to M54 (branch: 2840) ASAP so that we can take this for the next Beta release.
Sep 23 2016
Merge to Beta channel makes sense.
Sep 23 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/ab8f744db4b84cb6da04f942697f01610c728058

commit ab8f744db4b84cb6da04f942697f01610c728058
Author: Michael Starzinger <mstarzinger@google.com>
Date: Fri Sep 23 10:11:48 2016

Merged: [turbofan] Remove bogus constant materialization from frame.

Revision: 81f43429943aabcc9c970562c25f2725c6fc778f

BUG=chromium:648539
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=hablich@chromium.org

Review URL: https://codereview.chromium.org/2369463002 .
Cr-Commit-Position: refs/branch-heads/5.4@{#57}
Cr-Branched-From: 5ce282769772d94937eb2cb88eb419a6890c8b2d-refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}

[modify] https://crrev.com/ab8f744db4b84cb6da04f942697f01610c728058/src/compiler/arm/code-generator-arm.cc
[modify] https://crrev.com/ab8f744db4b84cb6da04f942697f01610c728058/src/compiler/arm64/code-generator-arm64.cc
[modify] https://crrev.com/ab8f744db4b84cb6da04f942697f01610c728058/src/compiler/code-generator.cc
[modify] https://crrev.com/ab8f744db4b84cb6da04f942697f01610c728058/src/compiler/code-generator.h
[modify] https://crrev.com/ab8f744db4b84cb6da04f942697f01610c728058/src/compiler/ia32/code-generator-ia32.cc
[modify] https://crrev.com/ab8f744db4b84cb6da04f942697f01610c728058/src/compiler/mips/code-generator-mips.cc
[modify] https://crrev.com/ab8f744db4b84cb6da04f942697f01610c728058/src/compiler/mips64/code-generator-mips64.cc
[modify] https://crrev.com/ab8f744db4b84cb6da04f942697f01610c728058/src/compiler/ppc/code-generator-ppc.cc
[modify] https://crrev.com/ab8f744db4b84cb6da04f942697f01610c728058/src/compiler/s390/code-generator-s390.cc
[modify] https://crrev.com/ab8f744db4b84cb6da04f942697f01610c728058/src/compiler/x64/code-generator-x64.cc
[modify] https://crrev.com/ab8f744db4b84cb6da04f942697f01610c728058/src/compiler/x87/code-generator-x87.cc
[add] https://crrev.com/ab8f744db4b84cb6da04f942697f01610c728058/test/mjsunit/regress/regress-crbug-648539.js
Sep 25 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time!

To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Sep 26 2016
Issue 649225 has been merged into this issue.
Sep 27 2016
Issue 649301 has been merged into this issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Sep 21 2016
Status: Available (was: Untriaged)

Something is clobbering the context register along the call path. Haven't found the culprit yet. It is going through a whole slew of call builtin tail-calls. This is the current repro I am using:

    function f(fun) {
      "use strict";
      return fun(0, 0);
    }
    var o = {};
    o.__defineGetter__("foo", function() { return f(); });
    o.foo();
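A regression-style check written for this page, not the reporter's repro or V8's own mjsunit test: it generalizes the pattern above (a non-callable callee invoked in tail position from a strict-mode function, directly and through an accessor) to several non-callable values and asserts that every variant ends in a TypeError rather than anything else. It runs under Node or d8 without flags; the original crash additionally needed the Harmony tail-call flag and TurboFan optimization of the call path, which this check does not force.

```javascript
"use strict";

// Constructed set of non-callable callees; each one is called in tail
// position from a strict-mode function, the shape of the original repro.
const NON_CALLABLES = {
  undefinedCallee: undefined,
  nullCallee: null,
  numberCallee: 42,
  objectCallee: {},
  stringCallee: "not a function",
};

// Same shape as the repro's f(): strict function, call in tail position.
function tailCall(fun) {
  return fun(0, 0);
}

// Route the tail call through an accessor property, as the repro does
// with __defineGetter__ (Object.defineProperty is the standard form).
function throughGetter(fun) {
  const o = {};
  Object.defineProperty(o, "foo", { get() { return tailCall(fun); } });
  return o.foo;
}

// True only when the thunk fails with a TypeError, the behaviour a fixed
// engine must show (Runtime_ThrowCalledNonCallable reaching NewTypeError).
// Returning normally or throwing another error type counts as a failure;
// a process crash never reaches this function at all.
function throwsTypeError(thunk) {
  try {
    thunk();
  } catch (e) {
    return e instanceof TypeError;
  }
  return false;
}

// Runs every variant both directly and via the getter. Repeating the call
// gives an optimizing tier the chance to compile the path under test.
function checkNonCallableTailCalls(iterations = 1000) {
  const results = {};
  for (const [name, callee] of Object.entries(NON_CALLABLES)) {
    let direct = true, getter = true;
    for (let i = 0; i < iterations; i++) {
      direct = direct && throwsTypeError(() => tailCall(callee));
      getter = getter && throwsTypeError(() => throughGetter(callee));
    }
    results[name] = { direct, getter };
  }
  return results;
}
```

Every entry in the returned object should read `{ direct: true, getter: true }`; a `false` marks a variant where the engine neither threw nor threw a TypeError.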