JSFunction::kCodeEntryOffset == FieldAccessOf(node->op()).offset in escape-analy
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4659829320974336
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: JSFunction::kCodeEntryOffset == FieldAccessOf(node->op()).offset in escape-analy
Regressed: V8: r39539:39540
Minimized Testcase (0.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96_qJBjhMMH1J9c6FUqiLkVyQASx9oKfVPsdzmgGArzycijYso46bee91uBEENiv79tevc2_VPtzOTsisjoqp98_7tcmyfIN4KTnOCvzYLDxs022w_5JN-Tl3exeZSmT6pr4N8J8hDOjGqYhueLpAgIZwPPXw?testcase_id=4659829320974336
Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Sep 21 2016
Yep, this is mine. Thanks. Related to escape analysis.
Sep 21 2016

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b097c6c4f110f563c464c8ab498035ac19080801

commit b097c6c4f110f563c464c8ab498035ac19080801
Author: mstarzinger <mstarzinger@chromium.org>
Date: Wed Sep 21 12:29:02 2016

[turbofan] Support for ConsString by escape analysis.

This adds support for ConsString objects allocated inline to the escape analysis pass. The raw hash field in such strings needs special handling similar to existing raw fields. This also contains materialization code within the deoptimizer as usual.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-648737
BUG=chromium:648737

Review-Url: https://codereview.chromium.org/2357153002
Cr-Commit-Position: refs/heads/master@{#39594}

[modify] https://crrev.com/b097c6c4f110f563c464c8ab498035ac19080801/src/compiler/escape-analysis.cc
[modify] https://crrev.com/b097c6c4f110f563c464c8ab498035ac19080801/src/deoptimizer.cc
[add] https://crrev.com/b097c6c4f110f563c464c8ab498035ac19080801/test/mjsunit/regress/regress-crbug-648737.js
Sep 21 2016

Sep 22 2016

ClusterFuzz has detected this issue as fixed in range 39593:39594.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4659829320974336
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: JSFunction::kCodeEntryOffset == FieldAccessOf(node->op()).offset in escape-analy
Regressed: V8: r39539:39540
Fixed: V8: r39593:39594
Minimized Testcase (0.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96_qJBjhMMH1J9c6FUqiLkVyQASx9oKfVPsdzmgGArzycijYso46bee91uBEENiv79tevc2_VPtzOTsisjoqp98_7tcmyfIN4KTnOCvzYLDxs022w_5JN-Tl3exeZSmT6pr4N8J8hDOjGqYhueLpAgIZwPPXw?testcase_id=4659829320974336

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016

Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Sep 20 2016
Status: Assigned (was: Untriaged)