variable->IsContextSlot() || variable->IsStackAllocated() in bytecode-generator.

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4530365408739328
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  variable->IsContextSlot() || variable->IsStackAllocated() in bytecode-generator.
Regressed: V8: r39580:39581
Minimized Testcase (8.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94H-f8WcRx1KwiCRfIny7LmAanUIRXSU6mQBVyWZAUSCpv4E1TvbqsCYCucplnY3qNONwPW7HczI_jvg0J4VTX91t-45LZIM1AA2rPGe5jE46mLhM0_JRhofFlQqwXo6G9mB2pqSBQizzyn2GRyjkWZ1Rqs_A?testcase_id=4530365408739328
Issue manually filed by: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 21 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4823532091736064
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  var->IsContextSlot() || var->IsStackAllocated() in full-codegen-arm.cc
Regressed: V8: r39580:39581
Minimized Testcase (13.95 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96zK6moV87_NKgxh1VsUhZd6hiyRcdp-sfGO9xQ69wt7wAQoOgV5ttDheVCXTtouY3wTixc6TzlwG0nFwOSlGCs3cb1BI3RMNIrvwUOZlte9i3xzsvbjUnSuuHDQtIH-oNIY2e-WfYgzbymdg0yi88gmWNDEg?testcase_id=4823532091736064
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 21 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5166099287244800
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  var->IsContextSlot() || var->IsStackAllocated() in full-codegen-mips.cc
Regressed: V8: r39580:39581
Minimized Testcase (7.47 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ig3MGgaSQnDgdPGS9TXQOy8uosCpGaRRwaD3lNY33Pg3ca7el6EVcshcxhyP98kabPR_drtbhFKlk7aFpC6WyiKgsom7HJR3TpktyHH7ttLo8M-IvoeBqZQiTrfjMx3jyc3SMsVePT1iXBvkI_PlXw9Zs4Q?testcase_id=5166099287244800
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 21 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5251885890273280
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  var->IsContextSlot() || var->IsStackAllocated() in full-codegen-arm64.cc
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95uZB64J0wEkSZQIwkwtkYDi2AhBYiJPkwD0HtndeQMvoPusdgLxmgyt6NGCxLvkxJhc4z6FNAj88k9dQHGzoAgZeoBRHUYBOjQJMC5BYok02ciHjV1J-T_UfACpHDIbX2lfFa9LWpAvPVeIR3yGgDFzZxsFQ?testcase_id=5251885890273280
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 22 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4697349240913920
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  var->IsContextSlot() || var->IsStackAllocated() in full-codegen-x64.cc
Regressed: V8: r39580:39581
Minimized Testcase (8.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ynuIwooIO7_IQ5hD9Ddnjv9tMgIA5pQSXcwOP2p_H0p4QywCmU7Otx7utwolQPJIj5fv39dT5z_AeR3_cEMx0EF6DGpEvqUTNnHLUVTo7UIG6f-1drCYm8xlJILIGITpmSArGMjrf38y0Qsl_0po_jHDOjQ?testcase_id=4697349240913920
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 22 2016
Smaller repro:
out/x64.debug/d8 --predictable test.js
===== test.js =====
(function arguments() { return eval("42"); })();
Sep 22 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4633578640244736
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  args[3]->IsJSFunction() in runtime-scopes.cc
Regressed: V8: r39580:39581
Minimized Testcase (6.88 Kb): https://cluster-fuzz.appspot.com/download/AMIfv970t1zT4pg-AEyY9hn5cMV377mVVVgTeNTA9C_lBZgT_alrDg992CTNeVtaT8e1DQFtzJ_dsI4bEhq6dEbsrLYK8Y1FKxMAgb9cC1O6Sg1YbVy2LOGA3jsHvvQZYKhpL-vr3hfIFMNy6J_qVmB1kx0SF_stfA?testcase_id=4633578640244736
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 22 2016

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/df7ecd1c1a8acb6a8230b7a3524aef2d60803f14

commit df7ecd1c1a8acb6a8230b7a3524aef2d60803f14
Author: verwaest <verwaest@chromium.org>
Date: Thu Sep 22 19:16:23 2016

Declare the arguments object before creating the function var, to make sure it masks it

BUG= chromium:649067
Review-Url: https://codereview.chromium.org/2362463003
Cr-Commit-Position: refs/heads/master@{#39642}

[modify] https://crrev.com/df7ecd1c1a8acb6a8230b7a3524aef2d60803f14/src/ast/scopes.cc
[modify] https://crrev.com/df7ecd1c1a8acb6a8230b7a3524aef2d60803f14/src/parsing/parser.cc
[add] https://crrev.com/df7ecd1c1a8acb6a8230b7a3524aef2d60803f14/test/mjsunit/regress/regress-649067.js
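The smaller repro and the commit message above both turn on one scoping rule: when a function expression is itself named `arguments`, the implicit arguments object must mask the function's own name binding. The check below is an added example, not part of the bug report or of V8's regression test; it compiles such a function with the Function constructor so it is parsed in sloppy mode (a function named `arguments` is a SyntaxError in strict code) and reports what `arguments` resolves to, both directly and through a direct eval.

```javascript
// Added example, not from the bug page or from V8. It exercises the scoping
// rule behind the fix: inside a function expression named `arguments`, the
// implicit arguments object masks the function's own name binding.
// The source is compiled via the Function constructor so it is always parsed
// as sloppy code, whatever mode this file itself is loaded in.
const SLOPPY_SRC = `
  return (function arguments() {
    var direct  = arguments;          // plain identifier reference
    var viaEval = eval("arguments");  // direct eval shares the scope chain
    return {
      directIsArgs: Object.prototype.toString.call(direct)  === "[object Arguments]",
      evalIsArgs:   Object.prototype.toString.call(viaEval) === "[object Arguments]",
      sameBinding:  direct === viaEval,
      argCount:     direct.length,
      // true here would mean the name binding (the closure) won instead
      isFunction:   typeof direct === "function"
    };
  })(10, 20, 30);
`;

// Returns the observations for a three-argument call.
function checkArgumentsMasking() {
  const run = new Function(SLOPPY_SRC);
  return run();
}
```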
Sep 22 2016

Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 39641:39642.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4530365408739328
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  variable->IsContextSlot() || variable->IsStackAllocated() in bytecode-generator.
Regressed: V8: r39580:39581
Fixed: V8: r39641:39642
Minimized Testcase (8.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94H-f8WcRx1KwiCRfIny7LmAanUIRXSU6mQBVyWZAUSCpv4E1TvbqsCYCucplnY3qNONwPW7HczI_jvg0J4VTX91t-45LZIM1AA2rPGe5jE46mLhM0_JRhofFlQqwXo6G9mB2pqSBQizzyn2GRyjkWZ1Rqs_A?testcase_id=4530365408739328
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 39641:39642.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4823532091736064
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  var->IsContextSlot() || var->IsStackAllocated() in full-codegen-arm.cc
Regressed: V8: r39580:39581
Fixed: V8: r39641:39642
Minimized Testcase (13.95 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96zK6moV87_NKgxh1VsUhZd6hiyRcdp-sfGO9xQ69wt7wAQoOgV5ttDheVCXTtouY3wTixc6TzlwG0nFwOSlGCs3cb1BI3RMNIrvwUOZlte9i3xzsvbjUnSuuHDQtIH-oNIY2e-WfYgzbymdg0yi88gmWNDEg?testcase_id=4823532091736064
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 39641:39642.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5166099287244800
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  var->IsContextSlot() || var->IsStackAllocated() in full-codegen-mips.cc
Regressed: V8: r39580:39581
Fixed: V8: r39641:39642
Minimized Testcase (7.47 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ig3MGgaSQnDgdPGS9TXQOy8uosCpGaRRwaD3lNY33Pg3ca7el6EVcshcxhyP98kabPR_drtbhFKlk7aFpC6WyiKgsom7HJR3TpktyHH7ttLo8M-IvoeBqZQiTrfjMx3jyc3SMsVePT1iXBvkI_PlXw9Zs4Q?testcase_id=5166099287244800
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 39641:39642.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5251885890273280
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  var->IsContextSlot() || var->IsStackAllocated() in full-codegen-arm64.cc
Regressed: V8: r39580:39581
Fixed: V8: r39641:39642
Minimized Testcase (6.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9468mX9vo3keiIHNMvDWzHmbTWu02EnHWKAGUCJ4dCimBYYGRS1W5KCdXWDyCZGc_GXdOEPwj1RkD1qIjrFBTH91Vs-gxb0HwsEqk03Lwm77M8LdB4oTS-jFlI4v1B9b0utwFD54c6_d6AMTL-j166CT-zQkg?testcase_id=5251885890273280
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 39641:39642.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4633578640244736
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  args[3]->IsJSFunction() in runtime-scopes.cc
Regressed: V8: r39580:39581
Fixed: V8: r39641:39642
Minimized Testcase (6.88 Kb): https://cluster-fuzz.appspot.com/download/AMIfv970t1zT4pg-AEyY9hn5cMV377mVVVgTeNTA9C_lBZgT_alrDg992CTNeVtaT8e1DQFtzJ_dsI4bEhq6dEbsrLYK8Y1FKxMAgb9cC1O6Sg1YbVy2LOGA3jsHvvQZYKhpL-vr3hfIFMNy6J_qVmB1kx0SF_stfA?testcase_id=4633578640244736
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 39641:39642.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4697349240913920
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  var->IsContextSlot() || var->IsStackAllocated() in full-codegen-x64.cc
Regressed: V8: r39580:39581
Fixed: V8: r39641:39642
Minimized Testcase (8.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ynuIwooIO7_IQ5hD9Ddnjv9tMgIA5pQSXcwOP2p_H0p4QywCmU7Otx7utwolQPJIj5fv39dT5z_AeR3_cEMx0EF6DGpEvqUTNnHLUVTo7UIG6f-1drCYm8xlJILIGITpmSArGMjrf38y0Qsl_0po_jHDOjQ?testcase_id=4697349240913920
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016

Issue 649669 has been merged into this issue.
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Sep 21 2016
Owner: verwa...@chromium.org
Status: Assigned (was: Untriaged)