Cyclic object state detected by escape analysis in escape-analysis-reducer.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5846028312117248
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Cyclic object state detected by escape analysis in escape-analysis-reducer.cc
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96R6kknQYlYTH1l9u88xBlUEWBSfBdmIAGHz5c2b-AMWfvwYZg8ca3JNwDmQbeOmUYmBOhp81nitjVjr_m6ThwbKYJf7xdyaNGpO3D8eYkTufjJ5CzpwCwH7LrrFfVcJb3GBNCSOmQoo3pEXWRnF1vsDFkReQ?testcase_id=5846028312117248
Issue manually filed by: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 27 2016
Copying simplified repro from another issue ...

  // Run with d8 --allow-natives-syntax; the % intrinsics are V8 runtime calls, not plain JavaScript.
  function f() {
    var o1 = { a:99, val:23 };
    var o2 = { b:o1, val:42 };
    o1.a = o2;                  // o1 -> o2 -> o1: the cyclic object state the CHECK trips on
    %DeoptimizeNow();           // force a deopt while both objects are still tracked by escape analysis
    return o1.a.val + o2.b.val;
  }
  f();
  f();
  %OptimizeFunctionOnNextCall(f);
  f();
Sep 27 2016
Issue 613923 has been merged into this issue.
Sep 27 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 27 2016
Oct 5 2016
ClusterFuzz has detected this issue as fixed in range 39970:39971.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5846028312117248
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Cyclic object state detected by escape analysis in escape-analysis-reducer.cc
Regressed: V8: r39613:39614
Fixed: V8: r39970:39971
Minimized Testcase (0.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95JT-SjJ05AbgnGsjyYgpid6H_MHoqouAgUR6hMDm60x-P26FoaTzGWNyxRGW-ScrDRi_Zo8lm-cN1xVd22gZyJPmoOrwDaCA8PlNUgUQPObdKZE2wMhxvQLd0BqRUE8NL0TrQviQ1uPIyGdrSb6xEylFRndQ?testcase_id=5846028312117248
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 5 2016
Issue 645741 has been merged into this issue.
Nov 15 2016
Nov 16 2016
Has been converted into a silent (non-crashing) bailout as of f71260b298654942f72f769d7fe281e341e2d2ef and should no longer happen on ClusterFuzz. Kudos go to Tobias. Follow-up work is tracked separately by issue v8:5634. Marking this one as fixed.
Nov 16 2016
Very nice! Thanks Tobias! Let's turn on escape analysis after the branch cut :-)
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 28 2016
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by mstarzinger@chromium.org, Sep 22 2016
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Labels: -Pri-1 Pri-2
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)