New issue
Advanced search Search tips

Issue 651613 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

!var->has_forced_context_allocation() || var->is_used() in scopes.cc

Project Member Reported by ClusterFuzz, Sep 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6528596091076608

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !var->has_forced_context_allocation() || var->is_used() in scopes.cc
  
Regressed: V8: r39833:39834

Minimized Testcase (6.75 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94DQ9cOJ6LIDIJEtCBelU84DsYRMRDLGmrlVIeU8ILZ9caQfD6AQBRdHHG_bFIaHoqScAhhSaw6V5OrGBbxb8MoSALUBOgS2XevVrqI5f1KugiXcB_r21faevDr91vA37Tsi15UXL1XOZv8tTKNUZ93LCrCKg?testcase_id=6528596091076608

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>WrongResult
Labels: Te-Logged
Owner: adamk@chromium.org
Status: Assigned (was: Untriaged)
Suspected CL:
https://chromium.googlesource.com/v8/v8/+/2028c0931ecb49ff2625710cade681681dd7ec1c%5E%21/src/ast/scopes.cc

adamk@, you introduced this check 
DCHECK(!var->has_forced_context_allocation() || var->is_used());
could you please take a look and help us to find correct owner if it is not related your changes.
Thanks in advance

Cc: adamk@chromium.org marja@chromium.org
Owner: verwa...@chromium.org
Regression range points to 375079b1678e7d605b34fdabb2c8adec5c2beb26.
Project Member

Comment 3 by bugdroid1@chromium.org, Oct 3 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9feab2d208f0cd16cee4a11e0ba3bebb8cf71179

commit 9feab2d208f0cd16cee4a11e0ba3bebb8cf71179
Author: verwaest <verwaest@chromium.org>
Date: Mon Oct 03 17:21:00 2016

Mark param as used when we force context allocation due to implement access through arguments

Currently the parameter is first parsed as a reference, and then translated into a parameter. The reference stays around though, and gets resolved to the parameter. That automatically creates a use. Now that I drop all unresolved references when we abort preparsing, that also drops the unresolved reference.

Instead, mark the variable as used when its marked as forced context allocation. That's what happens in almost all other cases.

This raises the question: does it really make sense to parse parameters this ways? It seems pretty generic, but neither fast nor memory-efficient ... Did I misunderstand something?

Just land if you think the CL looks good as is.

BUG= chromium:651613 

Review-Url: https://codereview.chromium.org/2386623002
Cr-Commit-Position: refs/heads/master@{#39935}

[modify] https://crrev.com/9feab2d208f0cd16cee4a11e0ba3bebb8cf71179/src/ast/scopes.cc
[add] https://crrev.com/9feab2d208f0cd16cee4a11e0ba3bebb8cf71179/test/mjsunit/regress/regress-abort-context-allocate-params.js

Project Member

Comment 4 by ClusterFuzz, Oct 4 2016

ClusterFuzz has detected this issue as fixed in range 39934:39935.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6528596091076608

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !var->has_forced_context_allocation() || var->is_used() in scopes.cc
  
Regressed: V8: r39833:39834
Fixed: V8: r39934:39935

Minimized Testcase (6.75 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94DQ9cOJ6LIDIJEtCBelU84DsYRMRDLGmrlVIeU8ILZ9caQfD6AQBRdHHG_bFIaHoqScAhhSaw6V5OrGBbxb8MoSALUBOgS2XevVrqI5f1KugiXcB_r21faevDr91vA37Tsi15UXL1XOZv8tTKNUZ93LCrCKg?testcase_id=6528596091076608

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Oct 4 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment