!var->has_forced_context_allocation() || var->is_used() in scopes.cc |
|||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6528596091076608 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_ignition_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !var->has_forced_context_allocation() || var->is_used() in scopes.cc Regressed: V8: r39833:39834 Minimized Testcase (6.75 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94DQ9cOJ6LIDIJEtCBelU84DsYRMRDLGmrlVIeU8ILZ9caQfD6AQBRdHHG_bFIaHoqScAhhSaw6V5OrGBbxb8MoSALUBOgS2XevVrqI5f1KugiXcB_r21faevDr91vA37Tsi15UXL1XOZv8tTKNUZ93LCrCKg?testcase_id=6528596091076608 Issue manually filed by: mummareddy See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Sep 30 2016
Regression range points to 375079b1678e7d605b34fdabb2c8adec5c2beb26.
,
Oct 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/9feab2d208f0cd16cee4a11e0ba3bebb8cf71179 commit 9feab2d208f0cd16cee4a11e0ba3bebb8cf71179 Author: verwaest <verwaest@chromium.org> Date: Mon Oct 03 17:21:00 2016 Mark param as used when we force context allocation due to implement access through arguments Currently the parameter is first parsed as a reference, and then translated into a parameter. The reference stays around though, and gets resolved to the parameter. That automatically creates a use. Now that I drop all unresolved references when we abort preparsing, that also drops the unresolved reference. Instead, mark the variable as used when its marked as forced context allocation. That's what happens in almost all other cases. This raises the question: does it really make sense to parse parameters this ways? It seems pretty generic, but neither fast nor memory-efficient ... Did I misunderstand something? Just land if you think the CL looks good as is. BUG= chromium:651613 Review-Url: https://codereview.chromium.org/2386623002 Cr-Commit-Position: refs/heads/master@{#39935} [modify] https://crrev.com/9feab2d208f0cd16cee4a11e0ba3bebb8cf71179/src/ast/scopes.cc [add] https://crrev.com/9feab2d208f0cd16cee4a11e0ba3bebb8cf71179/test/mjsunit/regress/regress-abort-context-allocate-params.js
,
Oct 4 2016
ClusterFuzz has detected this issue as fixed in range 39934:39935. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6528596091076608 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_ignition_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !var->has_forced_context_allocation() || var->is_used() in scopes.cc Regressed: V8: r39833:39834 Fixed: V8: r39934:39935 Minimized Testcase (6.75 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94DQ9cOJ6LIDIJEtCBelU84DsYRMRDLGmrlVIeU8ILZ9caQfD6AQBRdHHG_bFIaHoqScAhhSaw6V5OrGBbxb8MoSALUBOgS2XevVrqI5f1KugiXcB_r21faevDr91vA37Tsi15UXL1XOZv8tTKNUZ93LCrCKg?testcase_id=6528596091076608 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 4 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Oct 18 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by mummare...@chromium.org
, Sep 29 2016Labels: Te-Logged
Owner: adamk@chromium.org
Status: Assigned (was: Untriaged)