
Issue 654723

Issue metadata

Status: Verified
Closed: Oct 2016
OS: Linux
Pri: 1
Type: Bug

Blocking: issue v8:5267




this->first()->IsSeqString() || this->first()->IsExternalString() in objects-deb

Reported by ClusterFuzz (Project Member), Oct 11 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5836684157779968

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  this->first()->IsSeqString() || this->first()->IsExternalString() in objects-deb
  
Regressed: V8: r39539:39540

Minimized Testcase (5.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96nCwJPM_ZlMBRcGj6T1DPcGEGFzbSrrb9GIpc3ePcOeWc1mdcunV4SDVe00esmLHZKI02T3-DaW-oHt4TNR6DTAb3FuJ9PPz5wRD7JAKAEOeM6SluFoJJ_iQKZ2pJTnBYdfMFOxg3KSFBarmRmoz1KbhMKwQ?testcase_id=5836684157779968

Issue manually filed by: titzer

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by titzer@chromium.org, Oct 11 2016

Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Benedikt, can you take a look?

Bisects to https://chromium.googlesource.com/v8/v8/+log/0e03973047d33a93e8888bd4fe97330dbcf61a18..29dd7fc5ed2490947bd951efa7d49e54c41dfbdc?pretty=fuller
Blocking: v8:5267
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Status: Started (was: Assigned)
Comment 3 by bugdroid1@chromium.org (Project Member), Oct 12 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a4f37da86f428de5ee75a6a093416f35d5561150

commit a4f37da86f428de5ee75a6a093416f35d5561150
Author: bmeurer <bmeurer@chromium.org>
Date: Wed Oct 12 07:00:33 2016

[turbofan] Respect ConsString invariant.

For ConsString, the left hand side must be either sequential or external
if the right hand side is empty.

R=jarin@chromium.org
BUG= chromium:654723 
NOTRY=true

Review-Url: https://codereview.chromium.org/2410893003
Cr-Commit-Position: refs/heads/master@{#40192}

[modify] https://crrev.com/a4f37da86f428de5ee75a6a093416f35d5561150/src/compiler/js-typed-lowering.cc
[add] https://crrev.com/a4f37da86f428de5ee75a6a093416f35d5561150/test/mjsunit/regress/regress-crbug-654723.js

Comment 4 by ClusterFuzz (Project Member), Oct 13 2016

ClusterFuzz has detected this issue as fixed in range 40191:40192.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5836684157779968

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  this->first()->IsSeqString() || this->first()->IsExternalString() in objects-deb
  
Regressed: V8: r39539:39540
Fixed: V8: r40191:40192

Minimized Testcase (5.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96nCwJPM_ZlMBRcGj6T1DPcGEGFzbSrrb9GIpc3ePcOeWc1mdcunV4SDVe00esmLHZKI02T3-DaW-oHt4TNR6DTAb3FuJ9PPz5wRD7JAKAEOeM6SluFoJJ_iQKZ2pJTnBYdfMFOxg3KSFBarmRmoz1KbhMKwQ?testcase_id=5836684157779968

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 5 by ClusterFuzz (Project Member), Oct 13 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Cc: gov...@chromium.org hablich@chromium.org
Labels: Merge-Request-55

Comment 7 by dimu@chromium.org, Oct 14 2016

Labels: -Merge-Request-55 Merge-Approved-55 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Comment 8 by bugdroid1@chromium.org (Project Member), Oct 14 2016

Labels: merge-merged-5.5
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f8abba30232f9968997ea9cfc78d74a50a7abe8b

commit f8abba30232f9968997ea9cfc78d74a50a7abe8b
Author: Benedikt Meurer <bmeurer@google.com>
Date: Fri Oct 14 03:51:16 2016

Merged: [turbofan] Respect ConsString invariant.

Revision: a4f37da86f428de5ee75a6a093416f35d5561150

BUG= chromium:654723 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org

Review URL: https://codereview.chromium.org/2415343002 .

Cr-Commit-Position: refs/branch-heads/5.5@{#12}
Cr-Branched-From: 3cbd5838bd8376103daa45d69dade929ee4e0092-refs/heads/5.5.372@{#1}
Cr-Branched-From: b3c8b0ce2c9af0528837d8309625118d4096553b-refs/heads/master@{#40015}

[modify] https://crrev.com/f8abba30232f9968997ea9cfc78d74a50a7abe8b/src/compiler/js-typed-lowering.cc
[add] https://crrev.com/f8abba30232f9968997ea9cfc78d74a50a7abe8b/test/mjsunit/regress/regress-crbug-654723.js

Comment 9 by gov...@chromium.org, Oct 14 2016

Labels: -Merge-Approved-55
Per comment #8, this is already merged to M55. So removing "Merge-Approved-55" label.

Comment 10 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
