map == GetHeap()->fixed_array_map() || map == GetHeap()->fixed_cow_array_map() i
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6357149234233344

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  map == GetHeap()->fixed_array_map() || map == GetHeap()->fixed_cow_array_map() i

Regressed: V8: r38417:38418

Minimized Testcase (0.26 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95mDQe1l4vlG23zoihq193r9sOQ4vAoFD7zcv7QzSuYqdKO7p4YAEf3mGbbISONrUKgxXmBtjCfHiD8sgCZMV4b55SM7mkd0WCoQ0u75RK89t4s8Peuwl6kgoSVUCbXqq3LPjg9YWCpN1rfgiUONNJg_uqBSg?testcase_id=6357149234233344

  // Run with d8 --allow-natives-syntax (needed for %OptimizeFunctionOnNextCall).
  var __v_9 = {};
  function __f_5() { }
  function __f_9(a) {
    a.foo = 0;
    if (a.bar === undefined) {
      // Storing a double past the end of a 5-element array changes the
      // array's elements kind, and therefore its map, between the two
      // a.foo stores.
      a[13] = 2.5;
    }
    a.foo = __v_9;
  }
  __f_9(new Array(5));
  __f_9(new Array(5));
  %OptimizeFunctionOnNextCall(__f_9);
  __f_9(new Array(5));

Issue manually filed by: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 12 2016

Oct 12 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/edfe391ef57ef6d1e4a5ce44e20b8361112196a2

commit edfe391ef57ef6d1e4a5ce44e20b8361112196a2
Author: bmeurer <bmeurer@chromium.org>
Date: Wed Oct 12 08:31:38 2016

[turbofan] Fix effect chain for polymorphic array access.

We accidentally dropped the effect on the floor that we have for the
polymorphic map check in case of array elements access.

BUG= chromium:655004
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2411273002
Cr-Commit-Position: refs/heads/master@{#40201}

[modify] https://crrev.com/edfe391ef57ef6d1e4a5ce44e20b8361112196a2/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/edfe391ef57ef6d1e4a5ce44e20b8361112196a2/test/mjsunit/regress/regress-crbug-655004.js
Oct 12 2016

Oct 13 2016
ClusterFuzz has detected this issue as fixed in range 40200:40201.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6357149234233344

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  map == GetHeap()->fixed_array_map() || map == GetHeap()->fixed_cow_array_map() i

Regressed: V8: r38417:38418
Fixed: V8: r40200:40201

Minimized Testcase (0.26 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95mDQe1l4vlG23zoihq193r9sOQ4vAoFD7zcv7QzSuYqdKO7p4YAEf3mGbbISONrUKgxXmBtjCfHiD8sgCZMV4b55SM7mkd0WCoQ0u75RK89t4s8Peuwl6kgoSVUCbXqq3LPjg9YWCpN1rfgiUONNJg_uqBSg?testcase_id=6357149234233344

  var __v_9 = {};
  function __f_5() { }
  function __f_9(a) {
    a.foo = 0;
    if (a.bar === undefined) {
      a[13] = 2.5;
    }
    a.foo = __v_9;
  }
  __f_9(new Array(5));
  __f_9(new Array(5));
  %OptimizeFunctionOnNextCall(__f_9);
  __f_9(new Array(5));

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 13 2016

Oct 13 2016

Oct 13 2016
[Automated comment] Less than 2 weeks to go before stable on M54, manual review required.
Oct 13 2016
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Oct 13 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/31e02fc4ab7a5a26b11ab9f38824230ddd77f91c

commit 31e02fc4ab7a5a26b11ab9f38824230ddd77f91c
Author: Benedikt Meurer <bmeurer@google.com>
Date: Thu Oct 13 18:56:56 2016

Merged: [turbofan] Fix effect chain for polymorphic array access.

Revision: edfe391ef57ef6d1e4a5ce44e20b8361112196a2

BUG= chromium:655004
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org

Review URL: https://codereview.chromium.org/2415183002 .

Cr-Commit-Position: refs/branch-heads/5.5@{#8}
Cr-Branched-From: 3cbd5838bd8376103daa45d69dade929ee4e0092-refs/heads/5.5.372@{#1}
Cr-Branched-From: b3c8b0ce2c9af0528837d8309625118d4096553b-refs/heads/master@{#40015}

[modify] https://crrev.com/31e02fc4ab7a5a26b11ab9f38824230ddd77f91c/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/31e02fc4ab7a5a26b11ab9f38824230ddd77f91c/test/mjsunit/regress/regress-crbug-655004.js
Oct 13 2016
Per comment #10 and #11, this is already merged to M55. So removing "Merge-Approved-55" label. Thank you.
Oct 18 2016
M54 is already in Stable (deployed to 5% of Win users). We are taking only CRITICAL merges. Could you please confirm the following.

1. Is this change verified in Canary and safe to merge?
2. Any impact on Stability/Performance/enterprise users?
3. How feasible is the revert in case of any breakage?
Oct 18 2016
+1 this is too close to Stable, feel free to push back if this is critical along with the questionnaire above.
Oct 18 2016

Oct 19 2016
Please merge to 5.4. This is potentially breaking websites re #13

1.) yes
2.) good impact, likely breaking websites currently.
3.) Clicking the revert button.

I am not sure what information you would expect ...? Please merge to 5.4
Oct 19 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/9ee144da7edf9e30d4b8885212895a14d6384150

commit 9ee144da7edf9e30d4b8885212895a14d6384150
Author: Michael Hablich <hablich@chromium.org>
Date: Wed Oct 19 19:32:24 2016

Merged: Squashed multiple commits.

Merged: [turbofan] Ensure that all prototypes are stable for push/pop.
Revision: 4ed27fc836acfc3218a5e4ce6d878a513e9df788

Merged: [turbofan] Fix effect chain for polymorphic array access.
Revision: edfe391ef57ef6d1e4a5ce44e20b8361112196a2

BUG= chromium:644689, chromium:655004
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/2434893002 .

Cr-Commit-Position: refs/branch-heads/5.4@{#69}
Cr-Branched-From: 5ce282769772d94937eb2cb88eb419a6890c8b2d-refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}

[modify] https://crrev.com/9ee144da7edf9e30d4b8885212895a14d6384150/src/compiler/js-builtin-reducer.cc
[modify] https://crrev.com/9ee144da7edf9e30d4b8885212895a14d6384150/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/9ee144da7edf9e30d4b8885212895a14d6384150/test/mjsunit/regress/regress-crbug-644689-1.js
[add] https://crrev.com/9ee144da7edf9e30d4b8885212895a14d6384150/test/mjsunit/regress/regress-crbug-644689-2.js
[add] https://crrev.com/9ee144da7edf9e30d4b8885212895a14d6384150/test/mjsunit/regress/regress-crbug-655004.js
Oct 20 2016

Oct 20 2016
Updating label.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 8 2016
Comment 1 by nyerramilli@chromium.org, Oct 12 2016
Components: Tools>Test>FindIt>NoResult
Labels: findit-wrong Te-Logged