variable->is_this() && variable->mode() == CONST && op == Token::INIT in bytecod

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5961478224216064
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: variable->is_this() && variable->mode() == CONST && op == Token::INIT in bytecod
Regressed: V8: r40478:40479
Minimized Testcase (8.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96fjAvmJoaZorr4YErytgJM363PnXVHXZ6dPnIAtDVkUN_cZ7PvQZcMkVSoRDo3D6-rAjMInNtkzQGlDov5kkHpKJvGBiEUUPcKNH-hByFXFQ3mkWWKtBxMvAnSVlcqyTlM1AWlJpzvigeDpH5eaaIfDVu2gg?testcase_id=5961478224216064

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 24 2016
Looks like this regressed at r40479 "[ignition] Eliminate hole checks where statically possible for loads and stores". Adam, could you take a look please.
Oct 24 2016
Minimized repro:

    eval("var x = 1");
    const x = 2;
Oct 24 2016
FWIW I think this is "just" a wrong assumption; the generated code should still work correctly.
Oct 25 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/56626f302d7d29f05ca19cf6d79666c9aabceca7

commit 56626f302d7d29f05ca19cf6d79666c9aabceca7
Author: adamk <adamk@chromium.org>
Date: Tue Oct 25 11:07:33 2016

[ignition] Use more-targeted check for CONST-this-initialization hole check

This brings the BytecodeGenerator in line with FullCodeGenerator, now that more requests for hole checks are flowing through BuildVariableAssignment.

BUG=chromium:658528
Review-Url: https://codereview.chromium.org/2447783002
Cr-Commit-Position: refs/heads/master@{#40557}

[modify] https://crrev.com/56626f302d7d29f05ca19cf6d79666c9aabceca7/src/interpreter/bytecode-generator.cc
[add] https://crrev.com/56626f302d7d29f05ca19cf6d79666c9aabceca7/test/mjsunit/regress/regress-crbug-658528.js
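For readers unfamiliar with what a "hole check" guards, the following is an added example (not code from this thread, from V8, or from the fix commit) showing the observable language behaviour those checks implement: a lexical binding read before its initializer runs, a store to a CONST binding, and the derived-constructor `this` case named in the commit title, where `this` is CONST and `super()` is its one permitted INIT. The reporter's repro requests a hole check for a top-level `const`; the fixed DCHECK had assumed only the `this` case could reach that path. Each function returns the name of the error class it observes (or "none"); nothing here depends on V8 internals, only on standard ECMAScript semantics.

```javascript
// Added example: language-level effects of V8's "hole" (uninitialized
// binding) checks. Not part of the bug report or the fix.

// Load hole check: reading a lexical binding inside its temporal dead zone.
function loadBeforeInit() {
  let seen;
  try {
    seen = x;              // x is hoisted but still holds the hole here
  } catch (e) {
    seen = e.constructor.name;
  }
  const x = 1;             // initialization ends the dead zone
  return seen;
}

// Store to a CONST binding after initialization is rejected at run time.
function assignToConst() {
  const y = 1;
  try {
    y = 2;                 // not an INIT, so the CONST store throws
  } catch (e) {
    return e.constructor.name;
  }
  return "none";
}

// CONST `this` in a derived constructor: `this` holds the hole until
// super() runs, and a second super() is a second INIT of a CONST binding.
function derivedThisChecks() {
  const result = { beforeSuper: "none", secondSuper: "none" };
  class Base {}
  class Derived extends Base {
    constructor() {
      try {
        void this;         // load of an uninitialized `this`
      } catch (e) {
        result.beforeSuper = e.constructor.name;
      }
      super();             // the one allowed initialization
      try {
        super();           // re-initialization of CONST `this`
      } catch (e) {
        result.secondSuper = e.constructor.name;
      }
    }
  }
  new Derived();
  return result;
}

console.log(loadBeforeInit(), assignToConst(), derivedThisChecks());
```

Run with any modern Node.js; the three cases print `ReferenceError`, `TypeError`, and an object whose two fields are both `ReferenceError`. The first and third are the load-side checks the regressing change tried to elide where statically safe; the second super() is the CONST + INIT store-side check the fix narrows the DCHECK to.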
Oct 26 2016
ClusterFuzz has detected this issue as fixed in range 40556:40557.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5961478224216064
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: variable->is_this() && variable->mode() == CONST && op == Token::INIT in bytecod
Regressed: V8: r40478:40479
Fixed: V8: r40556:40557
Minimized Testcase (8.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96fjAvmJoaZorr4YErytgJM363PnXVHXZ6dPnIAtDVkUN_cZ7PvQZcMkVSoRDo3D6-rAjMInNtkzQGlDov5kkHpKJvGBiEUUPcKNH-hByFXFQ3mkWWKtBxMvAnSVlcqyTlM1AWlJpzvigeDpH5eaaIfDVu2gg?testcase_id=5961478224216064

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Status change recorded in Comment 1 by hablich@chromium.org, Oct 24 2016: Available (was: Untriaged)