Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4866430597332992

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  pc_->Mask(ExceptionMask) == HLT in simulator-arm64.cc

Regressed: V8: r41184:41185

Minimized Testcase (0.91 Kb): https://cluster-fuzz.appspot.com/download/AMIfv943JtQ6ZhMCvDN6yvJnt6wgzW9FDZFynKWm4vSMWSrISAEt1lpkeUEpK3Et6TKdj9unb2dZr6NBLt9wGOLHwW0sg0ETSjntzp_3E-1HN1XTthO6vUvhGHcSDsqvUoxbhpDE0IVufPVX5kryVnabJxH1rGGo4g?testcase_id=4866430597332992

Issue manually filed by: rossberg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
@jkummerow, bisect points to your CL.
Ah, yes. AccessorInfo != AccessorPair. Thanks, ClusterFuzz! :-) Fix coming up: https://codereview.chromium.org/2525913002
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/2661b3e8a5447773a23a219ba085454c459b654b

commit 2661b3e8a5447773a23a219ba085454c459b654b
Author: jkummerow <jkummerow@chromium.org>
Date: Wed Nov 23 13:27:03 2016

[stubs] Fix AccessorInfo mixup in KeyedStoreGeneric

BUG= chromium:668101

Review-Url: https://codereview.chromium.org/2525913002
Cr-Commit-Position: refs/heads/master@{#41223}

[modify] https://crrev.com/2661b3e8a5447773a23a219ba085454c459b654b/src/code-stub-assembler.h
[modify] https://crrev.com/2661b3e8a5447773a23a219ba085454c459b654b/src/ic/keyed-store-generic.cc
[add] https://crrev.com/2661b3e8a5447773a23a219ba085454c459b654b/test/mjsunit/regress/regress-crbug-668101.js
ClusterFuzz has detected this issue as fixed in range 41206:41207.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4866430597332992

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  pc_->Mask(ExceptionMask) == HLT in simulator-arm64.cc

Regressed: V8: r41184:41185
Fixed: V8: r41206:41207

Minimized Testcase (0.91 Kb): https://cluster-fuzz.appspot.com/download/AMIfv943JtQ6ZhMCvDN6yvJnt6wgzW9FDZFynKWm4vSMWSrISAEt1lpkeUEpK3Et6TKdj9unb2dZr6NBLt9wGOLHwW0sg0ETSjntzp_3E-1HN1XTthO6vUvhGHcSDsqvUoxbhpDE0IVufPVX5kryVnabJxH1rGGo4g?testcase_id=4866430597332992

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/e461facff2a5e349269f33b1619473ab01ae18eb

commit e461facff2a5e349269f33b1619473ab01ae18eb
Author: hablich <hablich@chromium.org>
Date: Thu Nov 24 08:41:14 2016

Revert of [stubs] Fix AccessorInfo mixup in KeyedStoreGeneric (patchset #1 id:1 of https://codereview.chromium.org/2525913002/ )

Reason for revert:
Needed to revert 2661b3e8a5447773a23a219ba085454c459b654b

Original issue's description:
> [stubs] Fix AccessorInfo mixup in KeyedStoreGeneric
>
> BUG= chromium:668101
>
> Committed: https://crrev.com/2661b3e8a5447773a23a219ba085454c459b654b
> Cr-Commit-Position: refs/heads/master@{#41223}

TBR=ishell@chromium.org,jkummerow@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= chromium:668101

Review-Url: https://codereview.chromium.org/2525253002
Cr-Commit-Position: refs/heads/master@{#41250}

[modify] https://crrev.com/e461facff2a5e349269f33b1619473ab01ae18eb/src/code-stub-assembler.h
[modify] https://crrev.com/e461facff2a5e349269f33b1619473ab01ae18eb/src/ic/keyed-store-generic.cc
[delete] https://crrev.com/a87d2529991abade25ed3f1d07d7bb46360a6010/test/mjsunit/regress/regress-crbug-668101.js
Comment 1 by rossberg@chromium.org, Nov 23 2016
Status: Assigned (was: Untriaged)