
Issue 668133


Issue metadata

Status: Fixed
Closed: Nov 2016
OS: Linux
Pri: 1
Type: Bug


OpParameter<FrameStateInfo>(dummy_state).bailout_id().IsNone() in js-typed-lower

Reported by ClusterFuzz (Project Member), Nov 23 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5594535800602624

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  OpParameter<FrameStateInfo>(dummy_state).bailout_id().IsNone() in js-typed-lower
  
Regressed: V8: r41208:41209

Minimized Testcase (3.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96YnKx2SAvjqLnH2i_8SFA1ehwtKhBBk0fwi9cJJM0A4hcf94ti5Ug4fZgP9jHFKqa3QLBVSzCRf6UCArxVZd_0XryCi_QrjQmFw_r6dA0P9Jf6Lkk6owhiBvXDFOxJfugX5UXk3PsnUL3i-UFQU8OHLIVxMw?testcase_id=5594535800602624

Issue manually filed by: rossberg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: rmcilroy@chromium.org
Status: Assigned (was: Untriaged)
Ross, bisects to your CL.
Comment 2 by ClusterFuzz (Project Member), Nov 23 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6183005912825856

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !shared->HasBytecodeArray() in compiler.cc
  
Regressed: V8: r41208:41209

Minimized Testcase (1.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95imCKeVWrU6Ssn8Gx4q4Fa7Qajq0pdy1d2NDaWyH_2LImQscNdNRIt11ZvV73lUxcAZRAGv6AhJqYn38AFPEPzhwRy98QCBmMx84pK5YXzgpRALSiXaNiGXRqZ_u6RR4DWWgL7NhC5o7YBBZ2bC-zL1kolQQ?testcase_id=6183005912825856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 3 by bugdroid1@chromium.org (Project Member), Nov 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/49ea60ef9d4a0659a3ff3ade356aacc29d65d586

commit 49ea60ef9d4a0659a3ff3ade356aacc29d65d586
Author: rmcilroy <rmcilroy@chromium.org>
Date: Thu Nov 24 17:26:33 2016

[GC] Fix code flushing to use bytecode if it exists.

If code is flushed on a SFI, we can still use the bytecode if it was compiled,
since this never gets flushed.

This fixes a DCHECK where we were trying to compile the bytecode multiple
times after the baseline code was flushed.

BUG= chromium:668133 

Review-Url: https://codereview.chromium.org/2526243002
Cr-Commit-Position: refs/heads/master@{#41274}

[modify] https://crrev.com/49ea60ef9d4a0659a3ff3ade356aacc29d65d586/src/heap/mark-compact.cc
[modify] https://crrev.com/49ea60ef9d4a0659a3ff3ade356aacc29d65d586/src/objects-inl.h
[modify] https://crrev.com/49ea60ef9d4a0659a3ff3ade356aacc29d65d586/test/cctest/heap/test-heap.cc

Comment 4 by ClusterFuzz (Project Member), Nov 25 2016

ClusterFuzz has detected this issue as fixed in range 41273:41274.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6183005912825856

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !shared->HasBytecodeArray() in compiler.cc
  
Regressed: V8: r41208:41209
Fixed: V8: r41273:41274

Minimized Testcase (1.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95imCKeVWrU6Ssn8Gx4q4Fa7Qajq0pdy1d2NDaWyH_2LImQscNdNRIt11ZvV73lUxcAZRAGv6AhJqYn38AFPEPzhwRy98QCBmMx84pK5YXzgpRALSiXaNiGXRqZ_u6RR4DWWgL7NhC5o7YBBZ2bC-zL1kolQQ?testcase_id=6183005912825856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)