OpParameter<FrameStateInfo>(dummy_state).bailout_id().IsNone() in js-typed-lower
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5594535800602624
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: OpParameter<FrameStateInfo>(dummy_state).bailout_id().IsNone() in js-typed-lower
Regressed: V8: r41208:41209
Minimized Testcase (3.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96YnKx2SAvjqLnH2i_8SFA1ehwtKhBBk0fwi9cJJM0A4hcf94ti5Ug4fZgP9jHFKqa3QLBVSzCRf6UCArxVZd_0XryCi_QrjQmFw_r6dA0P9Jf6Lkk6owhiBvXDFOxJfugX5UXk3PsnUL3i-UFQU8OHLIVxMw?testcase_id=5594535800602624
Issue manually filed by: rossberg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 23 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6183005912825856
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !shared->HasBytecodeArray() in compiler.cc
Regressed: V8: r41208:41209
Minimized Testcase (1.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95imCKeVWrU6Ssn8Gx4q4Fa7Qajq0pdy1d2NDaWyH_2LImQscNdNRIt11ZvV73lUxcAZRAGv6AhJqYn38AFPEPzhwRy98QCBmMx84pK5YXzgpRALSiXaNiGXRqZ_u6RR4DWWgL7NhC5o7YBBZ2bC-zL1kolQQ?testcase_id=6183005912825856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 24 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/49ea60ef9d4a0659a3ff3ade356aacc29d65d586

commit 49ea60ef9d4a0659a3ff3ade356aacc29d65d586
Author: rmcilroy <rmcilroy@chromium.org>
Date: Thu Nov 24 17:26:33 2016

[GC] Fix code flushing to use bytecode if it exists.

If code is flushed on a SFI, we can still use the bytecode if it was compiled, since this never gets flushed. This fixes a DCHECK where we were trying to compile the bytecode multiple times after the baseline code was flushed.

BUG= chromium:668133
Review-Url: https://codereview.chromium.org/2526243002
Cr-Commit-Position: refs/heads/master@{#41274}

[modify] https://crrev.com/49ea60ef9d4a0659a3ff3ade356aacc29d65d586/src/heap/mark-compact.cc
[modify] https://crrev.com/49ea60ef9d4a0659a3ff3ade356aacc29d65d586/src/objects-inl.h
[modify] https://crrev.com/49ea60ef9d4a0659a3ff3ade356aacc29d65d586/test/cctest/heap/test-heap.cc
Nov 25 2016
ClusterFuzz has detected this issue as fixed in range 41273:41274.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6183005912825856
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !shared->HasBytecodeArray() in compiler.cc
Regressed: V8: r41208:41209
Fixed: V8: r41273:41274
Minimized Testcase (1.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95imCKeVWrU6Ssn8Gx4q4Fa7Qajq0pdy1d2NDaWyH_2LImQscNdNRIt11ZvV73lUxcAZRAGv6AhJqYn38AFPEPzhwRy98QCBmMx84pK5YXzgpRALSiXaNiGXRqZ_u6RR4DWWgL7NhC5o7YBBZ2bC-zL1kolQQ?testcase_id=6183005912825856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 25 2016
Comment 1 by rossberg@chromium.org, Nov 23 2016

Status: Assigned (was: Untriaged)