length == previously_materialized_objects->length() in deoptimizer.cc |
|||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6169303381704704 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_ignition_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: length == previously_materialized_objects->length() in deoptimizer.cc Regressed: V8: r41257:41258 Minimized Testcase (5.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95wc3IE428nV0fPrQlvi5nCKN6iv_r9rBrZWeGgiUg4D1WzKWC2ItDbqV9AF0gdA9fdW8U9WLglwDz3MRsaJit3dms_PXE7aFDRPuZ-ntIe0YRMG9W-3hn1PSjLYlIOJ4VuDhTEcDTWtQ_NuusWSxjCoLiJYA?testcase_id=6169303381704704 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Nov 28 2016
Crash while {Accessors::FunctionArguments} uses the deoptimizer translation. Might be related to OSR, but could as well be a red herring. I will investigate. Reduces repro ...
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --ignition
function g() {
return g.arguments;
}
function f() {
for (var i = 0; i < 10; ++i) {
if (i == 5) %OptimizeOsr();
g([]);
g();
}
}
f();
,
Nov 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/204babf5a0389da311b573cbc254c5b4918ed668 commit 204babf5a0389da311b573cbc254c5b4918ed668 Author: mstarzinger <mstarzinger@chromium.org> Date: Tue Nov 29 11:34:07 2016 [deoptimizer] Fix deoptimization in {TranslatedState}. This ensures the deoptimization triggered due to materialization of objects by the {TranslatedState} works in conjunction with OSR. The optimized code used for OSR is not installed on the function, hence needs to be specified explicitly when requesting deoptimization for specific stack frames. R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-668795 BUG= chromium:668795 Review-Url: https://codereview.chromium.org/2534143002 Cr-Commit-Position: refs/heads/master@{#41348} [modify] https://crrev.com/204babf5a0389da311b573cbc254c5b4918ed668/src/accessors.cc [modify] https://crrev.com/204babf5a0389da311b573cbc254c5b4918ed668/src/deoptimizer.cc [modify] https://crrev.com/204babf5a0389da311b573cbc254c5b4918ed668/src/deoptimizer.h [modify] https://crrev.com/204babf5a0389da311b573cbc254c5b4918ed668/src/runtime/runtime-scopes.cc [add] https://crrev.com/204babf5a0389da311b573cbc254c5b4918ed668/test/mjsunit/regress/regress-crbug-668795.js
,
Nov 29 2016
,
Nov 30 2016
ClusterFuzz has detected this issue as fixed in range 41347:41348. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6169303381704704 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_ignition_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: length == previously_materialized_objects->length() in deoptimizer.cc Regressed: V8: r41257:41258 Fixed: V8: r41347:41348 Minimized Testcase (5.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95wc3IE428nV0fPrQlvi5nCKN6iv_r9rBrZWeGgiUg4D1WzKWC2ItDbqV9AF0gdA9fdW8U9WLglwDz3MRsaJit3dms_PXE7aFDRPuZ-ntIe0YRMG9W-3hn1PSjLYlIOJ4VuDhTEcDTWtQ_NuusWSxjCoLiJYA?testcase_id=6169303381704704 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. |
|||
►
Sign in to add a comment |
|||
Comment 1 by mstarzinger@chromium.org
, Nov 28 2016Status: Available (was: Untriaged)