Issue 668795

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


length == previously_materialized_objects->length() in deoptimizer.cc

Reported by ClusterFuzz (Project Member), Nov 26 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6169303381704704

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  length == previously_materialized_objects->length() in deoptimizer.cc
  
Regressed: V8: r41257:41258

Minimized Testcase (5.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95wc3IE428nV0fPrQlvi5nCKN6iv_r9rBrZWeGgiUg4D1WzKWC2ItDbqV9AF0gdA9fdW8U9WLglwDz3MRsaJit3dms_PXE7aFDRPuZ-ntIe0YRMG9W-3hn1PSjLYlIOJ4VuDhTEcDTWtQ_NuusWSxjCoLiJYA?testcase_id=6169303381704704

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: bmeu...@chromium.org jarin@chromium.org
Status: Available (was: Untriaged)
Flushed out by shipping escape analysis. Needs investigation.
Cc: rmcilroy@chromium.org
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)
Crash while {Accessors::FunctionArguments} uses the deoptimizer translation. Might be related to OSR, but could as well be a red herring. I will investigate. Reduces repro ...

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --ignition

// Reading g.arguments is serviced by {Accessors::FunctionArguments}, which
// relies on the deoptimizer translation to reconstruct the arguments when
// the frame being inspected is optimized.
function g() {
  return g.arguments;
}

function f() {
  for (var i = 0; i < 10; ++i) {
    // Request on-stack replacement of f part-way through the loop, so the
    // remaining iterations run with an OSR-optimized caller frame.
    if (i == 5) %OptimizeOsr();
    g([]);
    g();
  }
}

f();

Comment 3 by bugdroid1@chromium.org (Project Member), Nov 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/204babf5a0389da311b573cbc254c5b4918ed668

commit 204babf5a0389da311b573cbc254c5b4918ed668
Author: mstarzinger <mstarzinger@chromium.org>
Date: Tue Nov 29 11:34:07 2016

[deoptimizer] Fix deoptimization in {TranslatedState}.

This ensures the deoptimization triggered due to materialization of
objects by the {TranslatedState} works in conjunction with OSR. The
optimized code used for OSR is not installed on the function, hence
needs to be specified explicitly when requesting deoptimization for
specific stack frames.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-668795
BUG= chromium:668795 

Review-Url: https://codereview.chromium.org/2534143002
Cr-Commit-Position: refs/heads/master@{#41348}

[modify] https://crrev.com/204babf5a0389da311b573cbc254c5b4918ed668/src/accessors.cc
[modify] https://crrev.com/204babf5a0389da311b573cbc254c5b4918ed668/src/deoptimizer.cc
[modify] https://crrev.com/204babf5a0389da311b573cbc254c5b4918ed668/src/deoptimizer.h
[modify] https://crrev.com/204babf5a0389da311b573cbc254c5b4918ed668/src/runtime/runtime-scopes.cc
[add] https://crrev.com/204babf5a0389da311b573cbc254c5b4918ed668/test/mjsunit/regress/regress-crbug-668795.js

Status: Fixed (was: Assigned)

Comment 5 by ClusterFuzz (Project Member), Nov 30 2016

ClusterFuzz has detected this issue as fixed in range 41347:41348.

Fixed: V8: r41347:41348


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
