Fatal error in ../../v8/src/compiler/escape-analysis.cc, line 824 |
|||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5991375880585216 Fuzzer: mbarbella_js_mutation Job Type: linux_v8_d8_be Platform Id: linux Crash Type: Fatal error Crash Address: Crash State: NULL Regressed: V8: r40855:40869 Minimized Testcase (0.33 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95ES1OsYMhmtsGGfVRi-XH7Uc7_UTRH5Xr3ZAf9FEjRF8vDWoF3X4GXGAhk7qRrF0cDTXzG10uoKQ7hUPXsIMAp6Yj159i7qu6R59Cc8bZl21JoAlioDUbmodqH24DNHx-AaH6cP8YY7Zi_fnCaJF66frXYhw?testcase_id=5991375880585216 var __v_7 = {}; function __f_1() { } __v_2 = 23; __v_1 = new Array(__v_2); function __f_0() { for (var __v_0 = 0; __v_0 < __v_2; __v_0++) { __v_1[__v_0] = new __f_1(); __v_1[__v_0].toString = __f_2; } } try { __f_0(); } catch(e) {"Caught: " + e; } function __f_23(f, expected) { f(); } __f_23(function __f_7() { __f_0(); }); Issue manually filed by: mstarzinger See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Nov 29 2016
,
Nov 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/d6752d94a8c854accb776f185a5f7d683849355a commit d6752d94a8c854accb776f185a5f7d683849355a Author: bmeurer <bmeurer@chromium.org> Date: Tue Nov 29 13:13:27 2016 [turbofan] Teach escape analysis about ConvertTaggedHoleToUndefined. The EscapeStatusAnalysis didn't know anything about the simplified operator ConvertTaggedHoleToUndefined, thus leading to a crash. We now just handled it by pretending that any allocation that goes into such a node escapes. BUG= chromium:669451 R=tebbi@chromium.org Review-Url: https://codereview.chromium.org/2533263002 Cr-Commit-Position: refs/heads/master@{#41359} [modify] https://crrev.com/d6752d94a8c854accb776f185a5f7d683849355a/src/compiler/escape-analysis.cc [add] https://crrev.com/d6752d94a8c854accb776f185a5f7d683849355a/test/mjsunit/regress/regress-crbug-669451.js
,
Nov 29 2016
,
Nov 30 2016
ClusterFuzz has detected this issue as fixed in range 41343:41366. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5991375880585216 Fuzzer: mbarbella_js_mutation Job Type: linux_v8_d8_be Platform Id: linux Crash Type: Fatal error Crash Address: Crash State: NULL Regressed: V8: r40855:40869 Fixed: V8: r41343:41366 Minimized Testcase (0.33 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95ES1OsYMhmtsGGfVRi-XH7Uc7_UTRH5Xr3ZAf9FEjRF8vDWoF3X4GXGAhk7qRrF0cDTXzG10uoKQ7hUPXsIMAp6Yj159i7qu6R59Cc8bZl21JoAlioDUbmodqH24DNHx-AaH6cP8YY7Zi_fnCaJF66frXYhw?testcase_id=5991375880585216 var __v_7 = {}; function __f_1() { } __v_2 = 23; __v_1 = new Array(__v_2); function __f_0() { for (var __v_0 = 0; __v_0 < __v_2; __v_0++) { __v_1[__v_0] = new __f_1(); __v_1[__v_0].toString = __f_2; } } try { __f_0(); } catch(e) {"Caught: " + e; } function __f_23(f, expected) { f(); } __f_23(function __f_7() { __f_0(); }); See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. |
|||
►
Sign in to add a comment |
|||
Comment 1 by mstarzinger@chromium.org
, Nov 29 2016Components: Blink>JavaScript>Compiler
Status: Available (was: Untriaged)
Summary: Fatal error in ../../v8/src/compiler/escape-analysis.cc, line 824 (was: <no crash state available>)