Issue 669451
Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug

Blocking:
issue v8:5267



Fatal error in ../../v8/src/compiler/escape-analysis.cc, line 824

Project Member Reported by ClusterFuzz, Nov 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5991375880585216

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  NULL
Regressed: V8: r40855:40869

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95ES1OsYMhmtsGGfVRi-XH7Uc7_UTRH5Xr3ZAf9FEjRF8vDWoF3X4GXGAhk7qRrF0cDTXzG10uoKQ7hUPXsIMAp6Yj159i7qu6R59Cc8bZl21JoAlioDUbmodqH24DNHx-AaH6cP8YY7Zi_fnCaJF66frXYhw?testcase_id=5991375880585216
var __v_7 = {};
function __f_1() {
}
__v_2 = 23;
__v_1 = new Array(__v_2);
function __f_0() {
  for (var __v_0 = 0; __v_0 < __v_2; __v_0++) {
    __v_1[__v_0] = new __f_1();
    __v_1[__v_0].toString = __f_2;
  }
}
try {
__f_0();
} catch(e) {"Caught: " + e; }
function __f_23(f, expected) {
 f();
}
__f_23(function __f_7() {
    __f_0();
});


Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: bmeu...@chromium.org tebbi@chromium.org mstarzinger@chromium.org
Components: Blink>JavaScript>Compiler
Status: Available (was: Untriaged)
Summary: Fatal error in ../../v8/src/compiler/escape-analysis.cc, line 824 (was: <no crash state available>)
Still reproduces on tip-of-tree. Hits an assertion in escape analysis due to "Encountered unaccounted use by #209 (ConvertTaggedHoleToUndefined)".
Blocking: v8:5267
Cc: -bmeu...@chromium.org
Labels: -OS-Linux OS-All
Owner: bmeu...@chromium.org
Status: Started (was: Available)
Comment 3 by bugdroid1@chromium.org (Project Member), Nov 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d6752d94a8c854accb776f185a5f7d683849355a

commit d6752d94a8c854accb776f185a5f7d683849355a
Author: bmeurer <bmeurer@chromium.org>
Date: Tue Nov 29 13:13:27 2016

[turbofan] Teach escape analysis about ConvertTaggedHoleToUndefined.

The EscapeStatusAnalysis didn't know anything about the simplified
operator ConvertTaggedHoleToUndefined, thus leading to a crash. We
now just handle it by pretending that any allocation that goes into
such a node escapes.

BUG= chromium:669451 
R=tebbi@chromium.org

Review-Url: https://codereview.chromium.org/2533263002
Cr-Commit-Position: refs/heads/master@{#41359}

[modify] https://crrev.com/d6752d94a8c854accb776f185a5f7d683849355a/src/compiler/escape-analysis.cc
[add] https://crrev.com/d6752d94a8c854accb776f185a5f7d683849355a/test/mjsunit/regress/regress-crbug-669451.js

Status: Fixed (was: Started)
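The testcase builds its array with new Array(23), so every element starts out as a hole, and the loop reloads each element right after storing a fresh allocation into it. The following is an added example, not the bug's testcase and not code from the V8 repository: it shows the hole/undefined distinction that makes a hole check necessary on loads from such an array, and a cleaned-up version of the repro's allocate/store/reload pattern with the fuzzer names replaced (Item, fillAndTag, countHoles, run and tag are names chosen here). That the operator named in the assertion, ConvertTaggedHoleToUndefined, is this hole-to-undefined conversion is a reading of its name, and the idea that the optimizer forwards the just-stored allocation into the reload is an assumption; the bug itself states neither.

```javascript
// Added example; not the bug's testcase and not V8 code.
// Runs in any modern JS engine (node or d8).

class Item {}

// `new Array(n)` creates an array of length n with NO elements: every
// index is a hole. Reading a hole yields undefined, but the hole is not
// the value undefined, which is why an optimizing compiler must insert a
// hole check on loads from such an array (assumption: the operator the
// assertion names, ConvertTaggedHoleToUndefined, is that conversion).
function makeHoleyArray(n) {
  return new Array(n);
}

// Same length, but every slot was explicitly written: no holes.
function makePackedArray(n) {
  const a = [];
  for (let i = 0; i < n; i++) a.push(undefined);
  return a;
}

// Count the slots below length that are absent (holes). `i in arr` is
// the observable difference between a hole and a stored undefined.
function countHoles(arr) {
  let holes = 0;
  for (let i = 0; i < arr.length; i++) {
    if (!(i in arr)) holes++;
  }
  return holes;
}

// The repro's core loop with the fuzzer names replaced: allocate inside
// the loop, store into the (initially holey) array, then reload the same
// element and write a property on it. The reload is the load that needs
// the hole check; the allocation is what escape analysis tracks.
function fillAndTag(arr, tagFn) {
  for (let i = 0; i < arr.length; i++) {
    arr[i] = new Item();
    arr[i].toString = tagFn; // reload of arr[i], then a property store
  }
  return arr;
}

function tag() {
  return "tagged";
}

// Run the pattern on a holey array of length n and report what changed.
function run(n) {
  const holey = makeHoleyArray(n);
  const holesBefore = countHoles(holey);
  fillAndTag(holey, tag);
  return {
    holesBefore,
    holesAfter: countHoles(holey),
    sample: String(holey[0]), // uses the toString stored by fillAndTag
  };
}
```

Under plain node this only exercises the semantics. To push the loop through TurboFan on a d8 build from the regressed range you would warm fillAndTag up and force optimization in the usual way (d8 --allow-natives-syntax with a %OptimizeFunctionOnNextCall(fillAndTag) call before the last invocation); whether this trimmed version still hits the assertion is not something the bug establishes, and the committed regress-crbug-669451.js is the authoritative regression test.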
Comment 5 by ClusterFuzz (Project Member), Nov 30 2016

ClusterFuzz has detected this issue as fixed in range 41343:41366.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5991375880585216

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  NULL
Regressed: V8: r40855:40869
Fixed: V8: r41343:41366

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.