InsideSameDominatorChain(block, data->minimum_block_) in scheduler.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4785369121030144

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  InsideSameDominatorChain(block, data->minimum_block_) in scheduler.cc

Regressed: V8: r40853:40854

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95K-kZADYVcVX3a7mI4pAJ9a4e6cK0FomqNfss_w87rgxIqwv-ZNiuD51mEVsQSukVvZTqLxp6gVb577JVY1PnhlmDcEZ_lMiFdLn2Rp7SUeWe3KouXWEA40QjXFZJbnF19KBjogIRVXvUtnqM_RzffwIFmRQ?testcase_id=4785369121030144

    // Run with: d8 --allow-natives-syntax <file>
    // (%OptimizeFunctionOnNextCall is a runtime intrinsic that needs that flag.)
    function __f_3(x) { this.x = x; }
    function __f_4() {
      // Two allocations that never leave the function (candidates for escape analysis).
      var __v_3 = new __f_3(1), __v_5 = new __f_3(2);
      for (var __v_4 = 0; __v_4 < 1; __v_4++) {
        __v_3.x += __v_5.x;
      }
      // Closure capturing the loop variable; the bare expression statement is intentional.
      __v_4, function() { __v_4; };
    }
    __f_4();
    __f_4();
    %OptimizeFunctionOnNextCall(__f_4);
    __f_4();

Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 20 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/abd63018d7db329b3e702c01799d5136d600bcfa

commit abd63018d7db329b3e702c01799d5136d600bcfa
Author: tebbi <tebbi@chromium.org>
Date: Tue Dec 20 10:30:52 2016

[turbofan] fixed escape analysis bug: missing copy of virtual state

R=jarin@chromium.org
BUG=chromium:673243

Review-Url: https://codereview.chromium.org/2578133002
Cr-Commit-Position: refs/heads/master@{#41848}

[modify] https://crrev.com/abd63018d7db329b3e702c01799d5136d600bcfa/src/compiler/escape-analysis.cc
[add] https://crrev.com/abd63018d7db329b3e702c01799d5136d600bcfa/test/mjsunit/compiler/escape-analysis-framestate-use-at-branchpoint.js
Dec 21 2016
ClusterFuzz has detected this issue as fixed in range 41847:41848.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4785369121030144

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  InsideSameDominatorChain(block, data->minimum_block_) in scheduler.cc

Regressed: V8: r40853:40854
Fixed: V8: r41847:41848

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95K-kZADYVcVX3a7mI4pAJ9a4e6cK0FomqNfss_w87rgxIqwv-ZNiuD51mEVsQSukVvZTqLxp6gVb577JVY1PnhlmDcEZ_lMiFdLn2Rp7SUeWe3KouXWEA40QjXFZJbnF19KBjogIRVXvUtnqM_RzffwIFmRQ?testcase_id=4785369121030144

    // Run with: d8 --allow-natives-syntax <file>
    // (%OptimizeFunctionOnNextCall is a runtime intrinsic that needs that flag.)
    function __f_3(x) { this.x = x; }
    function __f_4() {
      // Two allocations that never leave the function (candidates for escape analysis).
      var __v_3 = new __f_3(1), __v_5 = new __f_3(2);
      for (var __v_4 = 0; __v_4 < 1; __v_4++) {
        __v_3.x += __v_5.x;
      }
      // Closure capturing the loop variable; the bare expression statement is intentional.
      __v_4, function() { __v_4; };
    }
    __f_4();
    __f_4();
    %OptimizeFunctionOnNextCall(__f_4);
    __f_4();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 21 2016
ClusterFuzz testcase 4785369121030144 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
Comment 1 by ishell@chromium.org, Dec 12 2016
Owner: tebbi@chromium.org
Status: Assigned (was: Untriaged)