VariableLocation::PARAMETER == expr->obj()->AsVariableProxy()->var()->location()
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5438816367411200
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: VariableLocation::PARAMETER == expr->obj()->AsVariableProxy()->var()->location()
Regressed: V8: r41514:41515
Minimized Testcase (7.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95pfI_v5eLMHnbUxuM8rznCG6b9qDz6tAjb-FpVOwNLGlrhrjHCU7TnZlHZeq6XaymcPp9UYTImrgo2W_cT6paiiLbxENVlLcX5i2yihobvJV32uD5NK8FSZnFo659Vv0Rvaqb5_mUa-43M3TR4uB9DhKnDpQ?testcase_id=5438816367411200
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 9 2017
Aseem, can you take a look at this one?
It looks like arguments being special ends up causing env to be from the context. This is probably just a matter of checking the same condition in the typer earlier.
This repros with the following:
function Module(stdlib, env, heap) {
  "use asm";
  var a = new stdlib.Int32Array(heap);
  var b = new stdlib.Float32Array(heap);
  var fround = stdlib.Math.fround;
  var value = env.value|0;
  function foo() {
    var x = fround(0.0);
    x = (a[0]=value|0,fround(b[0]));
    return fround(x);
  }
  return arguments.length;
}
Module();
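The comment above attributes the CHECK failure to the module referencing `arguments`, which makes the engine treat the module parameters (here `env`) as something other than plain parameters before the asm.js typer has ruled the module out. The following is an added example, not V8 code and not part of this issue: a small source-level pre-check that rejects an asm.js-shaped module mentioning `arguments` up front, so the decision is made by a validation step that can fail cleanly rather than by an internal assertion. It assumes the module's first statement is a `"use asm"` directive and that the source has no regex or template literals (asm.js has neither); the helper names and the constructed sample sources are this example's own. The `REPRO` string is the testcase posted above.

```javascript
// Added example (not V8 code). Rejects an asm.js-shaped module that references
// the `arguments` identifier, which is not part of asm.js and, per the comment
// above, changes how the engine allocates the module parameters.

// Matches `function Name(params) { "use asm";` at the start of the source.
const USE_ASM = /^\s*function\b[^{]*\{\s*(["'])use asm\1\s*;/;

// A bare identifier `arguments` (not a property access such as `f.arguments`).
const ARGS_REF = /(^|[^.\w$])arguments(?![\w$])/;

// Remove comments and replace string literals with "" so that the word
// `arguments` inside them is not mistaken for a reference. Does not handle
// regex or template literals (assumption: asm.js input has neither).
function stripCommentsAndStrings(src) {
  let out = '';
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    const n = src[i + 1];
    if (c === '/' && n === '/') {               // line comment
      while (i < src.length && src[i] !== '\n') i++;
    } else if (c === '/' && n === '*') {        // block comment
      i += 2;
      while (i < src.length && !(src[i] === '*' && src[i + 1] === '/')) i++;
      i += 2;
    } else if (c === '"' || c === "'") {        // string literal
      i++;
      while (i < src.length && src[i] !== c) {
        if (src[i] === '\\') i++;               // skip escaped character
        i++;
      }
      i++;
      out += '""';
    } else {
      out += c;
      i++;
    }
  }
  return out;
}

function hasUseAsmDirective(src) {
  return USE_ASM.test(src);
}

function mentionsArguments(src) {
  return ARGS_REF.test(stripCommentsAndStrings(src));
}

// Returns { ok, reason }. Modules without "use asm" are out of scope and pass.
function checkAsmModule(src) {
  if (!hasUseAsmDirective(src)) {
    return { ok: true, reason: 'not an asm.js module; no check applied' };
  }
  if (mentionsArguments(src)) {
    return { ok: false, reason: "asm.js module references 'arguments'" };
  }
  return { ok: true, reason: 'no arguments reference in module' };
}

// The minimized testcase from the comment above (constructed inline here).
const REPRO = `function Module(stdlib, env, heap) {
  "use asm";
  var a = new stdlib.Int32Array(heap);
  var b = new stdlib.Float32Array(heap);
  var fround = stdlib.Math.fround;
  var value = env.value|0;
  function foo() {
    var x = fround(0.0);
    x = (a[0]=value|0,fround(b[0]));
    return fround(x);
  }
  return arguments.length;
}`;

console.log(checkAsmModule(REPRO));  // ok: false for the posted testcase
```

The check runs on source text only; a real validator would make the same decision on the parsed AST, where `arguments` shows up as a special variable rather than as a token.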
Jan 17 2017
May 30 2017
Should no longer happen with the new validator. I triggered a redo on ClusterFuzz.
Jun 8 2017
No longer applies to new validator.
Comment 1 by hablich@chromium.org, Dec 22 2016
Owner: bradnelson@chromium.org
Status: Assigned (was: Untriaged)