
Issue 676878

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug




Marking::IsBlack(ObjectMarking::MarkBitFrom(object)) in mark-compact.cc

Project Member Reported by ClusterFuzz, Dec 24 2016

Issue description

Components: Blink>JavaScript
Cc: mlippautz@chromium.org machenb...@chromium.org
Labels: Test-Predator-Wrong
Find it, CL and Code Search did not provide any possible suspects.
Adding related Devs in Cc.
Could someone please look into the issue and update.
Thank You.
Cc: -machenb...@chromium.org epertoso@chromium.org hpayer@chromium.org jgruber@chromium.org
Labels: Performance-Memory
Hmm, this should go to our memory triage.

https://github.com/v8/v8/wiki/Triaging-issues
Cc: u...@chromium.org
Owner: jochen@chromium.org
Status: Assigned (was: Untriaged)
Assigning to current Memory Sheriff for triaging.
fyi: This could either be black allocation (likely) or wrapper tracing (more unlikely but still possible).

Flags to try on the repro
--disable-blink-features=TraceWrappables 
and another run with
--js-flags=--no-black-allocation
fyi: Reproduced on mac with --disable-blink-features=TraceWrappables (checked object groups using --trace-object-groups), which makes it most likely a black allocation issue.
I couldn't reproduce with --js-flags=--no-black-allocation. It's either directly or indirectly (timing) related to black allocation.
Owner: hpayer@chromium.org
thanks!

that makes Hannes the proud new owner of a fresh CF issue :)
Status: Started (was: Assigned)
Project Member

Comment 10 by ClusterFuzz, Jan 13 2017

ClusterFuzz has detected this issue as fixed in range 443393:443475.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5773399923359744

Fuzzer: meacer_chromebot_extensions
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Marking::IsBlack(ObjectMarking::MarkBitFrom(object)) in mark-compact.cc
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=440663:440664
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=443393:443475

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94LX6__20wmkhwQB9lRCZRns7STjd9rl5tYMFQ5MQOHwSQrRDSELEZe6F2YWjuh5n_y1CTJHlpw_rz9_uhIOZs2ykDVmWawdmOqkFN9HtrYsXlOcW7aU4kuRuEBzAe1duxOil4HTBRCD0gJPw1Dlo-NCXY5BQjp9NRnDsrfgG7oIjgJa3o?testcase_id=5773399923359744


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 11 by ClusterFuzz, Jan 13 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5773399923359744 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
