Marking::IsBlack(ObjectMarking::MarkBitFrom(object)) in mark-compact.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5773399923359744

Fuzzer: meacer_chromebot_extensions
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: CHECK failure
Crash Address:
Crash State:
  Marking::IsBlack(ObjectMarking::MarkBitFrom(object)) in mark-compact.cc

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=440663:440664

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94LX6__20wmkhwQB9lRCZRns7STjd9rl5tYMFQ5MQOHwSQrRDSELEZe6F2YWjuh5n_y1CTJHlpw_rz9_uhIOZs2ykDVmWawdmOqkFN9HtrYsXlOcW7aU4kuRuEBzAe1duxOil4HTBRCD0gJPw1Dlo-NCXY5BQjp9NRnDsrfgG7oIjgJa3o?testcase_id=5773399923359744

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 28 2016
Find it, CL and Code Search did not provide any possible suspects. Adding related devs in Cc. Could someone please look into the issue and update. Thank you.
Dec 28 2016
Hmm, this should go to our memory triage. https://github.com/v8/v8/wiki/Triaging-issues
Jan 4 2017
Assigning to current Memory Sheriff for triaging.
Jan 4 2017
fyi: This could either be black allocation (likely) or wrapper tracing (more unlikely but still possible). Flags to try on the repro: --disable-blink-features=TraceWrappables, and another run with --js-flags=--no-black-allocation.
Jan 4 2017
fyi: Reproduced on mac with --disable-blink-features=TraceWrappables (checked object groups using --trace-object-groups), which makes it most likely a black allocation issue.
Jan 4 2017
I couldn't reproduce with --js-flags=--no-black-allocation. It's either directly or indirectly (timing) related to black allocation.
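The triage in the comments above (run the repro with wrapper tracing disabled, run it again with black allocation disabled, and see which flag makes the CHECK go away) can be scripted so that each hypothesis gets an identical run and a log to hand over. The script below is an added example and is not from this thread or from the Chromium project. It assumes the mac_asan_chrome build lives at out/asan/Chromium.app/Contents/MacOS/Chromium (override with CHROME), that the unminimized testcase from the ClusterFuzz report was saved as a local HTML file passed as the first argument, and that a V8 CHECK failure can be recognised by the failed expression text (the crash state from the report) appearing in the browser's stderr; the 30-second run limit is also an assumption.

```shell
#!/bin/sh
# Added example, not from the bug thread: run a ClusterFuzz repro under each of
# the two hypotheses discussed in the thread and report which flag suppresses
# the CHECK. Binary path, run limit and crash oracle are assumptions.

CHROME="${CHROME:-out/asan/Chromium.app/Contents/MacOS/Chromium}"  # assumed path to the ASAN build
TIMEOUT="${TIMEOUT:-30}"                                             # assumed seconds per run

# The CHECK expression from the report's crash state. A failing V8 CHECK prints
# the failed expression to stderr, so its presence in the log is the oracle.
CRASH_MARKER='Marking::IsBlack(ObjectMarking::MarkBitFrom(object))'

# classify_log LOGFILE: exit 0 if the log shows the CHECK firing, 1 otherwise.
classify_log() {
  grep -F -q "$CRASH_MARKER" "$1"
}

# run_variant NAME TESTCASE [FLAGS...]: open the testcase in a fresh profile
# with the given extra flags, wait up to $TIMEOUT seconds, print the verdict.
run_variant() {
  name=$1; testcase=$2; shift 2
  log="repro-$name.log"
  profile=$(mktemp -d)
  case $testcase in
    /*) url="file://$testcase" ;;
    *)  url="file://$PWD/$testcase" ;;
  esac
  "$CHROME" --user-data-dir="$profile" "$@" "$url" >"$log" 2>&1 &
  pid=$!
  # Poll rather than sleep for the full limit: an ASAN CHECK aborts the
  # process within seconds, only a non-crashing run reaches the timeout.
  elapsed=0
  while kill -0 "$pid" 2>/dev/null && [ "$elapsed" -lt "$TIMEOUT" ]; do
    sleep 1
    elapsed=$((elapsed + 1))
  done
  kill "$pid" 2>/dev/null
  wait "$pid" 2>/dev/null
  if classify_log "$log"; then
    echo "$name: CHECK fired (see $log)"
  else
    echo "$name: no CHECK within ${TIMEOUT}s (see $log)"
  fi
}

# Only launch the browser when a testcase path is given, so the helpers above
# can be sourced and reused without starting anything.
if [ -n "${1:-}" ]; then
  run_variant baseline         "$1"
  run_variant no-wrapper-trace "$1" --disable-blink-features=TraceWrappables
  run_variant no-black-alloc   "$1" --js-flags=--no-black-allocation
fi
```

Invoke as `sh repro.sh testcase.html`. The outcome that matches the thread's conclusion is the CHECK firing in the baseline and no-wrapper-trace runs but not in the no-black-alloc run. As the comment above notes, a flag that suppresses the crash may do so through timing rather than as the direct cause, so the three logs are evidence for triage, not a root-cause proof.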
Jan 4 2017
thanks! that makes Hannes the proud new owner of a fresh CF issue :)
Jan 13 2017
ClusterFuzz has detected this issue as fixed in range 443393:443475.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5773399923359744

Fuzzer: meacer_chromebot_extensions
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: CHECK failure
Crash Address:
Crash State:
  Marking::IsBlack(ObjectMarking::MarkBitFrom(object)) in mark-compact.cc

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=440663:440664
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=443393:443475

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94LX6__20wmkhwQB9lRCZRns7STjd9rl5tYMFQ5MQOHwSQrRDSELEZe6F2YWjuh5n_y1CTJHlpw_rz9_uhIOZs2ykDVmWawdmOqkFN9HtrYsXlOcW7aU4kuRuEBzAe1duxOil4HTBRCD0gJPw1Dlo-NCXY5BQjp9NRnDsrfgG7oIjgJa3o?testcase_id=5773399923359744

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 13 2017
ClusterFuzz testcase 5773399923359744 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by erikc...@chromium.org, Dec 27 2016