Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6081148422979584

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Fatal error
Crash Address:
Crash State:
  v8::internal::compiler::EscapeStatusAnalysis::CheckUsesForEscape
  v8::internal::compiler::EscapeStatusAnalysis::Process
  v8::internal::compiler::EscapeStatusAnalysis::RunStatusAnalysis

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=441046:441047

Minimized Testcase (1.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94m__u1TsvBLuGkS7SDKrvxXgAmFCT10E-BJJxLBtMrugI2bvG9WuMjNmkKmqliHGjLjt79PhDlCJbYD0Dul7xBE4ea89DbVMS8w-k2N3tWl-LpJRBCgma0MUxmaggFNuiBbeOVErYfaTFe0ZtA2qIgQw1x6Gr1QBQkj3TlNGVNji21mvuGcGRD6WAo5Nd_BN09gabjNXZKLrrKjtdv8l-5dz470Q0_u8ZcGmzxSv-djb_X6_xn6lSWhHH9UbiJoRlX3HFHKSuG57K-U4yeSOCH6vj40dsB6o-4jGokTTnMSFuLkr10qklX7PyL3sO3ZwFgTG-Rs_B41UoCj_Ma5xHW2eej1QybT_923OeLSxHaJwXEO4dvoljzhAG9EU6EIk9LXN-UaQbGMKi2dPGvNCtMz-waaw?testcase_id=6081148422979584

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Still reproduces on TOT (#42058): out/x64.debug/d8 --turbo ~/Downloads/FUZZ-0-1.JS
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/5662f99b998a786ece73586375776ff15423d230

commit 5662f99b998a786ece73586375776ff15423d230
Author: tebbi <tebbi@chromium.org>
Date: Wed Jan 04 12:01:38 2017

[turbofan] Teach escape analysis about StringCharAt

R=bmeurer@chromium.org

BUG= chromium:677757

Review-Url: https://codereview.chromium.org/2606383005
Cr-Commit-Position: refs/heads/master@{#42066}

[modify] https://crrev.com/5662f99b998a786ece73586375776ff15423d230/src/compiler/escape-analysis.cc
[add] https://crrev.com/5662f99b998a786ece73586375776ff15423d230/test/mjsunit/regress/regress-crbug-677757.js
Comment 1 by msrchandra@chromium.org, Jan 2 2017

Status: Available (was: Untriaged)