Crash in heap
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4517321113862144
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  heap
  GetHeap
  v8::internal::HandleBase::IsDereferenceAllowed
Sanitizer: address (ASAN)
Regressed: V8: r42014:42015
Minimized Testcase (0.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96rMhr5JZ5JkcV0fcArmAJWc_RPjgzolzx0YvYtAaBWrR6h3v2WWNChQinrfoQeXjUvUvtmtQCI7hR-t6UspyHc7fqPlg6qlVw7e2HvB0u0dnacEw8GkJQIps1UBip2k3GvPrO8_jPjeTpf5lpOChNpypod-pSvhoCwpMHwP4AETj8KF0HZawbnPOCC_SG78Agmny7brEOAaX0f1-_gG2bgtg8IxVid5vWr3jZA7-42Sy7x7u0zX8AVD-Ahw_iU-R_YlhD5kZPL3cjhNMmgOWmwYGnymdV_HbObkAWplCuAFUvauJQdbM8TCzhtKDHThkMPdVU09QDJddsRRwyLuxSohLTbPkJz5MyThQ1VB5dnf256wYlXVw_hehv0BH8E4c39hd4pWJ7GNy4nN6VPNIJVDGf7oA?testcase_id=4517321113862144
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 16 2017
Bug in LoadElimination::ReduceLoadField, ignoring the potentially different field_maps. Simplified repro:
==================================
// Flags: --allow-natives-syntax
// Two receivers with a property 'a' whose values have different maps:
// x.a holds an object with a double field 'v', y.a one with a tagged field 'u'.
var x = {};
x.__defineGetter__('0', () => 0);
x.a = {v: 1.51};
var y = {};
y.a = {u: "OK"};
// Warm up foo with y (field 'u' present) and then with x, so the type
// feedback for 'o.a' covers both maps before optimization.
function foo(o) { return o.a.u; }
foo(y);
foo(y);
foo(x);
// TurboFan merges the two PropertyAccessInfos for 'a' although their field
// maps differ (the defect fixed in r42365), so the following load of 'u' is
// compiled as if there were a single field map.
%OptimizeFunctionOnNextCall(foo);
%DebugPrint(foo(x));
==================================
Jan 16 2017
Actually the bug is in PropertyAccessInfo::Merge().
Jan 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/64963e1b146fb457ad2bc331bbba7339e0d67987

commit 64963e1b146fb457ad2bc331bbba7339e0d67987
Author: bmeurer <bmeurer@chromium.org>
Date: Mon Jan 16 11:47:47 2017

[turbofan] Don't merge PropertyAccessInfos with different field maps.

BUG=chromium:679378
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2634953002
Cr-Commit-Position: refs/heads/master@{#42365}

[modify] https://crrev.com/64963e1b146fb457ad2bc331bbba7339e0d67987/src/compiler/access-info.cc
[add] https://crrev.com/64963e1b146fb457ad2bc331bbba7339e0d67987/test/mjsunit/regress/regress-crbug-679378.js
Jan 17 2017
ClusterFuzz has detected this issue as fixed in range 42364:42365.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4517321113862144
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  heap
  GetHeap
  v8::internal::HandleBase::IsDereferenceAllowed
Sanitizer: address (ASAN)
Regressed: V8: r42014:42015
Fixed: V8: r42364:42365
Minimized Testcase (0.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96rMhr5JZ5JkcV0fcArmAJWc_RPjgzolzx0YvYtAaBWrR6h3v2WWNChQinrfoQeXjUvUvtmtQCI7hR-t6UspyHc7fqPlg6qlVw7e2HvB0u0dnacEw8GkJQIps1UBip2k3GvPrO8_jPjeTpf5lpOChNpypod-pSvhoCwpMHwP4AETj8KF0HZawbnPOCC_SG78Agmny7brEOAaX0f1-_gG2bgtg8IxVid5vWr3jZA7-42Sy7x7u0zX8AVD-Ahw_iU-R_YlhD5kZPL3cjhNMmgOWmwYGnymdV_HbObkAWplCuAFUvauJQdbM8TCzhtKDHThkMPdVU09QDJddsRRwyLuxSohLTbPkJz5MyThQ1VB5dnf256wYlXVw_hehv0BH8E4c39hd4pWJ7GNy4nN6VPNIJVDGf7oA?testcase_id=4517321113862144
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 17 2017
Comment 1 by ishell@chromium.org, Jan 9 2017
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)