New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 680855 link

Starred by 1 user
Status: Fixed
Owner:
fran...@chromium.org
Last visit > 30 days ago
Closed: Feb 2017
Cc:
msrchandra@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug



Sign in to add a comment

Crash in v8::internal::compiler::AccessInfoFactory::ComputePropertyAccessInfo

Project Member Reported by ClusterFuzz, Jan 13 2017 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5509005440188416

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x0000001c
Crash State:
  v8::internal::compiler::AccessInfoFactory::ComputePropertyAccessInfo
  v8::internal::compiler::JSNativeContextSpecialization::ReduceJSStoreDataProperty
  v8::internal::compiler::JSNativeContextSpecialization::Reduce
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=442831:443258

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv953B1fQIHGoQ7nXeAqSUuf6ukXkDDxDB4OIzUyTvE1zPSRpdkQY04feZzraaBIVyFKDwYwltXL8fOQbuMVAT5VAbtUYh6GR4JOFQKFoTBYd4Co-XoiAOS1yRX_ixIQMpSstYuKODiQtA1Tz4bLbzrR2ThrUW6JxREchF5eKM0G885qkKnf97mYjeUkX8qB6Pkz6g5sHlxiJuAe-_3fIqQDXheZsGYpv2Hu2ldLHWYg2hO-xIz6qKbdhw_d9br7B1KO04RUYMU5M94yFPqkn9VEEkFcRMtda1EsvnL_VfhRhyIc4SnVNelZoYIB5vzwO8C2T-NxXZTK6uERXVAuL2jqTXm0svPEyJbOZJOl-CptoIfSvHCoYubr8aRX0keeMdicVNdo9QJCXeAyy77pH9uGQRfzAEQ?testcase_id=5509005440188416
try {
} catch(e) {"Caught: " + e; }
function __f_7() {
  class __v_5 { static foo() { return one + 6; } }
}
for (var __v_12 = 0; __v_12 < 5; ++__v_12) __f_7();
%OptimizeFunctionOnNextCall(__f_7);
gc();
__f_7();
  try {
  } catch (__v_6) {
  }


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, Jan 13 2017

Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs
Owner: fran...@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Find it results --

The result is a list of CLs that change the crashed files. 

Author: franzih
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/088df4e13805b5a41bca3ed19030ff7c0c6f2df0
Time: Wed Jan 11 09:29:57 2017
Lines 287-288 of file access-info.cc which potentially caused crash are changed in this cl (frame #0, "v8::internal::compiler::AccessInfoFactory::ComputePropertyAccessInfo"). 

Lines 1291-1319 of file js-native-context-specialization.cc which potentially caused crash are changed in this cl (frame #1, "v8::internal::compiler::JSNativeContextSpecialization::ReduceJSStoreDataPropertyInLiteral").
Minimum distance from crash line to modified line: 0. (file: access-info.cc, crashed on: 287, modified: 28

@franzih -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by fran...@chromium.org, Feb 4 2017

Status: Fixed (was: Assigned)
This was fixed in https://chromium.googlesource.com/v8/v8.git/+/dd8881a5c406496427e4ba794b651af8ed3de213

Sign in to add a comment