Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6089444768874496

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsSmi()) in objects-inl.h

Sanitizer: address (ASAN)

Regressed: V8: r42333:42334

Minimized Testcase (0.37 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ho14BuISDjoE0lkpV8NxyRtCC3j1MTxia-wUHg-RiQjGfM0w9c8DTuFgRPznxMkX79S8w0OZhMLof957-Pa_adacpFBosPMsQIU7bDWo97uc_PrblONawk0rP6RgRqmWwvlWPiw74n4AGmRiw5MbXM0KcGJmOzkj4VqdyGOfFWzxj73f00whEZU_QFuuzNKSFXHr_4nqYVCSAoiTfLhrrIPTASDEp8mcv-lqgG-PqGBlb7Qoz_hNFEqS75b6UuwP26xNEDHA9jyeM9Htd7WgNjcdVtbJkx61uQWJFpAnrjjQqphgw_6FgPY-MKhhZeek-ssnj7cAy-CIg0Z-qVE3cSqzHjpEslaQArM4wqYZ7mxKgONA?testcase_id=6089444768874496

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Lots of CF errors with that CL. Should we revert?
Will work on a fix now. Please keep if possible.
Issue 681304 has been merged into this issue.
Issue 681315 has been merged into this issue.
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9

commit c5948b9897fd3d2fe2cb670375eda59ff7aff0c9
Author: neis <neis@chromium.org>
Date: Tue Jan 17 13:44:10 2017

[generators] Always call function with closure context when resuming.

The resume trampoline used to call the generator function with the context of the last suspension rather than the closure's context. While that was fine for Ignition, Turbofan got utterly confused.

With this CL, the resume trampoline always passes in the closure's context (like in the very first call of the generator function). The generator function itself then restores its previously current context by reading it from the generator object and doing a PushContext.

BUG= chromium:681171

Review-Url: https://codereview.chromium.org/2639533002
Cr-Commit-Position: refs/heads/master@{#42407}

[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/builtins/arm/builtins-arm.cc
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/builtins/arm64/builtins-arm64.cc
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/builtins/ia32/builtins-ia32.cc
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/builtins/mips/builtins-mips.cc
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/builtins/mips64/builtins-mips64.cc
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/builtins/ppc/builtins-ppc.cc
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/builtins/s390/builtins-s390.cc
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/builtins/x64/builtins-x64.cc
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/builtins/x87/builtins-x87.cc
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/compiler/js-intrinsic-lowering.cc
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/compiler/js-intrinsic-lowering.h
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/interpreter/bytecode-generator.cc
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/runtime/runtime-generator.cc
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/src/runtime/runtime.h
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/test/cctest/interpreter/bytecode_expectations/Generators.golden
[modify] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/test/cctest/interpreter/bytecode_expectations/Modules.golden
[add] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/test/mjsunit/regress/regress-681171-1.js
[add] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/test/mjsunit/regress/regress-681171-2.js
[add] https://crrev.com/c5948b9897fd3d2fe2cb670375eda59ff7aff0c9/test/mjsunit/regress/regress-681171-3.js
ClusterFuzz has detected this issue as fixed in range 42406:42407.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6089444768874496

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsSmi()) in objects-inl.h

Sanitizer: address (ASAN)

Regressed: V8: r42333:42334
Fixed: V8: r42406:42407

Minimized Testcase (0.37 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ho14BuISDjoE0lkpV8NxyRtCC3j1MTxia-wUHg-RiQjGfM0w9c8DTuFgRPznxMkX79S8w0OZhMLof957-Pa_adacpFBosPMsQIU7bDWo97uc_PrblONawk0rP6RgRqmWwvlWPiw74n4AGmRiw5MbXM0KcGJmOzkj4VqdyGOfFWzxj73f00whEZU_QFuuzNKSFXHr_4nqYVCSAoiTfLhrrIPTASDEp8mcv-lqgG-PqGBlb7Qoz_hNFEqS75b6UuwP26xNEDHA9jyeM9Htd7WgNjcdVtbJkx61uQWJFpAnrjjQqphgw_6FgPY-MKhhZeek-ssnj7cAy-CIg0Z-qVE3cSqzHjpEslaQArM4wqYZ7mxKgONA?testcase_id=6089444768874496

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by hablich@chromium.org, Jan 16 2017
Status: Assigned (was: Untriaged)