unreachable in deoptimizer.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4633325429063680

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  unreachable in deoptimizer.cc

Sanitizer: address (ASAN)

Regressed: V8: r41444:41445

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95X6iyjjaHtsAJ_K7L7JTqOng5Mgnz8kXx2lrH7inliENIyOXBZBli1Aw78vJlRX4nyONtlVWLkJIF09LKnI_ihVlpnyx73_whO8SZWK0Obt7NAst-yD82bg2lpVV31oALiPgsOC--ifaYioINIZkmhYB-8tdfYpst345oJ0_RaLPIvoeCpwbKJZCrpRJ2qsFa2JXLd059moilot4RI9TeJyBMoMhH4_trrNPxtil0D2UEs7XrC3Yggvyyv8CXFcgSaJjgA1nSWSYYDY231uRq-Grnlqsf4m_CLE2s3QrqLZgx09raKg4VyDZ9bCq57riIieArc99EttWWSj2BwkrmiJe2MckioDGnMLy67zIm4CO-_aks?testcase_id=4633325429063680

  function __f_7(count = 10000) {
    let array = Array(10000);
    for (let i = -8; i < 10012; ++i) { }
    array[5000] = 255;
    let it = array[Symbol.iterator]();
    for (let i = 0; i < count; ++i) {
      let result = it.next();
    }
  }
  __f_7(-2);
  __f_7();

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by hablich@chromium.org, Jan 16 2017
Status: Assigned (was: Untriaged)

ClusterFuzz detected unhandled instance type, maybe that's the thing we're looking for?

Jan 18 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/9091eb19be52d695616dc76ad87c0217f7b5b2a0

commit 9091eb19be52d695616dc76ad87c0217f7b5b2a0
Author: jarin <jarin@chromium.org>
Date: Wed Jan 18 10:55:22 2017

[deoptimizer] Materialize array iterators in the deoptimizer.

This also introduces exhaustive switch-cases for instance types.

BUG=chromium:681383
Review-Url: https://codereview.chromium.org/2646433002
Cr-Commit-Position: refs/heads/master@{#42447}

[modify] https://crrev.com/9091eb19be52d695616dc76ad87c0217f7b5b2a0/src/deoptimizer.cc
[modify] https://crrev.com/9091eb19be52d695616dc76ad87c0217f7b5b2a0/src/deoptimizer.h
[add] https://crrev.com/9091eb19be52d695616dc76ad87c0217f7b5b2a0/test/mjsunit/regress/regress-681383.js

Jan 19 2017

ClusterFuzz has detected this issue as fixed in range 42446:42447.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4633325429063680

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  unreachable in deoptimizer.cc

Sanitizer: address (ASAN)

Regressed: V8: 41444:41445
Fixed: V8: 42446:42447

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95X6iyjjaHtsAJ_K7L7JTqOng5Mgnz8kXx2lrH7inliENIyOXBZBli1Aw78vJlRX4nyONtlVWLkJIF09LKnI_ihVlpnyx73_whO8SZWK0Obt7NAst-yD82bg2lpVV31oALiPgsOC--ifaYioINIZkmhYB-8tdfYpst345oJ0_RaLPIvoeCpwbKJZCrpRJ2qsFa2JXLd059moilot4RI9TeJyBMoMhH4_trrNPxtil0D2UEs7XrC3Yggvyyv8CXFcgSaJjgA1nSWSYYDY231uRq-Grnlqsf4m_CLE2s3QrqLZgx09raKg4VyDZ9bCq57riIieArc99EttWWSj2BwkrmiJe2MckioDGnMLy67zIm4CO-_aks?testcase_id=4633325429063680

  function __f_7(count = 10000) {
    let array = Array(10000);
    for (let i = -8; i < 10012; ++i) { }
    array[5000] = 255;
    let it = array[Symbol.iterator]();
    for (let i = 0; i < count; ++i) {
      let result = it.next();
    }
  }
  __f_7(-2);
  __f_7();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jan 19 2017

Please merge this to 5.7.

Jan 19 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/bd811fb71437114e20a8bd92ef38e8d51d7bb955

commit bd811fb71437114e20a8bd92ef38e8d51d7bb955
Author: Michael Hablich <hablich@chromium.org>
Date: Thu Jan 19 14:15:41 2017

Several bug fixes which missed 5.7

Merged: [turbofan] Properly assign types to Array/String iterators.
Revision: 977038516bbdd0427eacf8be4496e63b451f3ffe

Merged: [deoptimizer] Materialize array iterators in the deoptimizer.
Revision: 9091eb19be52d695616dc76ad87c0217f7b5b2a0

Merged: [turbofan] Lower JSLoadMessage/JSStoreMessage earlier.
Revision: 2af52484cd8e16b1571b1ed760d2d043cf0169b7

BUG=chromium:681383, v8:4586, v8:5448, v8:5448
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=bmeurer@chromium.org, jarin@chromium.org

Review-Url: https://codereview.chromium.org/2640283002 .
Cr-Commit-Position: refs/branch-heads/5.7@{#5}
Cr-Branched-From: 975e9a320b6eaf9f12280c35df98e013beb8f041-refs/heads/5.7.492@{#1}
Cr-Branched-From: 8d76f0e3465a84bbf0bceab114900fbe75844e1f-refs/heads/master@{#42426}

[modify] https://crrev.com/bd811fb71437114e20a8bd92ef38e8d51d7bb955/src/compiler/access-builder.cc
[modify] https://crrev.com/bd811fb71437114e20a8bd92ef38e8d51d7bb955/src/compiler/access-builder.h
[modify] https://crrev.com/bd811fb71437114e20a8bd92ef38e8d51d7bb955/src/compiler/js-builtin-reducer.cc
[modify] https://crrev.com/bd811fb71437114e20a8bd92ef38e8d51d7bb955/src/compiler/js-generic-lowering.cc
[modify] https://crrev.com/bd811fb71437114e20a8bd92ef38e8d51d7bb955/src/compiler/js-operator.cc
[modify] https://crrev.com/bd811fb71437114e20a8bd92ef38e8d51d7bb955/src/compiler/js-typed-lowering.cc
[modify] https://crrev.com/bd811fb71437114e20a8bd92ef38e8d51d7bb955/src/compiler/js-typed-lowering.h
[modify] https://crrev.com/bd811fb71437114e20a8bd92ef38e8d51d7bb955/src/deoptimizer.cc
[modify] https://crrev.com/bd811fb71437114e20a8bd92ef38e8d51d7bb955/src/deoptimizer.h
[add] https://crrev.com/bd811fb71437114e20a8bd92ef38e8d51d7bb955/test/mjsunit/regress/regress-681383.js

Jan 19 2017

Issue 681174 has been merged into this issue.

Jan 20 2017

Issue 682561 has been merged into this issue.

Jan 20 2017

Issue 682851 has been merged into this issue.