(STRING)==(type_) in ast-value-factory.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6661486564081664
Fuzzer: decoder_langfuzz
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: (STRING)==(type_) in ast-value-factory.h
Sanitizer: memory (MSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=443512:443569
Minimized Testcase (8.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96YOuwor0eGwHZNgva1P70bwncqgz1hybCw9sIcUuP9i4JZ5tpc3JEs5cn2AFEO3KYrTcfFZ7Y0WqKo0w6gzl_AbkfgrgvHxAPBBvEHOzzyzqwMADs9-gA1y-JqnIAvQ00iGVi_d5oHzhtilLcnDr5pZuBq4F6Blfz4YUI73wK5QoiFL_VObE0n2oOtGqVHjKALAPjGPKGGGnAIVpvsN6B_-MAw9i59j1QJBWtDdiqFIJ62siaLZfBhotqA6ZQqzcNTuaXAlRxzVfBjptIriCCaMlJpCwmU2IS86j06i4o5DK-B-vnYQl-Dy0tHHFaGgL_kXiBduAFQ43mPKQ8EIqMUMOPyFv85RDTvpFBQ2lVWRPYLIWQ?testcase_id=6661486564081664

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 18 2017
I don't think any of my changes could have caused this. Marja, would you mind taking a look? Feel free to assign back if it's something I can help with.
Jan 18 2017
Investigating; this repros with plain d8.

In debug mode, there's this failure:

mutant7218_regress-670808.js
#
# Fatal error in ../../src/ast/ast.h, line 1212
# Check failed: IsPropertyName().
#
==== C stack trace ===============================

And in release mode, it's the one in the report. That failing DCHECK is guarding it:

  // src/ast/ast.h: the DCHECK only fires in debug builds; in release builds
  // the call falls through to value_->AsString(), which hits the CHECK in
  // ast-value-factory.h seen in the report.
  const AstRawString* AsRawPropertyName() {
    DCHECK(IsPropertyName());
    return value_->AsString();
  }

However, the bug report afaics doesn't contain the V8 bisect info, so I'll need to bisect this manually.
Jan 18 2017
The culprit is this commit:

commit f6929084821d4f021b2c2768c9856472ffa42623
Author: bradnelson <bradnelson@chromium.org>
Date:   Thu Jan 12 18:26:07 2017 -0800

    [wasm][asm.js] Enable --validate-asm by default.

    This directs all asm.js traffic via the Wasm backend.
    Make asm.js console output less noisy.

    R=titzer@chromium.org,aseemgarg@chromium.org
    BUG= v8:4203

    Review-Url: https://codereview.chromium.org/2624813002
    Cr-Original-Original-Commit-Position: refs/heads/master@{#42194}
    Committed: https://chromium.googlesource.com/v8/v8/+/946cc371ed4b34d1a9f5cc615b14c41b652562ad
    Review-Url: https://codereview.chromium.org/2624813002
    Cr-Original-Commit-Position: refs/heads/master@{#42244}
    Committed: https://chromium.googlesource.com/v8/v8/+/3169fb94c98953f002908974a606b51a35178046
    Review-Url: https://codereview.chromium.org/2624813002
    Cr-Commit-Position: refs/heads/master@{#42300}
Jan 22 2017
ClusterFuzz has detected this issue as fixed in range 445281:445285.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6661486564081664
Fuzzer: decoder_langfuzz
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: (STRING)==(type_) in ast-value-factory.h
Sanitizer: memory (MSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=443512:443569
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=445281:445285
Minimized Testcase (8.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96YOuwor0eGwHZNgva1P70bwncqgz1hybCw9sIcUuP9i4JZ5tpc3JEs5cn2AFEO3KYrTcfFZ7Y0WqKo0w6gzl_AbkfgrgvHxAPBBvEHOzzyzqwMADs9-gA1y-JqnIAvQ00iGVi_d5oHzhtilLcnDr5pZuBq4F6Blfz4YUI73wK5QoiFL_VObE0n2oOtGqVHjKALAPjGPKGGGnAIVpvsN6B_-MAw9i59j1QJBWtDdiqFIJ62siaLZfBhotqA6ZQqzcNTuaXAlRxzVfBjptIriCCaMlJpCwmU2IS86j06i4o5DK-B-vnYQl-Dy0tHHFaGgL_kXiBduAFQ43mPKQ8EIqMUMOPyFv85RDTvpFBQ2lVWRPYLIWQ?testcase_id=6661486564081664

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 22 2017
ClusterFuzz testcase 6661486564081664 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mmohammad@chromium.org, Jan 18 2017. Status: Assigned (was: Untriaged)