Crash in v8::internal::MemoryChunk::heap

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5151228154871808
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000038
Crash State:
  v8::internal::MemoryChunk::heap
  v8::internal::Map::IsBooleanMap
  v8::internal::compiler::CanInlinePropertyAccess
Sanitizer: address (ASAN)
Regressed: V8: 42516:42517

Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94g3Gv2ktHc68lpwSmMQm2Zz6eIKd1KiKvBFe_GRzE8HJtkoZ8yveKka53-8PvF_aQTaVfsdaKsBxTVXtcZLZF9HCTmUF0QXoGD4bXE_-xQF7Sp0YF5asuV7JDPO6aaCcrFRofELEYiDFqpNgfKg5Poj5kvlBV7Yjt6DGr6vNCQkQKFzt-gvdG4Q5OteyHOowWVvKxbIX22aHcT7D7WzNAVklhyM9jG6R50rK-OYG-DzEYUFU3y3ydVuE7mxPBdCqC8cSsmVResEFTH9qfJVaRpQcji5KYot7GntEHgBQvxJSQrYVIL1L6SNL6JAL1z4_vFofiZBrYCUF5mjHcEhq01nZC1Vk_dcxz1DWtWjP5ZwM4Pd8s?testcase_id=5151228154871808

    function __f_2() {
      class __v_0 {
        static foo() { return one + 6; }
      }
    }
    for (var __v_7 = 0; __v_7 < 5; ++__v_7) __f_2();
    %OptimizeFunctionOnNextCall(__f_2);
    gc();
    __f_2();
    function __f_4() { }

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 20 2017
Hi Jochen, here is one of the new clusterfuzz bugs...
Jan 20 2017
Hi Jakob, this failure reproduces reliably with your CL https://codereview.chromium.org/2630233003. As you work to reland it, just run these as well to make sure. You don't need asan, btw.
Jan 20 2017

Jan 20 2017
Issue 682682 has been merged into this issue.
Jan 20 2017
Michael, not sure if you meant that this issue is caused by my CL? I can also reproduce on its predecessor CL, bisecting now.
Jan 20 2017
Local bisect results:

    55feaaea4c83bf72a409bb1ebde5b86c979d4d1c is the first bad commit
    commit 55feaaea4c83bf72a409bb1ebde5b86c979d4d1c
    Author: mvstanton <mvstanton@chromium.org>
    Date:   Thu Jan 19 09:12:28 2017 -0800

        Revert [TypeFeedbackVector] Root literal arrays in function literal slots
Jan 21 2017
ClusterFuzz has detected this issue as fixed in range 42547:42548.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5151228154871808
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000038
Crash State:
  v8::internal::MemoryChunk::heap
  v8::internal::Map::IsBooleanMap
  v8::internal::compiler::CanInlinePropertyAccess
Sanitizer: address (ASAN)
Regressed: V8: 42516:42517
Fixed: V8: 42547:42548

Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94g3Gv2ktHc68lpwSmMQm2Zz6eIKd1KiKvBFe_GRzE8HJtkoZ8yveKka53-8PvF_aQTaVfsdaKsBxTVXtcZLZF9HCTmUF0QXoGD4bXE_-xQF7Sp0YF5asuV7JDPO6aaCcrFRofELEYiDFqpNgfKg5Poj5kvlBV7Yjt6DGr6vNCQkQKFzt-gvdG4Q5OteyHOowWVvKxbIX22aHcT7D7WzNAVklhyM9jG6R50rK-OYG-DzEYUFU3y3ydVuE7mxPBdCqC8cSsmVResEFTH9qfJVaRpQcji5KYot7GntEHgBQvxJSQrYVIL1L6SNL6JAL1z4_vFofiZBrYCUF5mjHcEhq01nZC1Vk_dcxz1DWtWjP5ZwM4Pd8s?testcase_id=5151228154871808

    function __f_2() {
      class __v_0 {
        static foo() { return one + 6; }
      }
    }
    for (var __v_7 = 0; __v_7 < 5; ++__v_7) __f_2();
    %OptimizeFunctionOnNextCall(__f_2);
    gc();
    __f_2();
    function __f_4() { }

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 21 2017
ClusterFuzz testcase 4728001540653056 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 21 2017
Okay, sorry, there were 2 other bugs tagged to your CL and I guess I incorrectly triaged this one.
Jan 24 2017
No worries :)
Comment 1 by rossberg@chromium.org, Jan 20 2017
Status: Assigned (was: Untriaged)