
Issue 683068 link


Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in v8::internal::MemoryChunk::heap

Project Member Reported by ClusterFuzz, Jan 20 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5151228154871808

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000038
Crash State:
  v8::internal::MemoryChunk::heap
  v8::internal::Map::IsBooleanMap
  v8::internal::compiler::CanInlinePropertyAccess
  
Sanitizer: address (ASAN)

Regressed: V8: 42516:42517

Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94g3Gv2ktHc68lpwSmMQm2Zz6eIKd1KiKvBFe_GRzE8HJtkoZ8yveKka53-8PvF_aQTaVfsdaKsBxTVXtcZLZF9HCTmUF0QXoGD4bXE_-xQF7Sp0YF5asuV7JDPO6aaCcrFRofELEYiDFqpNgfKg5Poj5kvlBV7Yjt6DGr6vNCQkQKFzt-gvdG4Q5OteyHOowWVvKxbIX22aHcT7D7WzNAVklhyM9jG6R50rK-OYG-DzEYUFU3y3ydVuE7mxPBdCqC8cSsmVResEFTH9qfJVaRpQcji5KYot7GntEHgBQvxJSQrYVIL1L6SNL6JAL1z4_vFofiZBrYCUF5mjHcEhq01nZC1Vk_dcxz1DWtWjP5ZwM4Pd8s?testcase_id=5151228154871808
function __f_2() {
  class __v_0 { static foo() { return one + 6; } }
}
for (var __v_7 = 0; __v_7 < 5; ++__v_7) __f_2();
%OptimizeFunctionOnNextCall(__f_2);
gc();
__f_2();
function __f_4() {
}


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Owner: mvstan...@chromium.org
Status: Assigned (was: Untriaged)
@mvstanton, another one.
Owner: jochen@chromium.org
Hi Jochen, here is one of the new clusterfuzz bugs...
Owner: jgruber@chromium.org
Hi Jakob, this failure reproduces reliably with your CL 
https://codereview.chromium.org/2630233003

As you work to reland it, just run these as well to make sure.
You don't need asan, btw.

Cc: mvstan...@chromium.org
 Issue 682683  has been merged into this issue.
 Issue 682682  has been merged into this issue.
Michael, not sure if you meant that this issue is caused by my CL? I can also reproduce on its predecessor CL, bisecting now.
Cc: -mvstan...@chromium.org jgruber@chromium.org
Owner: mvstan...@chromium.org
Local bisect results:

55feaaea4c83bf72a409bb1ebde5b86c979d4d1c is the first bad commit
commit 55feaaea4c83bf72a409bb1ebde5b86c979d4d1c
Author: mvstanton <mvstanton@chromium.org>
Date:   Thu Jan 19 09:12:28 2017 -0800

    Revert [TypeFeedbackVector] Root literal arrays in function literal slots
Comment 8 by ClusterFuzz (Project Member), Jan 21 2017

ClusterFuzz has detected this issue as fixed in range 42547:42548.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5151228154871808

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000038
Crash State:
  v8::internal::MemoryChunk::heap
  v8::internal::Map::IsBooleanMap
  v8::internal::compiler::CanInlinePropertyAccess
  
Sanitizer: address (ASAN)

Regressed: V8: 42516:42517
Fixed: V8: 42547:42548

Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94g3Gv2ktHc68lpwSmMQm2Zz6eIKd1KiKvBFe_GRzE8HJtkoZ8yveKka53-8PvF_aQTaVfsdaKsBxTVXtcZLZF9HCTmUF0QXoGD4bXE_-xQF7Sp0YF5asuV7JDPO6aaCcrFRofELEYiDFqpNgfKg5Poj5kvlBV7Yjt6DGr6vNCQkQKFzt-gvdG4Q5OteyHOowWVvKxbIX22aHcT7D7WzNAVklhyM9jG6R50rK-OYG-DzEYUFU3y3ydVuE7mxPBdCqC8cSsmVResEFTH9qfJVaRpQcji5KYot7GntEHgBQvxJSQrYVIL1L6SNL6JAL1z4_vFofiZBrYCUF5mjHcEhq01nZC1Vk_dcxz1DWtWjP5ZwM4Pd8s?testcase_id=5151228154871808
function __f_2() {
  class __v_0 { static foo() { return one + 6; } }
}
for (var __v_7 = 0; __v_7 < 5; ++__v_7) __f_2();
%OptimizeFunctionOnNextCall(__f_2);
gc();
__f_2();
function __f_4() {
}


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9 by ClusterFuzz (Project Member), Jan 21 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4728001540653056 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Okay, sorry, there were 2 other bugs tagged to your CL and I guess I incorrectly triaged this one. 
No worries :)
