STANDARD_STORE == store_mode in js-native-context-specialization.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6733897028337664

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_turbo_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: STANDARD_STORE == store_mode in js-native-context-specialization.cc
Sanitizer: address (ASAN)
Regressed: V8: 39438:39439

Minimized Testcase (10.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95EPajRQ-gjE-RHDxbSJCzsfqxFQtIH5vVFfHcOx_hJLowyPSxFEdXP4iXbgGAdeRTDOUqLAsVrZCnVVpW0BgX41Hhq9WcDCgwEZVYhdYbB_KeJwDXfpPLgrYvCxsmkGaZf0tYLxkIxH0Z50c61fYTS-MOi7F0vnynSUtvftvgrRGxmpzslNZgAKON6h2vO6trvitT_pXZ0KGE0JHFHch7Yjz_Up1SbP470DkWdYKTfyvqM86JqJe9mZ2Jo-X3aMuF1Czf2gH8SYtdxEtrAKCJB6tIAzb1Bt9OD6dhm5PfEWbbpQGc1KJeyTjjiHQEVdaDH9dtm6CUVE46n1cxdYOOpqpRK2wQK8uvcGTho4FbFDGZWVuM?testcase_id=6733897028337664

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 31 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/64eae6eff294670c4503d9a95fbe164e34edcdf1

commit 64eae6eff294670c4503d9a95fbe164e34edcdf1
Author: bmeurer <bmeurer@chromium.org>
Date: Tue Jan 31 09:00:55 2017

[turbofan] Remove over-restrictive DCHECKs.

The KeyedStoreMode that we get out of the FeedbackNexus doesn't necessarily need to apply when we have "static knowledge" about the receiver, i.e. when the receiver is a known JSTypedArray, but the KEYED_STORE_IC has seen only JSArray instances so far. The DCHECK was too restrictive in this case, since we can just ignore the KEYED_STORE_IC mode (like we ignore the maps).

BUG= chromium:685050
R=ishell@chromium.org

Review-Url: https://codereview.chromium.org/2668643002
Cr-Commit-Position: refs/heads/master@{#42810}

[modify] https://crrev.com/64eae6eff294670c4503d9a95fbe164e34edcdf1/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/64eae6eff294670c4503d9a95fbe164e34edcdf1/test/mjsunit/regress/regress-crbug-685050.js
Comment 1 by mstarzinger@chromium.org
Jan 30 2017
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
The {STORE_NO_TRANSITION_HANDLE_COW} case is unhandled when lowering element stores. Simplified repro ...

    // Copyright 2017 the V8 project authors. All rights reserved.
    // Use of this source code is governed by a BSD-style license that can be
    // found in the LICENSE file.

    // Flags: --allow-natives-syntax

    function f(a) {
      a[0] = 0;
      a[1] = 0;
    }

    var a = new Int32Array(2);
    // Train the keyed store IC in f on array literals (copy-on-write elements),
    // then trigger on-stack replacement so TurboFan compiles f with that feedback.
    for (var i = 0; i < 5; i++) {
      if (i == 2) %OptimizeOsr();
      f([1, 2, 3]);
    }
    // Now call the optimized f with a typed array receiver.
    f(a);