
Encountered unaccounted use by #350 (Call) in escape-analysis.cc

Reported by ClusterFuzz (Project Member), Jan 26 2017

Issue description

Labels: Test-Predator-Wrong M-58
Owner: tebbi@chromium.org
Status: Assigned (was: Untriaged)
Suspected CL is https://chromium.googlesource.com/v8/v8/+/e225251f256472562e1fc79feec2d7203b15e443%5E%21/src/compiler/escape-analysis.cc
tebbi@, could you please take a look?
Thank you
Issue 685964 has been merged into this issue.
Issue 685966 has been merged into this issue.

Comment 4 by tebbi@chromium.org, Jan 27 2017

Owner: bmeu...@chromium.org

Comment 5 by tebbi@chromium.org, Jan 27 2017

Issue 685923 has been merged into this issue.

Comment 6 by tebbi@chromium.org, Jan 27 2017

Cc: cbruni@chromium.org tebbi@chromium.org bmeu...@chromium.org
Issue v8:5900 has been merged into this issue.

Comment 7 by ClusterFuzz (Project Member), Jan 27 2017

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6035565410779136

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Encountered unaccounted use by #160 (Call) in escape-analysis.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 42694:42695

Minimized Testcase (0.35 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95w9kBejQg9Lt_C1x3rXtw5qmPi2S6QbgwT2cC79oN_8mwk4tuXZkfSREGcYNEkBIjHanGF5jCByPXsjj56eeRVNrGsCjz2ZVgZf-5vUwmKTLErp2TixdmOvML6wefiwaNpVbyn-Gu4s7XYCN4hgvR7ISQVHgqypA9Gl_3EwOZ_CLS9XowJ6nrSUanTCbvX1ctVh4b6ZcI--HY10JLjuW-Jv09jTWZ4sqK4X9qK039HSe2Oz_2NcgKbiwLGwNQKshPGVSY8Y7tKtTljDBLy5aIGYYFqbWXycKWArp1MNnJJfeaVqc_rWPoObcBtmVdB7DhuNXxsrMiBz9OlISqixjnulw8LAE8rAGgrRaMh1Gpbseze8WQ?testcase_id=6035565410779136
assertTrue = function assertTrue() {; };
function __f_0(func) {
  try {
    func(__v_0);
    assertUnreachable();
  } catch (e) {
    assertTrue(e.stack.indexOf("fromCharCode") >= 0);
  }
}
__f_0();
function __f_1() {; }
__f_0();
function __f_4() {
  try {
    o;
    __f_0(__f_1);
  } catch (e) {
    return e;
  }
}
%OptimizeFunctionOnNextCall(__f_4);
 __f_4();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 15 by ajha@chromium.org, Jan 27 2017

Labels: -Type-Bug ReleaseBlock-Dev OS-Mac OS-Windows Type-Bug-Regression
This is the #1 renderer crash on the latest Mac canary (58.0.2994.0: 271 crashes from 189 clients so far). Crashes are seen on the Windows canary (both ASan and non-ASan) as well, which has been live for 2 hours.

Marking this as a Dev blocker for tracking purposes.

Link to the list of OSes with this crash:
============================================
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3Ainternal%3A%3Acompiler%3A%3AEscapeStatusAnalysis%3A%3ACheckUsesForEscape%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=
Status: Fixed (was: Assigned)
Typo in BUG line, but fixed with https://codereview.chromium.org/2657243002
Cc: gov...@chromium.org abdulsyed@chromium.org anan...@chromium.org
bmeurer@, the current canary is too crashy with this change. I am planning to trigger a new canary; can you please merge the above fix (https://codereview.chromium.org/2657243002) to the 2994 branch?

PS: You do not need to follow any 'Merge-Approval' process since 2994 is yet to be branched officially.

Thank you!
Labels: HasTestcase
I am experiencing this crash consistently on the latest Canary (58.0.2994.0) on Win7 64-bit.

Here are the repro steps:
==========================
1. Try to log in to americanexpress.com
2. The browser crashes after you provide your sign-in credentials

Observing a similar crash with Gmail, Docs, Spreadsheets and many internal URLs as well.

Thank you!
Issue 686126 has been merged into this issue.
Issue 686340 has been merged into this issue.
Issue 686161 has been merged into this issue.
Issue 686160 has been merged into this issue.
Issue 686276 has been merged into this issue.
Issue 686243 has been merged into this issue.
Issue 686163 has been merged into this issue.
Issue 686125 has been merged into this issue.
Issue 686124 has been merged into this issue.
Issue 686090 has been merged into this issue.
Issue 686089 has been merged into this issue.
Issue 686088 has been merged into this issue.
Issue 686087 has been merged into this issue.
Issue 686086 has been merged into this issue.
Issue 686047 has been merged into this issue.

Comment 34 by ClusterFuzz (Project Member), Jan 28 2017

ClusterFuzz has detected this issue as fixed in range 42735:42736.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6035565410779136

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Encountered unaccounted use by #160 (Call) in escape-analysis.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 42694:42695
Fixed: V8: 42735:42736

Minimized Testcase (0.35 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95w9kBejQg9Lt_C1x3rXtw5qmPi2S6QbgwT2cC79oN_8mwk4tuXZkfSREGcYNEkBIjHanGF5jCByPXsjj56eeRVNrGsCjz2ZVgZf-5vUwmKTLErp2TixdmOvML6wefiwaNpVbyn-Gu4s7XYCN4hgvR7ISQVHgqypA9Gl_3EwOZ_CLS9XowJ6nrSUanTCbvX1ctVh4b6ZcI--HY10JLjuW-Jv09jTWZ4sqK4X9qK039HSe2Oz_2NcgKbiwLGwNQKshPGVSY8Y7tKtTljDBLy5aIGYYFqbWXycKWArp1MNnJJfeaVqc_rWPoObcBtmVdB7DhuNXxsrMiBz9OlISqixjnulw8LAE8rAGgrRaMh1Gpbseze8WQ?testcase_id=6035565410779136
assertTrue = function assertTrue() {; };
function __f_0(func) {
  try {
    func(__v_0);
    assertUnreachable();
  } catch (e) {
    assertTrue(e.stack.indexOf("fromCharCode") >= 0);
  }
}
__f_0();
function __f_1() {; }
__f_0();
function __f_4() {
  try {
    o;
    __f_0(__f_1);
  } catch (e) {
    return e;
  }
}
%OptimizeFunctionOnNextCall(__f_4);
 __f_4();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 35 by ClusterFuzz (Project Member), Jan 28 2017

ClusterFuzz has detected this issue as fixed in range 42735:42736.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5283810708291584

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Encountered unaccounted use by #359 (Call) in escape-analysis.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 42694:42695
Fixed: V8: 42735:42736

Minimized Testcase (5.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ybkWSnKErcntazPexKP9OwvxsNKctlVzlIDlXAlXLNnbnM5z3DXRtj5qb6QmpHZW9LLnYsVHBoyUCJGPc7XqZ2NItp0fpREnRliQbSksICHT1bgzsb1Kp1gue0QX4cUvoaLAra0zU2g1_R6V9yuDcGS3A6KdoM188JNumDv_LfHlO-3y-n_v12JGRFwkGNau7GLNl4uOZZD5GD64UQkShjAYSfjujkSMTA-t5_wc6hG2Mfh0XUHW_XfrtUY9CQt1Oc22egpVpHJEmCNQH3s-vRFSP-50YJ1EMK9_D0rGNFxWdK1DgRJwgBfIwjZ0jByDmWtN5h-3KQMW6mPLJYEIkVjKbuFd84gTmn1XVKMB5DbLvpFw?testcase_id=5283810708291584

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 36 by ClusterFuzz (Project Member), Jan 28 2017

ClusterFuzz has detected this issue as fixed in range 42735:42736.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6540120686854144

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Encountered unaccounted use by #119 (Call) in escape-analysis.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 42694:42695
Fixed: V8: 42735:42736

Minimized Testcase (5.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9483ThMLdNHEOdZiWTwn6c_-d8qE2q9AMYz8Y60CnsW1cgNdrCU47EcN2O6B7Slec2AMQzEPgApszK5B5myAcewyZorNDQ8G19Bxx65ImC47YkZdsBSnJijtJHGn-hUvSHVXr4BbscBcXf7eFoFDh8uGfj1AsX0LB6WkI7OyWgBuweR-gtnKRYfum9cXNsIO0nO1nXJNyV1FV-FxdZn_AyHRyV1fRLDLFIG395J_BBSKemGgnIIU32WolneC5J0gizmMuvfeODPXmckj6rEF9rCNWi46V2uiIayjCNF297PrHPagnXOmlgYKCYJmaNKl-xNq_I6SMy4zcK9-3-QA1GF3bRj-RxnkUpLLVEqiY-pnDHuqf8?testcase_id=6540120686854144

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 37 by ClusterFuzz (Project Member), Jan 28 2017

ClusterFuzz has detected this issue as fixed in range 42735:42736.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5503504191062016

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Encountered unaccounted use by #150 (Call) in escape-analysis.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 42694:42695
Fixed: V8: 42735:42736

Minimized Testcase (6.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97uw9QNmCHljrgqSCVgYZEc0Timu5QI-3KDbstwpC16u6ckltBlID97xHNBXbsz5dpsBmbZcjuo7yl3zArLab8hR54mGK6x3KUgeAxhwN1VuAXKZWRFonCevXXXQWmBaeO1-0ggwxycCUVzpQofIeQqmI-aUsV2RuS68Q7-_Z6huu35eZ2NQzdUf7c5JQLqbVGtD9d5Ff7rbOG13jIygQMbETdbDT1eTCOh-z_e1qnmgFPIGyKInbmDmPiQda1KP_vjNmrs2jLaaf6NPCO6h1qMAt4ABnP4x2lBvk6B6w8x_HqY3sNTMU2OUkCJxb1ddshpks1n6daRkMwRa6tuq9n-FfQ8ToJNjrg7JkXifMWK1dgO--A?testcase_id=5503504191062016

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 38 by ClusterFuzz (Project Member), Jan 28 2017

ClusterFuzz has detected this issue as fixed in range 42735:42736.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5191612792832000

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_turbo_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Encountered unaccounted use by #350 (Call) in escape-analysis.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 42694:42695
Fixed: V8: 42735:42736

Minimized Testcase (8.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94A1ttK_eJ9Z7OSzTFXpOe4lB2dkBR5c6M1iuFEVPkqnFxPzT8q_zPEBL1I9JdCbfcrQMgxOuJaJiSe-aTKK3LEHd2rGI6xsZLWnM1CxMAQNxgCJY2eXAvSZPZ2Ws01BRe-TkiEmGKytJa_aNHzOEt-cieNwkNg_OjRyoPk4rwXej1vgkzRnE1ixz3TQM9_hAcunnovO_NSfXISHTek7JvY6kp42I1b16He5TGMOPb5hlt_n5aGkqLSHuP9pdFTFpe4yrsQ48goKqNbkyojzkKkXTjCLKPG7l6Wl-DCDzMeOEqF-OGHHZpWzc3b-W0xOA55vWehFEWflk7o4VqQtvCQ8qRD81y9q1vGUB0tOdQBsABkong?testcase_id=5191612792832000

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 39 by ClusterFuzz (Project Member), Jan 28 2017

ClusterFuzz has detected this issue as fixed in range 42735:42736.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6137562294124544

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Encountered unaccounted use by #112 (Call) in escape-analysis.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 42694:42695
Fixed: V8: 42735:42736

Minimized Testcase (6.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95qL8T0t6gf6vTH8xNQm5o7LRppq48InwpEVQ3zgS3KQgrAvYQg3fSdicwolDvm3cHEpy_Iq6AVqEKLskGqLG82fmKt1TbDy7k0Euk9Vex3DtZVt2Xlr4HktRGYtfQRYcbWBcWv5VjH4k4THpUG1fZ8R7dNuhaZVgCB54bHStS5BMkYwbMMPk1qugnCydOb8CKVbpuvEY9YFDgay0OX4D7BjuivKr37qvUkKaKUg5snVoPpcD0dT4R-PvDzwU03vV5ZZt1vnWE2c7epMxOiwcdheFd0UPmkATjSCd_l3mRljzPNbkGZ4l2L1WQdg2HZovUo25CNHzpzqvnQXgdi_jrJc6i9xooIlpr41espv35Dr3jOFNo?testcase_id=6137562294124544

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 40 by ClusterFuzz (Project Member), Jan 28 2017

ClusterFuzz has detected this issue as fixed in range 42735:42736.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5570147319545856

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Encountered unaccounted use by #364 (Call) in escape-analysis.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 42694:42695
Fixed: V8: 42735:42736

Minimized Testcase (8.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95SD8r4JqUfeVwT8GD8RqOtXo0Kupr09LRhs5tSdk4k-rrubm_VZTC1o3H1CTvmkFNtBQXZwVl-LHR3IA2czW9Ppi0LaUjFbbx4ded9X_KtAnqy97qi8X7mCZvpfz_wtBn8624FhDMzKZCXUDvCtuitG5TwOnV-zKQ6tXMhP3-Lrsfoejlrnc0oyzth7bqxhj3rY4TtVBVQ1MOUBgNTYR9eXbQICY1Vd9C_XAsT_5BOcLkDV2dJiGqhFQZBRAwvReqBnsqUb2H_soxoxw2LiG8JVqMHJg3iAJMecwQCGOs7kvAjHTmRN492aOsamDYmiKAZMZB7MWsFWZnHDaT63cKb_BxIn59yPxDloQoaMCJNiY1KNE0?testcase_id=5570147319545856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 41 by ClusterFuzz (Project Member), Jan 28 2017

ClusterFuzz has detected this issue as fixed in range 42735:42736.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6274585575292928

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Encountered unaccounted use by #360 (Call) in escape-analysis.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 42694:42695
Fixed: V8: 42735:42736

Minimized Testcase (8.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Ri6p4xq0w89phh9PuqM1Pdnwq_oICw_nYUV6em_auRZzemwJ5Vb4xGzY5zsjNGAEpMrC0Vo4ChY_yUiiSexqYMPREBpbtPzuIUFozuhBiyRa8rfG2ysABCDWNuhX0RmYYAizjwgVnLWTfI3mYhU5Bin8LhU2Is3J-Op1w_klCl7ki4mx9C4iSPllffzeTg5fetY5kNaPG8DNoouErVh_3PXZz4qun1y9fOmxR9DRWtpTG4t4bpYTtCYySYIythJ-5dclxLtoXpvZSL0wmz7nPjEB-hALMaMcLwqJ6QsxmaU309dYO-7-nBUnTdxNlh2Ze34hKzZGKU6DSJGsgIiyJCjO8KiY7LCkxn-XxJ0vspAIbZPk?testcase_id=6274585575292928

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 42 by ClusterFuzz (Project Member), Jan 28 2017

ClusterFuzz has detected this issue as fixed in range 42735:42736.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5931331654778880

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Encountered unaccounted use by #320 (Call) in escape-analysis.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 42694:42695
Fixed: V8: 42735:42736

Minimized Testcase (7.88 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94dfIpWyrix3uD1A68lDACLW8JKMyJLKnAcN1bcJzz1gxiAHc_mgcZjSNa-li-22qrdH32QxOGBt33CD8YkmPULQwCj5OF7odK4xOYn67EkuleRVLJN60Osp3TP_TxluWCfYqpkRji_fyrqxXOwOJts8B_bYYP90o7brThNY7vofSPdKpzRppCoAD8Gfsb9NqeozO-LbJKE9tIGbQiZw6f-GtHqKQPsPRXWMXURLTJ4IyrbSOg7MRKOMr99zdmWMGpxz7_n6aBtxXPG6gUsRuW664J30_wOYkSoluNT10la4CkDjeJu0V3cXd_AVU5ENB-UGRk-z3N6ncNsrdWCIoIV2q2XZTlZr67vFhQMAIHMXlwEwBU?testcase_id=5931331654778880

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Issue 686570 has been merged into this issue.
Issue 686508 has been merged into this issue.

Comment 45 by wfh@chromium.org, Jan 30 2017

Can some analysis be done on how this crash was able to slip into Canary?

Comment 46 by tebbi@chromium.org, Jan 30 2017

Issue 684481 has been merged into this issue.

Comment 47 by ajha@chromium.org, Jan 30 2017

Cc: durga.behera@chromium.org pucchakayala@chromium.org songsuk@chromium.org ajha@chromium.org kavvaru@chromium.org brajkumar@chromium.org
Issue 686641 has been merged into this issue.

Comment 48 by tebbi@chromium.org, Jan 31 2017

Issue 686277 has been merged into this issue.

Comment 49 by tebbi@chromium.org, Jan 31 2017

Issue 685913 has been merged into this issue.
Cc: k...@luminance.org hablich@chromium.org
Issue 686766 has been merged into this issue.

Comment 51 by tebbi@chromium.org, Jan 31 2017

Issue 685983 has been merged into this issue.

Comment 52 by tebbi@chromium.org, Jan 31 2017

Cc: nednguyen@chromium.org jarin@chromium.org perezju@chromium.org
Issue 685967 has been merged into this issue.