New issue
Advanced search Search tips

Issue 693500 link

Starred by 1 user
Status: Fixed
Owner:
jgruber@chromium.org
Closed: Feb 2017
Cc:
yangguo@chromium.org
mstarzinger@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Crash in v8::internal::Accessors::ErrorStackGetter

Project Member Reported by ClusterFuzz, Feb 17 2017

Comment 1 by mstarzinger@chromium.org, Feb 20 2017

Cc: yangguo@chromium.org jgruber@chromium.org
Simplified one-line repro:

Reflect.get(new Error(), "stack", 0);

Comment 2 by mstarzinger@chromium.org, Feb 20 2017

Cc: -jgruber@chromium.org mstarzinger@chromium.org
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)
Jakob agreed to take a look. Thanks!

Comment 3 by jgruber@chromium.org, Feb 20 2017 

This one is subtle.. ErrorStackGetter gets the receiver and calls Utils::OpenHandle on it [0].

info.This() returns a Local<Object>, which makes the compiler select the OpenHandle<JSReceiver> overload - and that fails for a Smi receiver.

Got a CL in flight.

https://cs.chromium.org/chromium/src/v8/src/accessors.cc?q=accessors.+package:%5Echromium$&l=1205

Comment 4 by jgruber@chromium.org, Feb 20 2017

Labels: Merge-Request-57
Status: Fixed (was: Assigned)
Project Member

Comment 5 by bugdroid1@chromium.org, Feb 20 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3acc00a0176af5d36f251cd993f49e5db938553f

commit 3acc00a0176af5d36f251cd993f49e5db938553f
Author: jgruber <jgruber@chromium.org>
Date: Mon Feb 20 11:48:10 2017

[regexp] Fix smi receiver in stack accessors

info.This returns a Local<Object>, which results in a call to
Utils::OpenHandle<JSReceiver>.  Casting to a Local<Value> first uses the
correct OpenHandle<Object> overload.

BUG= chromium:693500 

Review-Url: https://codereview.chromium.org/2706833002
Cr-Commit-Position: refs/heads/master@{#43314}

[modify] https://crrev.com/3acc00a0176af5d36f251cd993f49e5db938553f/src/accessors.cc
[add] https://crrev.com/3acc00a0176af5d36f251cd993f49e5db938553f/test/mjsunit/regress/regress-693500.js
Project Member

Comment 6 by sheriffbot@chromium.org, Feb 21 2017

Labels: -Merge-Request-57 Hotlist-Merge-Approved Merge-Approved-57
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 7 by bugdroid1@chromium.org, Feb 21 2017

Labels: merge-merged-5.7
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/4631a23092dd903421e770fd8442e051c73cec6b

commit 4631a23092dd903421e770fd8442e051c73cec6b
Author: jgruber <jgruber@chromium.org>
Date: Tue Feb 21 14:53:20 2017

Merged: [regexp] Fix smi receiver in stack accessors

Revision: 3acc00a0176af5d36f251cd993f49e5db938553f

BUG= chromium:693500 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2707933003 .
Cr-Commit-Position: refs/branch-heads/5.7@{#124}
Cr-Branched-From: 975e9a320b6eaf9f12280c35df98e013beb8f041-refs/heads/5.7.492@{#1}
Cr-Branched-From: 8d76f0e3465a84bbf0bceab114900fbe75844e1f-refs/heads/master@{#42426}

[modify] https://crrev.com/4631a23092dd903421e770fd8442e051c73cec6b/src/accessors.cc
[add] https://crrev.com/4631a23092dd903421e770fd8442e051c73cec6b/test/mjsunit/regress/regress-693500.js

Comment 8 by jgruber@chromium.org, Feb 21 2017

Labels: -Merge-Approved-57

Sign in to add a comment