Detailed report: https://clusterfuzz.com/testcase?key=5413944442486784
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: CHECK failure
Crash Address:
Crash State: !field_type->NowStable() || field_type->NowContains(value) || (!FLAG_use_allocat
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=397237:397239
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96ULgKbXdIhWbKKExYGJ-iMqFOC4GhUkJpnz8IOjI8dcGnD8pnHbqUq_21OeqyqKGbf1Dw_MKh9fBiaUpfMhrFHKqamUgBm7pzrNb-3odWmVp0Om2ZjpRtLg88fQYVVcfvIMOWRLAkZBHiZZq39DiJ4Q4J55u6XF71cRZueFe6VeZ6xNVnShaLbxjAx6STYYwU5qnIul7VkDek8QFVTt4N1w0MqH1yzPHpKWuWPhrntBxwP5BCYyd2dRPUvBAJKGy-zRhVMk2Ej1CKACZGkb6hb9l-AAYeVoi_hbtTA0Em_gJx_lsFRlFN7BErBqoVmLHWRkfw3JYTFOPeqqxFgX6N8SKjN65hUN16770yfpiFJ1zZa3dc?testcase_id=5413944442486784
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/2d856544e5e3cb8abf99a30749b4bfe39c29886a

commit 2d856544e5e3cb8abf99a30749b4bfe39c29886a
Author: Igor Sheludko <ishell@chromium.org>
Date: Fri Apr 21 15:14:26 2017

[ic] Fix handling of elements kind transitions in polymorphic keyed ICs.

Ensure source map is not stable if elements kind transitions are expected.

BUG= chromium:700733
Change-Id: Ie937e7064127250b1100109986c3e9b411fae1d6
Reviewed-on: https://chromium-review.googlesource.com/483442
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44780}

[modify] https://crrev.com/2d856544e5e3cb8abf99a30749b4bfe39c29886a/src/compiler/access-info.cc
[modify] https://crrev.com/2d856544e5e3cb8abf99a30749b4bfe39c29886a/src/crankshaft/hydrogen.cc
[modify] https://crrev.com/2d856544e5e3cb8abf99a30749b4bfe39c29886a/src/ic/handler-compiler.cc
[modify] https://crrev.com/2d856544e5e3cb8abf99a30749b4bfe39c29886a/src/ic/handler-compiler.h
[modify] https://crrev.com/2d856544e5e3cb8abf99a30749b4bfe39c29886a/src/ic/ic.cc
[modify] https://crrev.com/2d856544e5e3cb8abf99a30749b4bfe39c29886a/src/ic/ic.h
[add] https://crrev.com/2d856544e5e3cb8abf99a30749b4bfe39c29886a/test/mjsunit/regress/regress-crbug-700733.js
ClusterFuzz has detected this issue as fixed in range 466396:466429.

Detailed report: https://clusterfuzz.com/testcase?key=5413944442486784
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: CHECK failure
Crash Address:
Crash State: !field_type->NowStable() || field_type->NowContains(value) || (!FLAG_use_allocat
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=397237:397239
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=466396:466429
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5413944442486784
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Mar 14 2017
Labels: Test-Predator-Wrong M-59