CHECK failure: map()->unused_property_fields() == actual_unused_property_fields - JSObject::kFi
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4970354054529024
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  map()->unused_property_fields() == actual_unused_property_fields - JSObject::kFi
  gin::PrintStackTrace
  v8::internal::JSObject::JSObjectVerify
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=466737:466789
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4970354054529024

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 25 2017

Apr 26 2017
Bisects to 98acfb36e1acf2ab52ab6b6439eb6356c83dcda6. Reproduces in d8 as well, just --verify-heap is required.
May 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6cb995b936d63ce651273ff420d3dbf80ff71f13

commit 6cb995b936d63ce651273ff420d3dbf80ff71f13
Author: jkummerow <jkummerow@chromium.org>
Date: Wed May 03 15:50:50 2017

Move delete-last-fast-property code from CSA to C++

When deleting the most recently added fast property from an object by undoing its last map transition, we must clear any recorded slots. This can only be done in C++, so this functionality must move out of the stub.

Also update a CHECK in the JSObject verifier to allow backing stores sticking around after such property deletions.

BUG=chromium:716912, chromium:714981
Review-Url: https://codereview.chromium.org/2854373002
Cr-Commit-Position: refs/heads/master@{#45069}

[modify] https://crrev.com/6cb995b936d63ce651273ff420d3dbf80ff71f13/src/builtins/builtins-internal-gen.cc
[modify] https://crrev.com/6cb995b936d63ce651273ff420d3dbf80ff71f13/src/objects-debug.cc
[modify] https://crrev.com/6cb995b936d63ce651273ff420d3dbf80ff71f13/src/runtime/runtime-object.cc
[add] https://crrev.com/6cb995b936d63ce651273ff420d3dbf80ff71f13/test/mjsunit/regress/regress-crbug-714981.js
[add] https://crrev.com/6cb995b936d63ce651273ff420d3dbf80ff71f13/test/mjsunit/regress/regress-crbug-716912.js
May 3 2017
May 4 2017
ClusterFuzz has detected this issue as fixed in range 469085:469194.

Detailed report: https://clusterfuzz.com/testcase?key=4970354054529024
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  map()->unused_property_fields() == actual_unused_property_fields - JSObject::kFi
  gin::PrintStackTrace
  v8::internal::JSObject::JSObjectVerify
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=466737:466789
Fixed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=469085:469194
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4970354054529024

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by msrchandra@chromium.org, Apr 25 2017
Labels: M-60 Test-Predator-Wrong