CHECK failure: !isolate->has_pending_exception() in compiler.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5113204001996800
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isolate->has_pending_exception() in compiler.cc
  GetLazyCode
  v8::internal::Compiler::Compile
Sanitizer: address (ASAN)
Regressed: V8: 45077:45078
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5113204001996800
Issue manually filed by: rossberg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 9 2017
This is pretty closely related to issue v8:6297. Here is a reduced repro:

```javascript
function Module(stdlib, foreign) {
  "use asm";
  var x = foreign.x | 0;
  function f() {}
  return { f: f };
}
var observer = {};
observer.__defineGetter__("x", function() { throw new Error(); });
Module({}, observer);
```
May 23 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/ea48d83d37543d671e99d9b9725311eff17e4951

commit ea48d83d37543d671e99d9b9725311eff17e4951
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue May 23 10:42:43 2017

[asm.js] Ensure lookups of imports are non-observable.

This makes sure that property lookups on the provided imports object are non-observable to JavaScript. It allows instantiation failures to fall back to JavaScript proper without accidentally calling accessors twice. Also accessors might invalidate previous checks done during linking or throw exceptions.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-719384
BUG=chromium:719384

Change-Id: I3db2672d2a496110f705d02b82878e70cd5d701f
Reviewed-on: https://chromium-review.googlesource.com/509552
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45481}

[modify] https://crrev.com/ea48d83d37543d671e99d9b9725311eff17e4951/src/asmjs/asm-js.cc
[modify] https://crrev.com/ea48d83d37543d671e99d9b9725311eff17e4951/src/runtime/runtime-compiler.cc
[modify] https://crrev.com/ea48d83d37543d671e99d9b9725311eff17e4951/src/wasm/wasm-module.cc
[modify] https://crrev.com/ea48d83d37543d671e99d9b9725311eff17e4951/test/mjsunit/asm/global-imports.js
[add] https://crrev.com/ea48d83d37543d671e99d9b9725311eff17e4951/test/mjsunit/regress/regress-crbug-719384.js
[modify] https://crrev.com/ea48d83d37543d671e99d9b9725311eff17e4951/test/mjsunit/wasm/asm-wasm.js
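The commit message above names the defect class: reading an import through ordinary property access runs user code (a getter) in the middle of linking, which can throw into the compiler or hand back a value different from what an earlier check saw. Below is an added illustration in plain JavaScript, not V8's code and not real asm.js validation: a toy linker in the observable style beside one that only accepts own data properties (linkObservable, linkNonObservable, makeHostileImports and demo are hypothetical names, and "own properties only" is an assumption of the toy, not a statement about V8's lookup rules).

```javascript
// Observable style: ordinary property access runs any getter on the
// import object. A throwing getter leaks an exception into the linker,
// and a stateful getter can return a different value on each read.
function linkObservable(foreign, names) {
  const linked = {};
  for (const name of names) {
    linked[name] = foreign[name] | 0; // may invoke a user getter
  }
  return linked;
}

// Non-observable style: inspect the own property descriptor instead of
// reading the value. Accessor (or missing) properties are refused, so no
// JavaScript runs and nothing can throw while linking; the caller then
// falls back to plain JS, as the fix describes. Own properties only is
// an assumption of this toy, not a claim about V8's lookup rules.
function linkNonObservable(foreign, names) {
  const linked = {};
  for (const name of names) {
    const desc = Object.getOwnPropertyDescriptor(foreign, name);
    if (desc === undefined || !("value" in desc)) return null;
    linked[name] = desc.value | 0;
  }
  return linked;
}

// Constructed import object modelled on the reduced repro in this thread:
// a getter that counts its invocations and throws.
function makeHostileImports() {
  const state = { calls: 0 };
  const observer = {};
  Object.defineProperty(observer, "x", {
    get() { state.calls++; throw new Error("getter ran during linking"); },
  });
  return { observer, state };
}

// Runs both linkers against the hostile object and reports what happened.
function demo() {
  const { observer, state } = makeHostileImports();
  let threw = false;
  try { linkObservable(observer, ["x"]); } catch (e) { threw = true; }
  const callsAfterNaive = state.calls;                 // 1: getter ran
  const hardened = linkNonObservable(observer, ["x"]); // null: refused
  return { threw, callsAfterNaive, hardened, callsAfterHardened: state.calls };
}
```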
May 24 2017
ClusterFuzz has detected this issue as fixed in range 45480:45481.

Detailed report: https://clusterfuzz.com/testcase?key=5113204001996800
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isolate->has_pending_exception() in compiler.cc
  GetLazyCode
  v8::internal::Compiler::Compile
Sanitizer: address (ASAN)
Regressed: V8: 45077:45078
Fixed: V8: 45480:45481
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5113204001996800

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by rossberg@chromium.org, May 8 2017
Status: Assigned (was: Untriaged)