CHECK failure: !map->is_stable() in access-info.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5470350430437376
Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !map->is_stable() in access-info.cc
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=472116:472196
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5470350430437376

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 17 2017

May 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/ea55b873f2ed8336604540a532cbd460eeb66430

commit ea55b873f2ed8336604540a532cbd460eeb66430
Author: Igor Sheludko <ishell@chromium.org>
Date: Wed May 17 21:58:44 2017

[turbofan][crankshaft] Don't generate elements kind transitions from stable maps.

IC system does its best to properly mark stable transition source maps as unstable (see https://chromium-review.googlesource.com/483442); however, an already recorded map can be deprecated later, and the optimizing compiler may try to generate an elements kind transition from the updated version of the deprecated map, which can "become" stable again.

Bug: chromium:723455
Change-Id: Ic0c392f153587c3cd7c7623a3a6ea85ec72ad5bd
Reviewed-on: https://chromium-review.googlesource.com/507887
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45384}

[modify] https://crrev.com/ea55b873f2ed8336604540a532cbd460eeb66430/src/compiler/access-info.cc
[modify] https://crrev.com/ea55b873f2ed8336604540a532cbd460eeb66430/src/crankshaft/hydrogen.cc
[add] https://crrev.com/ea55b873f2ed8336604540a532cbd460eeb66430/test/mjsunit/regress/regress-crbug-723455.js
May 17 2017

May 17 2017
Issue 723066 has been merged into this issue.
May 18 2017
ClusterFuzz has detected this issue as fixed in range 472196:472573.

Detailed report: https://clusterfuzz.com/testcase?key=5470350430437376
Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !map->is_stable() in access-info.cc
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=472116:472196
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=472196:472573
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5470350430437376

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by clemensh@chromium.org, May 17 2017
Status: Assigned (was: Untriaged)
Reproduces in d8 (run with --allow-natives-syntax so that %OptimizeFunctionOnNextCall is accepted):

    __f_28(new Array(1));
    function __f_28(a) {
      a.x = 0;     // add a named property: map transition, field holds a Smi
      a[0] = 0.1;  // store a double into the elements: elements kind transition
      a.x = {};    // store a heap object where only Smis were stored: field generalization
    }
    __f_28(new Array(1));
    __f_28(new Array());
    %OptimizeFunctionOnNextCall(__f_28);
    __f_28();

Bisects to 0655ee8fa1864ae9b735d67828bcefa5633faf9e.