CHECK failure: !map->is_deprecated() in compilation-dependencies.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4852572602236928
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !map->is_deprecated() in compilation-dependencies.cc
  v8::internal::CompilationDependencies::AssumeMapNotDeprecated
  v8::internal::compiler::AccessInfoFactory::LookupTransition
Sanitizer: address (ASAN)
Regressed: V8: 43683:43684
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4852572602236928

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 26 2017
We are trying to search transitions in a deprecated receiver map and are surprised that the transition map is also deprecated. We should probably try to update the receiver map first.
Jun 6 2017
I'm not sure of the severity on this one. Should this be marked as a security bug? If so, what's the impact of it.
Jun 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/468446d5fc24148086097aac0ed166c02da56416

commit 468446d5fc24148086097aac0ed166c02da56416
Author: bmeurer <bmeurer@chromium.org>
Date: Tue Jun 06 12:10:40 2017

[turbofan] Try to update deprecated maps first.

When optimizing stores to data properties in literals, we need to first migrate deprecated maps before we lookup the property access infos for those.

BUG= chromium:724608
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2930433003
Cr-Commit-Position: refs/heads/master@{#45727}

[modify] https://crrev.com/468446d5fc24148086097aac0ed166c02da56416/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/468446d5fc24148086097aac0ed166c02da56416/test/mjsunit/regress/regress-crbug-724608.js
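The following is an added illustration of the situation the commit message describes; it is not the ClusterFuzz reproducer and not V8's regress-crbug-724608.js. It puts together the two ingredients named in the thread: a receiver map that has been deprecated by a field-representation change, and an object literal whose computed-key store is the kind of "store to a data property in a literal" the optimizing compiler handles. The map behaviour it relies on (a Smi field generalized to a double deprecates the old map, instances on the old map are migrated lazily, and the `[key]` store in a literal is compiled as a literal data-property store) is the 2017-era V8 behaviour as described here and is assumed, not something the script can observe from JavaScript.

```javascript
// Added example for this thread (not the ClusterFuzz testcase and not V8's
// regress-crbug-724608.js). Assumptions, as stated in the lead-in: Smi -> Double
// field generalization deprecates the old map; instances on the deprecated map
// are migrated lazily; the `[key]` store of a literal is compiled as a
// "store to a data property in a literal".

// Object literal with a computed key. The object is first created with the
// boilerplate shape {a}, then `[key]` is stored into it. The receiver map for
// that store is the {a} map.
function literalWithComputedKey(a, key, value) {
  return { a: a, [key]: value };
}

// Step 1: build instances whose field 'a' only ever held small integers, so
// the shared {a} map records 'a' with Smi representation.
function buildSmiReceivers(n) {
  const objs = [];
  for (let i = 0; i < n; i++) objs.push(literalWithComputedKey(i, "b", i));
  return objs;
}

// Step 2: store a heap number into 'a' on one instance. The field is
// generalized to Double, the old {a} map is deprecated, and other instances
// (and the literal's boilerplate) still refer to the deprecated map until
// something migrates them.
function deprecateShape(objs) {
  objs[0].a = 0.5;
  return objs;
}

// Step 3: keep executing the literal so the function is optimized while the
// deprecated map is still around. Before the fix the compiler could take the
// deprecated {a} map as the receiver map for the `[key]` transition lookup and
// trip CHECK(!map->is_deprecated()); after the fix the map is migrated before
// the access-info lookup. The checksum only makes the loop observable.
function churn(iterations) {
  let sum = 0;
  for (let i = 0; i < iterations; i++) {
    const o = literalWithComputedKey(i % 2 ? 1 : 1.5, "b", i);
    sum += o.a + o.b;
  }
  return sum;
}

// Runs the whole sequence and returns the checksum plus the receiver count.
function run() {
  const objs = deprecateShape(buildSmiReceivers(8));
  return churn(1000) + objs.length;
}

run();
```

The warm-up loop is what drives optimization in plain d8 or node; in d8 with `--allow-natives-syntax`, calling `%OptimizeFunctionOnNextCall(literalWithComputedKey)` after the deprecation step forces the same compile deterministically instead of relying on the loop.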
Jun 7 2017
ClusterFuzz has detected this issue as fixed in range 45726:45727.

Detailed report: https://clusterfuzz.com/testcase?key=4852572602236928
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !map->is_deprecated() in compilation-dependencies.cc
  v8::internal::CompilationDependencies::AssumeMapNotDeprecated
  v8::internal::compiler::AccessInfoFactory::LookupTransition
Sanitizer: address (ASAN)
Regressed: V8: 43683:43684
Fixed: V8: 45726:45727
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4852572602236928

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 12 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by och...@chromium.org, May 24 2017