Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5858264175869952

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7ff6a46242e8
Crash State:
  v8::internal::TranslatedState::MaterializeCapturedObjectAt
  v8::internal::TranslatedState::MaterializeAt
  MaterializeObjectAt

Sanitizer: address (ASAN)

Regressed: V8: 45514:45515

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5858264175869952

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jun 11 2017: Issue 732156 has been merged into this issue.

Jun 12 2017:

Underlying reason is missing materialization of escape analysed JS_GENERATOR_OBJECT_TYPE instance type objects. Jaro is OOO today, I might take a look.

The following is a reduced repro ...

    // run with: d8 --allow-natives-syntax
    function* f([x]) {}
    %OptimizeFunctionOnNextCall(f);
    f();
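The same optimize-then-deopt shape as the reduced repro above, rebuilt as an added example for Node.js rather than d8. This is not code from the thread, from the regression test regress-crbug-732169.js, or from V8. It assumes a CommonJS Node.js where the `v8` module can enable `--allow-natives-syntax` at run time and where `%OptimizeFunctionOnNextCall` (and, on newer V8, `%PrepareFunctionForOptimization`) behave as in d8; the helpers `optimizeOnNextCall`, `exercise` and `runAll` are mine. It goes one step beyond the page's single case by also running an object-pattern parameter through the same generator-prologue path. On a fixed V8 both cases simply throw the ordinary TypeError and the generator keeps working; on a V8 from the regression range the deoptimizer aborted in TranslatedState::MaterializeCapturedObjectAt at the call with the bad argument.

```javascript
'use strict';
// Added example for this bug thread; not code from the bug, its regression
// test, or V8. It rebuilds the optimize-then-deopt shape of the reduced repro
// (function* f([x]) {}) for Node.js, where natives syntax has to be switched
// on at run time through the `v8` module instead of d8's --allow-natives-syntax.
// Assumptions: CommonJS (require is defined) and a V8 that accepts
// %OptimizeFunctionOnNextCall; if either is missing the script still runs but
// skips the optimization step and only checks the language-level behaviour.
const v8 = typeof require === 'function' ? require('v8') : null;
if (v8) v8.setFlagsFromString('--allow-natives-syntax');

// Natives syntax is only accepted by source parsed after the flag is set, so
// the intrinsics are reached through direct eval (which can see `fn`).
// %PrepareFunctionForOptimization only exists on newer V8; its absence is
// tolerated. Returns true when the optimize request was accepted.
function optimizeOnNextCall(fn, warmupArg) {
  if (!v8) return false;
  try { eval('%PrepareFunctionForOptimization(fn)'); } catch (e) { /* older V8 */ }
  fn(warmupArg); // one call with a well-formed argument collects feedback
  try { eval('%OptimizeFunctionOnNextCall(fn)'); } catch (e) { return false; }
  return true;
}

// The repro shape: the parameter pattern is evaluated in the generator
// prologue, after the implicit generator object has been allocated but before
// it is handed to the caller. An argument the pattern cannot destructure makes
// the prologue throw, so the generator object never escapes; in optimized code
// that throw is a deopt point, and the deoptimizer has to materialize the
// escape-analysed JSGeneratorObject (the part that was missing before the fix).
function* arrayPatternGen([x]) { yield x; }
function* objectPatternGen({ x }) { yield x; }

// Runs one generator through the shape above and reports what happened:
// whether optimization was requested, that the bad argument produced the
// ordinary TypeError, and that the generator still works afterwards.
function exercise(gen, goodArg, badArg) {
  const optimized = optimizeOnNextCall(gen, goodArg);
  let error = null;
  try { gen(badArg); } catch (e) { error = e; }
  const first = gen(goodArg).next();
  return {
    optimized,
    threwTypeError: error instanceof TypeError,
    value: first.value,
    done: first.done,
  };
}

// Constructed cases: an array pattern fed a non-iterable (the reduced repro),
// and an object pattern fed undefined (same prologue path, different pattern).
const CASES = [
  { name: 'array pattern, non-iterable argument',
    gen: arrayPatternGen, goodArg: [42], badArg: undefined },
  { name: 'object pattern, undefined argument',
    gen: objectPatternGen, goodArg: { x: 42 }, badArg: undefined },
];

function runAll() {
  return CASES.map(c => ({ name: c.name, ...exercise(c.gen, c.goodArg, c.badArg) }));
}

if (typeof require === 'function' && require.main === module) {
  for (const r of runAll()) console.log(r);
}
```

Run it as `node repro.js`. The `optimized` field reports only whether the request was accepted, not whether TurboFan actually produced optimized code; on a build where the bug is present, the first `gen(badArg)` after a successful request is the call that never returns.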
Jun 12 2017, Project Member:

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/f555a6922dd1b425ed845370cd01428b3ba46f93

commit f555a6922dd1b425ed845370cd01428b3ba46f93
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Jun 12 11:30:22 2017

[deoptimizer] Add support for materializing Generator objects.

This adds support for materializing objects of {JSGeneratorObject} type during deoptimization. Cases where soft-deopts remove any escaping use of the implicit generator object can cause it to be escape analyzed.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-732169
BUG=chromium:732169

Change-Id: I2ec10b2a509a4f37a456a8ca2fd74b8de2fb55be
Reviewed-on: https://chromium-review.googlesource.com/530847
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45849}

[modify] https://crrev.com/f555a6922dd1b425ed845370cd01428b3ba46f93/src/deoptimizer.cc
[add] https://crrev.com/f555a6922dd1b425ed845370cd01428b3ba46f93/test/mjsunit/regress/regress-crbug-732169.js

Jun 12 2017, Project Member:

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 12 2017, Project Member:

Detailed report: https://clusterfuzz.com/testcase?key=6387498266918912

Fuzzer: inferno_js_fuzzer_c
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Fatal error
Crash Address:
Crash State:
  v8::platform::PrintStackTrace
  v8::internal::TranslatedState::MaterializeCapturedObjectAt
  v8::internal::TranslatedState::MaterializeAt

Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6387498266918912

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 12 2017, Project Member:

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b17dee636f5137713bec30972d5653dcec6873b8

commit b17dee636f5137713bec30972d5653dcec6873b8
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Jun 12 16:27:10 2017

[deoptimizer] Handle Generator object in-object properties.

This adds missing support for in-object properties within objects having the {JSGeneratorObject} type to materialization during deoptimization. For corner-cases where the implicit generator object is statically known not to escape, object layout might still be arbitrarily complex.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-732169
BUG=chromium:732169, v8:6481

Change-Id: I32f373913d60af64981dc4ed66873cc8a1dbe872
Reviewed-on: https://chromium-review.googlesource.com/530230
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45870}

[modify] https://crrev.com/b17dee636f5137713bec30972d5653dcec6873b8/src/deoptimizer.cc
[modify] https://crrev.com/b17dee636f5137713bec30972d5653dcec6873b8/test/mjsunit/regress/regress-crbug-732169.js
Jun 13 2017, Project Member:

ClusterFuzz has detected this issue as fixed in range 45848:45849.

Detailed report: https://clusterfuzz.com/testcase?key=5858264175869952

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7ff6a46242e8
Crash State:
  v8::internal::TranslatedState::MaterializeCapturedObjectAt
  v8::internal::TranslatedState::MaterializeAt
  MaterializeObjectAt

Sanitizer: address (ASAN)

Regressed: V8: 45514:45515
Fixed: V8: 45848:45849

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5858264175869952

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 19 2017, Project Member:

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by clemensh@chromium.org, Jun 11 2017
Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)