Issue metadata
Sign in to add a comment
|
|
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5858264175869952 Fuzzer: inferno_js_fuzzer_c Job Type: linux_asan_d8_v8_arm64_dbg Platform Id: linux Crash Type: Ill Crash Address: 0x7ff6a46242e8 Crash State: v8::internal::TranslatedState::MaterializeCapturedObjectAt v8::internal::TranslatedState::MaterializeAt MaterializeObjectAt Sanitizer: address (ASAN) Regressed: V8: 45514:45515 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5858264175869952 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. , Jun 11 2017Issue 732156 has been merged into this issue. , Jun 12 2017
Underlying reason is missing materialization of escape analysed JS_GENERATOR_OBJECT_TYPE instance type objects. Jaro is OOO today, I might take a look. The following is a reduced repro ...
function* f([x]) {}
%OptimizeFunctionOnNextCall(f);
f();
, Jun 12 2017
, Jun 12 2017
, Jun 12 2017Project MemberThe following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/f555a6922dd1b425ed845370cd01428b3ba46f93 commit f555a6922dd1b425ed845370cd01428b3ba46f93 Author: Michael Starzinger <mstarzinger@chromium.org> Date: Mon Jun 12 11:30:22 2017 [deoptimizer] Add support for materializing Generator objects. This adds support for materializing objects of {JSGeneratorObject} type during deoptimization. Cases where soft-deopts remove any escaping use of the implicit generator object can cause it to be escape analyzed. R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-732169 BUG= chromium:732169 Change-Id: I2ec10b2a509a4f37a456a8ca2fd74b8de2fb55be Reviewed-on: https://chromium-review.googlesource.com/530847 Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#45849} [modify] https://crrev.com/f555a6922dd1b425ed845370cd01428b3ba46f93/src/deoptimizer.cc [add] https://crrev.com/f555a6922dd1b425ed845370cd01428b3ba46f93/test/mjsunit/regress/regress-crbug-732169.js , Jun 12 2017Project Member
, Jun 12 2017Project Member
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot , Jun 12 2017Project Member
, Jun 12 2017Project MemberDetailed report: https://clusterfuzz.com/testcase?key=6387498266918912 Fuzzer: inferno_js_fuzzer_c Job Type: windows_asan_d8 Platform Id: windows Crash Type: Fatal error Crash Address: Crash State: v8::platform::PrintStackTrace v8::internal::TranslatedState::MaterializeCapturedObjectAt v8::internal::TranslatedState::MaterializeAt Sanitizer: address (ASAN) Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6387498266918912 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. , Jun 12 2017Project Member
, Jun 12 2017Project MemberThe following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b17dee636f5137713bec30972d5653dcec6873b8 commit b17dee636f5137713bec30972d5653dcec6873b8 Author: Michael Starzinger <mstarzinger@chromium.org> Date: Mon Jun 12 16:27:10 2017 [deoptimizer] Handle Generator object in-object properties. This adds missing support for in-object properties within objects having the {JSGeneratorObject} type to materialization during deoptimization. For corner-cases where the implicit generator object is statically known not to escape, object layout might still be arbitrarily complex. R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-732169 BUG= chromium:732169 , v8:6481 Change-Id: I32f373913d60af64981dc4ed66873cc8a1dbe872 Reviewed-on: https://chromium-review.googlesource.com/530230 Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#45870} [modify] https://crrev.com/b17dee636f5137713bec30972d5653dcec6873b8/src/deoptimizer.cc [modify] https://crrev.com/b17dee636f5137713bec30972d5653dcec6873b8/test/mjsunit/regress/regress-crbug-732169.js , Jun 13 2017
, Jun 13 2017Project MemberClusterFuzz has detected this issue as fixed in range 45848:45849. Detailed report: https://clusterfuzz.com/testcase?key=5858264175869952 Fuzzer: inferno_js_fuzzer_c Job Type: linux_asan_d8_v8_arm64_dbg Platform Id: linux Crash Type: Ill Crash Address: 0x7ff6a46242e8 Crash State: v8::internal::TranslatedState::MaterializeCapturedObjectAt v8::internal::TranslatedState::MaterializeAt MaterializeObjectAt Sanitizer: address (ASAN) Regressed: V8: 45514:45515 Fixed: V8: 45848:45849 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5858264175869952 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. , Jun 13 2017
, Jun 13 2017Project Member
, Jun 21 2017
, Sep 19 2017Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by clemensh@chromium.org, Jun 11 2017
Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)