CHECK failure: map->IsMap() in spaces.cc
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5266195308871680
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  map->IsMap() in spaces.cc
  v8::internal::NewSpace::Verify
  v8::internal::Heap::Verify
Sanitizer: address (ASAN)
Regressed: V8: 45199:45200
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5266195308871680
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 12 2017
Regression range and repro points to 5c66d6fcd44fd2bc206fc1be595adf996ce0a80b, but that one likely just flushed out the problem.
Jul 12 2017
Cleaned up repro, seems to be related with inline generator allocation and slack tracking ...
// Run with: d8 --allow-natives-syntax --expose-gc repro.js
// (gc() needs --expose-gc, %OptimizeFunctionOnNextCall needs --allow-natives-syntax)
function* gen() {}

// Allocate generator objects and add an extra property to each,
// so the instances are created from gen's initial map and then transition.
function warmup() {
  var g = gen();
  g.p = 42;
}
for (var i = 0; i < 100; ++i) { warmup() }

// Collect the warmup instances, then run gen() once more and
// force TurboFan to compile it so the generator object is allocated inline.
gc();
gen();
%OptimizeFunctionOnNextCall(gen);
gen();
Jul 12 2017
Nope, bug is actually in 5c66d6fcd44fd2bc206fc1be595adf996ce0a80b. Fix is in flight ...
Jul 12 2017
Issue 741580 has been merged into this issue.
Jul 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/0a4ad44050c435e15b9f2fe93b12ba97c007b7fc

commit 0a4ad44050c435e15b9f2fe93b12ba97c007b7fc
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Wed Jul 12 12:47:22 2017

[turbofan] Fix inline JSGeneratorObject allocation.

This makes sure the inline allocation of generator objects only shrinks initial maps when slack tracking is actually in progress. Shrinking all unused properties unconditionally is bogus because instances using them might have become unreachable and collected by the GC.

R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-741078
BUG= chromium:741078

Change-Id: Iaf2f08a4fa82c820a945bf012d24c760a6b4f514
Reviewed-on: https://chromium-review.googlesource.com/567982
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46585}

[modify] https://crrev.com/0a4ad44050c435e15b9f2fe93b12ba97c007b7fc/src/compiler/js-create-lowering.cc
[add] https://crrev.com/0a4ad44050c435e15b9f2fe93b12ba97c007b7fc/test/mjsunit/regress/regress-crbug-741078.js
Jul 13 2017
ClusterFuzz has detected this issue as fixed in range 46584:46585.
Detailed report: https://clusterfuzz.com/testcase?key=5266195308871680
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  map->IsMap() in spaces.cc
  v8::internal::NewSpace::Verify
  v8::internal::Heap::Verify
Sanitizer: address (ASAN)
Regressed: V8: 45199:45200
Fixed: V8: 46584:46585
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5266195308871680
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 18 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by aarya@google.com, Jul 11 2017
Status: Assigned (was: Untriaged)