Issue 745844 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	ishell@chromium.org
Closed:	Jul 2017
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug-Security
Reproducible Stability-Memory-AddressSanitizer Security_Impact-Head Security_Severity-High allpublic Clusterfuzz NodeJS-Backport-Done merge-merged-6.0 merge-merged-6.1

CHECK failure: !field_type->NowStable() || field_type->NowContains(value) || (!FLAG_use_allocat

Project Member Reported by ClusterFuzz, Jul 18 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4675312465215488

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !field_type->NowStable() || field_type->NowContains(value) || (!FLAG_use_allocat
  v8::internal::JSObject::JSObjectVerify
  v8::internal::Object::AddDataProperty
  
Sanitizer: address (ASAN)

Regressed: V8: 44701:44702

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4675312465215488


Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ishell@chromium.org, Jul 19 2017

Owner: ishell@chromium.org
Status: Assigned (was: Untriaged)

Project Member

Comment 2 by bugdroid1@chromium.org, Jul 19 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6e27386d68eb737b98d37cb32e14d6bea1fd62cd

commit 6e27386d68eb737b98d37cb32e14d6bea1fd62cd
Author: Igor Sheludko <ishell@chromium.org>
Date: Wed Jul 19 11:31:21 2017

Reland "[runtime] Add shortcuts for elements kinds transitions."

This is a reland of b90e83f5da40b214646327f8791834eeb5ddedd4
Original change's description:
> [runtime] Add shortcuts for elements kinds transitions.
>
> The shortcuts ensure that field type generalization is properly
> propagated in the transition graph.
>
> Bug:  chromium:738763 
> Change-Id: Id701a6f95ed6ea093c707fbe0bac228f1f856e9f
> Reviewed-on: https://chromium-review.googlesource.com/567992
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46622}

Bug:  chromium:738763 ,  chromium:742346 ,  chromium:742381 ,  chromium:745844 
Change-Id: I93974e3906b2c7710bd525f15037a2dd97f263ad
Reviewed-on: https://chromium-review.googlesource.com/575227
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46759}
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/heap-symbols.h
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/heap/mark-compact.cc
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/ic/ic.cc
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/map-updater.cc
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/objects-debug.cc
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/objects-inl.h
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/objects-printer.cc
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/objects.cc
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/objects.h
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/objects/map.h
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/transitions-inl.h
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/transitions.cc
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/src/transitions.h
[modify] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/test/cctest/test-field-type-tracking.cc
[add] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/test/mjsunit/regress/regress-crbug-738763.js
[add] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/test/mjsunit/regress/regress-crbug-742346.js
[add] https://crrev.com/6e27386d68eb737b98d37cb32e14d6bea1fd62cd/test/mjsunit/regress/regress-crbug-742381.js

Comment 3 by ishell@chromium.org, Jul 19 2017

Status: Fixed (was: Assigned)

Project Member

Comment 4 by sheriffbot@chromium.org, Jul 19 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Project Member

Comment 5 by ClusterFuzz, Jul 20 2017

ClusterFuzz has detected this issue as fixed in range 46758:46759.

Detailed report: https://clusterfuzz.com/testcase?key=4675312465215488

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !field_type->NowStable() || field_type->NowContains(value) || (!FLAG_use_allocat
  v8::internal::JSObject::JSObjectVerify
  v8::internal::Object::AddDataProperty
  
Sanitizer: address (ASAN)

Regressed: V8: 44701:44702
Fixed: V8: 46758:46759

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4675312465215488


See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member

Comment 6 by bugdroid1@chromium.org, Jul 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5520cae3fd599cb77b4b9c744b07548459655ee3

commit 5520cae3fd599cb77b4b9c744b07548459655ee3
Author: Igor Sheludko <ishell@chromium.org>
Date: Mon Jul 24 05:31:29 2017

Revert "Reland "[runtime] Add shortcuts for elements kinds transitions.""

This reverts commit 6e27386d68eb737b98d37cb32e14d6bea1fd62cd.

Reason for revert: There will be another much simpler and
back-mergeable fix.

Original change's description:
> Reland "[runtime] Add shortcuts for elements kinds transitions."
> 
> This is a reland of b90e83f5da40b214646327f8791834eeb5ddedd4
> Original change's description:
> > [runtime] Add shortcuts for elements kinds transitions.
> >
> > The shortcuts ensure that field type generalization is properly
> > propagated in the transition graph.
> >
> > Bug:  chromium:738763 
> > Change-Id: Id701a6f95ed6ea093c707fbe0bac228f1f856e9f
> > Reviewed-on: https://chromium-review.googlesource.com/567992
> > Commit-Queue: Igor Sheludko <ishell@chromium.org>
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#46622}
> 
> Bug:  chromium:738763 ,  chromium:742346 ,  chromium:742381 ,  chromium:745844 
> Change-Id: I93974e3906b2c7710bd525f15037a2dd97f263ad
> Reviewed-on: https://chromium-review.googlesource.com/575227
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46759}

TBR=ulan@chromium.org,jkummerow@chromium.org,ishell@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  chromium:738763 ,  chromium:742346 ,  chromium:742381 ,  chromium:745844 
Change-Id: I203dc748c47db554e0a86d61f0e2b7b8b96f2370
Reviewed-on: https://chromium-review.googlesource.com/581547
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46826}
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/heap-symbols.h
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/heap/mark-compact.cc
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/ic/ic.cc
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/map-updater.cc
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/objects-debug.cc
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/objects-inl.h
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/objects-printer.cc
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/objects.cc
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/objects.h
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/objects/map.h
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/transitions-inl.h
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/transitions.cc
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/src/transitions.h
[modify] https://crrev.com/5520cae3fd599cb77b4b9c744b07548459655ee3/test/cctest/test-field-type-tracking.cc
[delete] https://crrev.com/b1f0e653f48afe9e9d378a3d97c70f9a03582a78/test/mjsunit/regress/regress-crbug-738763.js
[delete] https://crrev.com/b1f0e653f48afe9e9d378a3d97c70f9a03582a78/test/mjsunit/regress/regress-crbug-742346.js
[delete] https://crrev.com/b1f0e653f48afe9e9d378a3d97c70f9a03582a78/test/mjsunit/regress/regress-crbug-742381.js

Project Member

Comment 7 by bugdroid1@chromium.org, Jul 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/21e7f083851e211cb2af062371d5e3656ec5f38a

commit 21e7f083851e211cb2af062371d5e3656ec5f38a
Author: Igor Sheludko <ishell@chromium.org>
Date: Mon Jul 24 06:34:12 2017

[runtime] Don't track "class" field types for arrays with properties.

... in order to avoid the need to update field types through elements
kind transitions.

Bug:  chromium:738763 ,  chromium:745844 
Change-Id: I9f0e7f321e7f44ab5b36c06dd4c5633611370807
Reviewed-on: https://chromium-review.googlesource.com/581647
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46830}
[modify] https://crrev.com/21e7f083851e211cb2af062371d5e3656ec5f38a/src/objects.cc
[modify] https://crrev.com/21e7f083851e211cb2af062371d5e3656ec5f38a/src/objects.h
[modify] https://crrev.com/21e7f083851e211cb2af062371d5e3656ec5f38a/src/objects/map.h
[modify] https://crrev.com/21e7f083851e211cb2af062371d5e3656ec5f38a/test/cctest/test-field-type-tracking.cc
[add] https://crrev.com/21e7f083851e211cb2af062371d5e3656ec5f38a/test/mjsunit/regress/regress-crbug-738763.js

Project Member

Comment 8 by bugdroid1@chromium.org, Jul 25 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c558369af2f4a53d4b9fdff9534fdc202f27c098

commit c558369af2f4a53d4b9fdff9534fdc202f27c098
Author: Igor Sheludko <ishell@chromium.org>
Date: Tue Jul 25 06:54:46 2017

[runtime] Don't create "class" field types for arrays' fields.

... when reconfiguring const fields to mutable fields.

Bug:  chromium:747979 ,  chromium:738763 ,  chromium:745844 
Change-Id: Ibfac1b875a1da8234966ac10658260f1cc718fe5
Reviewed-on: https://chromium-review.googlesource.com/583647
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46854}
[modify] https://crrev.com/c558369af2f4a53d4b9fdff9534fdc202f27c098/src/map-updater.cc
[modify] https://crrev.com/c558369af2f4a53d4b9fdff9534fdc202f27c098/src/objects-debug.cc
[add] https://crrev.com/c558369af2f4a53d4b9fdff9534fdc202f27c098/test/mjsunit/regress/regress-crbug-747979.js

Project Member

Comment 9 by bugdroid1@chromium.org, Jul 28 2017

Labels: merge-merged-6.1

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6

commit b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6
Author: ishell@chromium.org <ishell@chromium.org>
Date: Fri Jul 28 09:33:02 2017

Merged: Squashed multiple commits.

Merged: [runtime] Don't track "class" field types for arrays with properties.
Revision: 21e7f083851e211cb2af062371d5e3656ec5f38a

Merged: [runtime] Don't create "class" field types for arrays' fields.
Revision: c558369af2f4a53d4b9fdff9534fdc202f27c098

Merged: [runtime] Don't create class field types for arrays' fields.
Revision: 10e4fe3d32c5ca205948ca44f4f2b9edd50b7755

BUG= chromium:738763 , chromium:745844 , chromium:747979 , chromium:748539 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=hablich@chromium.org

Change-Id: I73e305aacfb532121f1621078a46f465cf463b05
Reviewed-on: https://chromium-review.googlesource.com/590230
Reviewed-by: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.1@{#22}
Cr-Branched-From: 1bf2e10ddb194d4c2871a87a4732613419de892d-refs/heads/6.1.534@{#1}
Cr-Branched-From: e825c4318eb2065ffdf9044aa6a5278635c36427-refs/heads/master@{#46746}
[modify] https://crrev.com/b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6/src/map-updater.cc
[modify] https://crrev.com/b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6/src/map-updater.h
[modify] https://crrev.com/b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6/src/objects-debug.cc
[modify] https://crrev.com/b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6/src/objects.cc
[modify] https://crrev.com/b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6/src/objects.h
[modify] https://crrev.com/b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6/src/objects/map-inl.h
[modify] https://crrev.com/b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6/src/objects/map.h
[modify] https://crrev.com/b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6/test/cctest/test-field-type-tracking.cc
[add] https://crrev.com/b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6/test/mjsunit/regress/regress-crbug-738763.js
[add] https://crrev.com/b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6/test/mjsunit/regress/regress-crbug-747979.js
[add] https://crrev.com/b9b0a2e72ef15cd9e30a6bd99f343a9aa7fc26c6/test/mjsunit/regress/regress-crbug-748539.js

Project Member

Comment 10 by bugdroid1@chromium.org, Jul 28 2017

Labels: merge-merged-6.0

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/02d47a027fac8057e7e3923ad1d488ecad3a5381

commit 02d47a027fac8057e7e3923ad1d488ecad3a5381
Author: ishell@chromium.org <ishell@chromium.org>
Date: Fri Jul 28 11:25:20 2017

Merged: Squashed multiple commits.

Merged: [runtime] Don't track "class" field types for arrays with properties.
Revision: 21e7f083851e211cb2af062371d5e3656ec5f38a

Merged: [runtime] Don't create "class" field types for arrays' fields.
Revision: c558369af2f4a53d4b9fdff9534fdc202f27c098

Merged: [runtime] Don't create class field types for arrays' fields.
Revision: 10e4fe3d32c5ca205948ca44f4f2b9edd50b7755

BUG= chromium:738763 , chromium:745844 , chromium:747979 , chromium:748539 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=hablich@chromium.org

Change-Id: I4e3b4717aca1516aa3b531afd23313f6c24cb4c4
Reviewed-on: https://chromium-review.googlesource.com/590232
Reviewed-by: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.0@{#99}
Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1}
Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439}
[modify] https://crrev.com/02d47a027fac8057e7e3923ad1d488ecad3a5381/src/map-updater.cc
[modify] https://crrev.com/02d47a027fac8057e7e3923ad1d488ecad3a5381/src/map-updater.h
[modify] https://crrev.com/02d47a027fac8057e7e3923ad1d488ecad3a5381/src/objects-debug.cc
[modify] https://crrev.com/02d47a027fac8057e7e3923ad1d488ecad3a5381/src/objects.cc
[modify] https://crrev.com/02d47a027fac8057e7e3923ad1d488ecad3a5381/src/objects.h
[modify] https://crrev.com/02d47a027fac8057e7e3923ad1d488ecad3a5381/src/objects/map-inl.h
[modify] https://crrev.com/02d47a027fac8057e7e3923ad1d488ecad3a5381/src/objects/map.h
[modify] https://crrev.com/02d47a027fac8057e7e3923ad1d488ecad3a5381/test/cctest/test-field-type-tracking.cc
[add] https://crrev.com/02d47a027fac8057e7e3923ad1d488ecad3a5381/test/mjsunit/regress/regress-crbug-738763.js
[add] https://crrev.com/02d47a027fac8057e7e3923ad1d488ecad3a5381/test/mjsunit/regress/regress-crbug-747979.js
[add] https://crrev.com/02d47a027fac8057e7e3923ad1d488ecad3a5381/test/mjsunit/regress/regress-crbug-748539.js

Comment 11 by ofrobots@google.com, Oct 10 2017

Labels: NodeJS-Backport-Done

Project Member

Comment 12 by sheriffbot@chromium.org, Oct 25 2017

Labels: -Restrict-View-SecurityNotify allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member

Comment 13 by sheriffbot@chromium.org, Jul 28

Labels: Pri-1

►

Issue 745844 link

Issue metadata

CHECK failure: !field_type->NowStable() || field_type->NowContains(value) || (!FLAG_use_allocat

Issue description

Comment 1 by ishell@chromium.org, Jul 19 2017

Comment 1 Deleted

Comment 2 by bugdroid1@chromium.org, Jul 19 2017

Comment 2 Deleted

Comment 3 by ishell@chromium.org, Jul 19 2017

Comment 3 Deleted

Comment 4 by sheriffbot@chromium.org, Jul 19 2017

Comment 4 Deleted

Comment 5 by ClusterFuzz, Jul 20 2017

Comment 5 Deleted

Comment 6 by bugdroid1@chromium.org, Jul 24 2017

Comment 6 Deleted

Comment 7 by bugdroid1@chromium.org, Jul 24 2017

Comment 7 Deleted

Comment 8 by bugdroid1@chromium.org, Jul 25 2017

Comment 8 Deleted

Comment 9 by bugdroid1@chromium.org, Jul 28 2017

Comment 9 Deleted

Comment 10 by bugdroid1@chromium.org, Jul 28 2017

Comment 10 Deleted

Comment 11 by ofrobots@google.com, Oct 10 2017

Comment 11 Deleted

Comment 12 by sheriffbot@chromium.org, Oct 25 2017

Comment 12 Deleted

Comment 13 by sheriffbot@chromium.org, Jul 28

Comment 13 Deleted

Sign in to add a comment