Detailed report: https://clusterfuzz.com/testcase?key=5755933803413504

Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000001
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=491722:491739

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5755933803413504

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Also bisects to 15ef03cbf3a439a99966a6e718e99f0617a9f604 (Reland "[builtins] Port getting property from Proxy to CSA"). Looks like a duplicate of crbug.com/752712, but needs confirmation.
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/ceb55494bd13eb854b16b4daba1750a27049b106

commit ceb55494bd13eb854b16b4daba1750a27049b106
Author: Maya Lekova <mslekova@google.com>
Date: Mon Aug 07 15:57:14 2017

Revert "Reland "[builtins] Port getting property from Proxy to CSA""

This reverts commit 15ef03cbf3a439a99966a6e718e99f0617a9f604.

Reason for revert: Found the following bugs
Bug: chromium:752846, chromium:752712, chromium:752850

Original change's description:
> Reland "[builtins] Port getting property from Proxy to CSA"
>
> This reland is after fix in [heap] Delete wrong DCHECK.
> It includes moving ProxyGetProperty to its own stub to reduce
> binary size.
>
> This is a reland of 47a97aa53bcc0f44c1609633795b2c147a010ba5
> Original change's description:
> > [builtins] Port getting property from Proxy to CSA
> >
> > Bug: v8:6559, v8:6557
> > Change-Id: If6c51f5483adb73ddd2495cede5d85e887a3c298
> > Reviewed-on: https://chromium-review.googlesource.com/589212
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Commit-Queue: Maya Lekova <mslekova@google.com>
> > Cr-Commit-Position: refs/heads/master@{#47113}
>
> Bug: v8:6559, v8:6557
> Change-Id: I76acd97ba1acb62b7e7983db1741441d997050f0
> Reviewed-on: https://chromium-review.googlesource.com/600215
> Commit-Queue: Maya Lekova <mslekova@google.com>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47159}

TBR=jkummerow@chromium.org,mstarzinger@chromium.org,franzih@chromium.org,jgruber@chromium.org,ishell@chromium.org,bmeurer@chromium.org,mslekova@google.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Change-Id: I51bef25a031b02cf4deab11282473acae57f1ed3
Reviewed-on: https://chromium-review.googlesource.com/603708
Commit-Queue: Maya Lekova <mslekova@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47200}

[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/BUILD.gn
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/builtins/builtins-definitions.h
[delete] https://crrev.com/a704cc7932faa3558386ae163a6ff55f78aa5f2c/src/builtins/builtins-proxy-helpers-gen.cc
[delete] https://crrev.com/a704cc7932faa3558386ae163a6ff55f78aa5f2c/src/builtins/builtins-proxy-helpers-gen.h
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/code-stub-assembler.cc
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/code-stub-assembler.h
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/ic/accessor-assembler.cc
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/ic/handler-configuration-inl.h
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/ic/handler-configuration.h
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/ic/ic.cc
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/ic/ic.h
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/objects.cc
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/objects.h
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/objects/map.h
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/runtime/runtime-proxy.cc
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/runtime/runtime.h
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/src/v8.gyp
[modify] https://crrev.com/ceb55494bd13eb854b16b4daba1750a27049b106/test/mjsunit/es6/proxies-get.js
ClusterFuzz has detected this issue as fixed in range 492361:492517.

Detailed report: https://clusterfuzz.com/testcase?key=5755933803413504

Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000001
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=491722:491739
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=492361:492517

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5755933803413504

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
ClusterFuzz testcase 5755933803413504 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by clemensh@chromium.org, Aug 7 2017
Owner: fran...@chromium.org
Status: Assigned (was: Untriaged)