DCHECK failure in result->owns_descriptors() in objects.cc
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5354029789216768
Fuzzer: mbarbella_js_mutation
Job Type: mac_asan_d8_dbg
Platform Id: mac
Crash Type: DCHECK failure
Crash Address:
Crash State: result->owns_descriptors() in objects.cc
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5354029789216768
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Aug 20 2017
Aug 21 2017
rossberg: Assigning to you (v8 sheriff) to help triage, since CF couldn't find a regression range.
Aug 23 2017
rossberg@ is on vacation.
Aug 23 2017
Assigning to new on-duty sheriff.
Aug 24 2017
Somewhat reduced repro ...
// Run with: d8 --allow-natives-syntax (required for %OptimizeFunctionOnNextCall).
var obj1 = {};
var obj2 = {};
function h() {}
h.prototype = obj2;           // obj2 becomes a prototype object, so its map is a prototype map
function g(v) {
  v.constructor;              // property load; its feedback records the receiver maps seen here
}
function f() {
  g(obj1);
}
obj1.x = 0;
f();                          // g's feedback now holds obj1's map
obj1.__defineGetter__("x", function() {});  // redefine x as an accessor property on obj1
%OptimizeFunctionOnNextCall(f);
g(obj2);                      // g's feedback now also holds obj2's (prototype) map
obj2.y = 0;                   // obj2 moves to a new map; the map recorded in the feedback is left behind
f();                          // optimizing f walks the recorded maps (Map::FindRootMap via
                              // ExtractReceiverMaps) and hits the owns_descriptors() DCHECK
Aug 24 2017
The Map we are trying to find the root map for looks "weird", descriptor array being the EmptyFixedArray but the map not owning it ... I will need help from the runtime team with this ...
Aug 24 2017
Actually pasting the map ...
0x1f8bcaa8d519: [Map]
 - type: JS_OBJECT_TYPE
 - instance size: 56
 - inobject properties: 4
 - elements kind: HOLEY_ELEMENTS
 - unused property fields: 4
 - enum length: invalid
 - prototype_map
 - prototype info: 0
 - instance descriptors #0: 0x8839ea02231 <FixedArray[0]>
 - layout descriptor: 0
 - prototype: 0x338152f845f9 <Object map = 0x1f8bcaa822b1>
 - constructor: 0x338152f84631 <JSFunction Object (sfi = 0x8839ea0c3d9)>
 - code cache: 0x8839ea02241 <FixedArray[0]>
 - dependent code: 0x8839ea02241 <FixedArray[0]>
 - construction counter: 0
Aug 24 2017
We should actually not look at that prototype map anymore.
Aug 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/8974b75bce037555cb93c4d501176986dd0dc935

commit 8974b75bce037555cb93c4d501176986dd0dc935
Author: Camillo Bruni <cbruni@chromium.org>
Date: Thu Aug 24 16:55:13 2017

[runtime] Deprecate old prototype maps

Bug: chromium:757199
Change-Id: I5936fab1784ebf8de6eddd3b2bec0e2cf1b73f82
Reviewed-on: https://chromium-review.googlesource.com/632317
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47581}

[modify] https://crrev.com/8974b75bce037555cb93c4d501176986dd0dc935/src/feedback-vector.cc
[modify] https://crrev.com/8974b75bce037555cb93c4d501176986dd0dc935/src/objects.cc
[add] https://crrev.com/8974b75bce037555cb93c4d501176986dd0dc935/test/mjsunit/regress/regress-crbug-757199.js
Aug 25 2017
ClusterFuzz has detected this issue as fixed in range 47580:47581.

Detailed report: https://clusterfuzz.com/testcase?key=5354029789216768
Fuzzer: mbarbella_js_mutation
Job Type: mac_asan_d8_dbg
Platform Id: mac
Crash Type: DCHECK failure
Crash Address:
Crash State:
  result->owns_descriptors() in objects.cc
  v8::internal::Map::FindRootMap
  v8::internal::compiler::JSNativeContextSpecialization::ExtractReceiverMaps
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=47580:47581
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5354029789216768
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 25 2017
Aug 25 2017
ClusterFuzz testcase 5354029789216768 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 25 2017
Revert about to land; the initial fix caused serious performance regressions.
Aug 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/0582f029df3ef9eaea7a9260dbffb07614c6cf75

commit 0582f029df3ef9eaea7a9260dbffb07614c6cf75
Author: Camillo Bruni <cbruni@chromium.org>
Date: Fri Aug 25 08:59:20 2017

Revert "[runtime] Deprecate old prototype maps"

This reverts commit 8974b75bce037555cb93c4d501176986dd0dc935.

Reason for revert: In hindsight, the CL made only partially sense and causes unnecessary IC-misses.

Original change's description:
> [runtime] Deprecate old prototype maps
>
> Bug: chromium:757199
> Change-Id: I5936fab1784ebf8de6eddd3b2bec0e2cf1b73f82
> Reviewed-on: https://chromium-review.googlesource.com/632317
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47581}

TBR=cbruni@chromium.org,ishell@chromium.org

Change-Id: I9f43a5f8c5242f575346f47c24377dd832eeccd1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:757199
Reviewed-on: https://chromium-review.googlesource.com/634906
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47594}

[modify] https://crrev.com/0582f029df3ef9eaea7a9260dbffb07614c6cf75/src/feedback-vector.cc
[modify] https://crrev.com/0582f029df3ef9eaea7a9260dbffb07614c6cf75/src/objects.cc
[delete] https://crrev.com/2ee967d253f0cc6a7dd61633f1176489711ef8a3/test/mjsunit/regress/regress-crbug-757199.js
Aug 25 2017
Additional secondary test-case:
(0).__defineGetter__(0, function() { });  // define an accessor element (index 0) on a boxed Number
Number.prototype[0] = "string";           // then add element 0 to Number.prototype, a prototype object
Aug 25 2017
Aug 25 2017
Aug 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/8a7ce927a685d4007e02298881d85c7d5f273777

commit 8a7ce927a685d4007e02298881d85c7d5f273777
Author: Camillo Bruni <cbruni@chromium.org>
Date: Fri Aug 25 10:44:29 2017

Don't look at abandoned prototype maps when looking for root maps

Bug: chromium:757199, chromium:758773, chromium:758821
Change-Id: I70644853770501b13992bd7bf78d168ca2308d64
Reviewed-on: https://chromium-review.googlesource.com/635223
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47603}

[modify] https://crrev.com/8a7ce927a685d4007e02298881d85c7d5f273777/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/8a7ce927a685d4007e02298881d85c7d5f273777/test/mjsunit/regress/regress-crbug-757199.js
[add] https://crrev.com/8a7ce927a685d4007e02298881d85c7d5f273777/test/mjsunit/regress/regress-crbug-758773.js
Aug 28 2017
This seems to have stuck and not caused any regressions on the previously affected benchmarks.
Aug 28 2017
Awesome. Thanks Camillo!
Aug 28 2017
Sep 5 2017
Sep 15 2017
Sep 15 2017
This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Sep 15 2017
+awhalley@ - can you please confirm if this needs to be taken for M62?
Sep 16 2017
cbruni@ in #20 confirmed this has landed OK in M62 - no merge needed.
Sep 16 2017
Oct 16 2017
Dec 4 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Aug 20 2017