CHECK failure: scope_data_->RemainingBytes() >= kUint8Size in preparsed-scope-data.cc |
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5464031245893632
Fuzzer: decoder_langfuzz
Job Type: linux_ubsan_vptr_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: scope_data_->RemainingBytes() >= kUint8Size in preparsed-scope-data.cc
Sanitizer: undefined (UBSAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5464031245893632
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Oct 4 2017
Looking. Probably a bug related to sloppy block function hoisting (in the preparser) when the catch variable name clashes with the function name.
Oct 5 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/f6f5bafe4133038112d7e00426957c167bc5966d

commit f6f5bafe4133038112d7e00426957c167bc5966d
Author: Marja Hölttä <marja@chromium.org>
Date: Thu Oct 05 12:00:45 2017

[parser] Skipping inner funcs: Fix hoisting.

The catch variable is a special VAR-mode variable which is not in a declaration scope. Normally creating such a variable is not possible with DeclareVariable, but Parser bypasses it by calling DeclareLocal directly (which doesn't have the hoisting check).

PreParser used to cut corners and declare the catch variable as a LET-mode variable to prevent hoisting. But since LET and VAR variables behave differently when deciding whether they block sloppy block function hoisting, that approach doesn't fly.

BUG=v8:5516, chromium:771474
Change-Id: Ic6f5f4996416c9fa59132725c8b0b6b570c72f48
Reviewed-on: https://chromium-review.googlesource.com/700634
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48308}

[modify] https://crrev.com/f6f5bafe4133038112d7e00426957c167bc5966d/src/ast/scopes.cc
[modify] https://crrev.com/f6f5bafe4133038112d7e00426957c167bc5966d/src/ast/scopes.h
[modify] https://crrev.com/f6f5bafe4133038112d7e00426957c167bc5966d/src/parsing/preparser.h
[modify] https://crrev.com/f6f5bafe4133038112d7e00426957c167bc5966d/test/cctest/parsing/test-preparser.cc
[modify] https://crrev.com/f6f5bafe4133038112d7e00426957c167bc5966d/test/mjsunit/skipping-inner-functions.js
Oct 7 2017
ClusterFuzz has detected this issue as fixed in range 48307:48308.
Detailed report: https://clusterfuzz.com/testcase?key=5464031245893632
Fuzzer: decoder_langfuzz
Job Type: linux_ubsan_vptr_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: scope_data_->RemainingBytes() >= kUint8Size in preparsed-scope-data.cc
Sanitizer: undefined (UBSAN)
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=48307:48308
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5464031245893632
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 7 2017
ClusterFuzz testcase 5464031245893632 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 27 2017
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review.
Please contact the milestone owner if you have questions.
Owners: cmasso@ (Android), cmasso@ (iOS), gkihumba@ (ChromeOS), govind@ (Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Oct 27 2017
+awhalley@ (Security TPM) for M63 merge review
Oct 30 2017
No 63 merge needed.
Jan 13 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Oct 4 2017
Owner: marja@chromium.org
Status: Assigned (was: Untriaged)
Seems to be caused by "--preparser-scope-analysis". Reproduces nicely. The following is a reduced repro and triggers slightly different asserts between release and debug mode.

    function f() {
      try {
      } catch (e) {
        if (false) {
          function e() { return 42 }
        }
      }
    }
    f();