Null-dereference READ in Relaxed_Load
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6133102861877248

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000002
Crash State:
  Relaxed_Load
  map_word
  map

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48197:48198

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6133102861877248

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Oct 7 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/ac4756360f56aadd42c1cc27925cfee37b01936f (Reland "[turbofan] Implement lowering of {JSCreateClosure}."). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Oct 9 2017
Materialization of JSFunction objects with in-object properties seems to be busted.
Oct 9 2017
Issue 772607 has been merged into this issue.
Oct 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/c34a29549f0d392f042b08cd59d9082db0292698

commit c34a29549f0d392f042b08cd59d9082db0292698
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Oct 09 14:01:05 2017

[deoptimizer] Fix JSFunction materialization instance size.

This ensures the JSFunction objects materialized by the deoptimizer have the correct instance size (depending on the given map). There are corner cases where the instance size might vary due to in-object properties.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-772610
BUG=chromium:772610

Change-Id: I4808c7260db1adbd1cdc3871c2a946475e4934f2
Reviewed-on: https://chromium-review.googlesource.com/707109
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48383}

[modify] https://crrev.com/c34a29549f0d392f042b08cd59d9082db0292698/src/deoptimizer.cc
[add] https://crrev.com/c34a29549f0d392f042b08cd59d9082db0292698/test/mjsunit/regress/regress-crbug-772610.js
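The commit above describes the code path at issue: closures created by optimized code (JSCreateClosure), kept unallocated by escape analysis, and then materialized by the deoptimizer with an instance size that must follow the function's map because properties can live in-object. The script below is an added illustration of that pattern in plain JavaScript; it is not the regress-crbug-772610.js test from the commit (that file's contents are not on this page) and it does not reproduce the crash on an engine that carries the fix. It creates a fresh function object inside a hot function, stores properties directly on each function object, and then perturbs argument types so that an optimizing compiler has to deoptimize. Whether TurboFan actually elides those allocations and later materializes them, and whether the properties end up in-object, depends on engine version and flags, so that part is an assumption; the script only asserts the language-visible results, which must hold before and after any deoptimization. All names (makeClosure, hot, stress, independent) are invented for the example.

```javascript
'use strict';
// Added example, not code from the V8 bug thread or from the V8 repository.
// Assumption: on an optimizing engine, hot() gets compiled by the optimizer
// after enough iterations and deoptimized when the argument type changes.

function makeClosure(tag, x) {
  // Each call creates a new JSFunction (a JSCreateClosure in the optimized
  // graph). Properties are stored on the function object itself; whether
  // they are in-object or out-of-line is up to the engine's map for it.
  const fn = function () { return x; };
  fn.tag = tag;
  fn.twice = x + x;
  return fn;
}

function hot(i, y) {
  // Creating the closure and consuming it in the same function gives escape
  // analysis a chance to keep it unallocated until a deopt forces
  // materialization, which is exactly where the instance size matters.
  const c = makeClosure('t' + (i % 3), y);
  return c() + c.twice + c.tag.length;
}

function stress(iterations) {
  let acc = 0;
  // Warm-up with small integers so the optimizer speculates on that type.
  for (let i = 0; i < iterations; i++) acc += hot(i, 2);
  // Switch the argument to a double: invalidates the speculated feedback and
  // should trigger a deoptimization of hot() with a live closure to rebuild.
  acc += hot(iterations, 1.5);
  // And then to a string, to exercise yet another representation.
  const c = makeClosure('after', 'abc');
  return { acc, tag: c.tag, twice: c.twice, call: c() };
}

function independent() {
  // Two closures from the same site must be distinct objects with their own
  // property storage; sharing would indicate a materialization mix-up.
  const a = makeClosure('a', 1);
  const b = makeClosure('b', 2);
  return a !== b && a.tag === 'a' && b.tag === 'b' && a.twice === 2 && b.twice === 4;
}

// Run stand-alone: node this_file.js
const result = stress(10000);
console.log(result, independent());
```

With d8 and --allow-natives-syntax, the optimize-then-deopt step can be forced deterministically with %OptimizeFunctionOnNextCall(hot) and %DeoptimizeFunction(hot) instead of relying on iteration counts, which is how V8's mjsunit regression tests are usually written; those natives are intentionally left out here so the script runs under a stock node without flags.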
Oct 9 2017
Issue 772875 has been merged into this issue.
Oct 10 2017
ClusterFuzz has detected this issue as fixed in range 48382:48383.

Detailed report: https://clusterfuzz.com/testcase?key=6133102861877248

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000002
Crash State:
  Relaxed_Load
  map_word
  map

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48197:48198
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48382:48383

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6133102861877248

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 10 2017
ClusterFuzz testcase 5494254125449216 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 7 2017
Comment 1 by ClusterFuzz
Labels: Test-Predator-AutoComponents