DCHECK failure in raw_properties_or_hash()->IsDictionary() == map()->is_dictionary_map() in object |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6222290936397824 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: DCHECK failure Crash Address: Crash State: raw_properties_or_hash()->IsDictionary() == map()->is_dictionary_map() in object HasFastProperties v8::internal::JSReceiver::property_dictionary Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48929:48930 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6222290936397824 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Oct 31 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/b1aaa6af5d6d95dba407d88af6d1bca765c4305c ([es2015] Unify hash storage for JSProxy and JSGlobalProxy.). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
,
Oct 31 2017
Here's a simplified repro:
assertThrows(function() {
const p = new Proxy({}, {});
(new Set).add(p); // compute the hash code for p
null[p] = 0;
});
Somehow the LookupIterator walks into LookupIterator::LookupInRegularHolder for the JSProxy p while constructing the error message, which doesn't look right. Assigning to jkummerow@ for investigation.
,
Oct 31 2017
LookupInRegularHolder is fine, "regular" just means "no interceptors, no access checks". It takes a JSReceiver, so Proxies are handled there. The only problem is an outdated DCHECK in HasFastProperties: https://chromium-review.googlesource.com/#/c/v8/v8/+/747272
,
Oct 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/a5b0d640c2670243b800bff1273f6afc39cc4a37 commit a5b0d640c2670243b800bff1273f6afc39cc4a37 Author: Jakob Kummerow <jkummerow@chromium.org> Date: Tue Oct 31 18:06:43 2017 Fix DCHECK in HasFastProperties Objects with both dictionary and non-dictionary maps can store their hash in the {properties} field when they have no other properties. Bug: chromium:778952 Change-Id: I8ac8c31eaac32116415e3c65cef8dee260dca2c9 Reviewed-on: https://chromium-review.googlesource.com/747272 Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#49056} [modify] https://crrev.com/a5b0d640c2670243b800bff1273f6afc39cc4a37/src/objects-inl.h [add] https://crrev.com/a5b0d640c2670243b800bff1273f6afc39cc4a37/test/mjsunit/regress/regress-crbug-778952.js
,
Oct 31 2017
,
Nov 1 2017
ClusterFuzz has detected this issue as fixed in range 49055:49056. Detailed report: https://clusterfuzz.com/testcase?key=6222290936397824 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: DCHECK failure Crash Address: Crash State: raw_properties_or_hash()->IsDictionary() == map()->is_dictionary_map() in object HasFastProperties v8::internal::JSReceiver::property_dictionary Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48929:48930 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49055:49056 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6222290936397824 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 1 2017
ClusterFuzz testcase 6222290936397824 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 7 2017
|
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by sheriffbot@chromium.org
, Oct 27 2017