DCHECK failure in !compilation_info()->dependencies() || !compilation_info()->dependencies()->HasA
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6497670079447040
Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  !compilation_info()->dependencies() || !compilation_info()->dependencies()->HasA
  v8::internal::CompilationJob::FinalizeJob
  GetOptimizedCodeNow
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=45141:45142
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6497670079447040

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.

Nov 19 2017

Nov 20 2017
Oliver, please feel free to un-assign if it's not related to your change.

Nov 20 2017
Nope, before Oliver's change we didn't get the SIGILL stack right; that is why the regression range is wrong. ishell@, can you please find an owner.

Nov 21 2017
Reproduces on TOT and the problem was already there in mid-May.

Nov 21 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nov 21 2017

Nov 21 2017
Requires --function-context-specialization, which is not shipped, hence lowering priority. Will investigate.

Nov 21 2017
Somewhat reduced and cleaned up repro ...

// Flags: --allow-natives-syntax --expose-gc --function-context-specialization
function f() {
  var o = {};
  function g() {
    o.x = 1;
    return Object.create(o);
  };
  gc();
  o.x = 10;
  %OptimizeFunctionOnNextCall(g);
  g();
}
f();
f();
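A flag-free variant of the repro above, added here as an example (it is not part of the bug thread or of V8's own regression test): it exercises the same pattern, Object.create on a closure-captured object that is mutated between g becoming hot and the optimized call, and asserts the semantics an optimized g must preserve. It assumes the engine tiers g up heuristically after a warm-up loop (the thread's %OptimizeFunctionOnNextCall needs --allow-natives-syntax) and calls gc() only when --expose-gc has made it available.

```javascript
// Added example: a flag-free regression check modelled on the repro above.
// Not from the bug thread or V8's test suite. Assumes the engine tiers g()
// up heuristically after a warm-up loop, and uses gc() only if --expose-gc
// has made it available.
function maybeGc() {
  if (typeof gc === "function") gc();
}

// One round of the pattern: a closure-captured prototype object o that is
// mutated between g() becoming hot and the (presumably optimized) call.
function runRound(warmup) {
  var o = {};
  function g() {
    o.x = 1;                  // store into the future prototype inside g
    return Object.create(o);  // o becomes a prototype: its map is mutated
  }
  for (var i = 0; i < warmup; i++) g();  // warm-up: let the JIT tier g up
  maybeGc();
  o.x = 10;                   // mutate o after g has been seen hot
  var created = g();
  return {
    protoIsO: Object.getPrototypeOf(created) === o,
    inheritedX: created.x,    // g stored 1 just before Object.create
    ownX: o.x,
    hasOwnX: Object.prototype.hasOwnProperty.call(created, "x"),
  };
}

// The semantics optimized and unoptimized g() must both preserve.
function roundIsCorrect(r) {
  return r.protoIsO && r.inheritedX === 1 && r.ownX === 1 && !r.hasOwnX;
}

// Run several rounds (fresh o and g each time, like the two f() calls in
// the repro) and report whether every one matched the expected semantics.
function checkAll(rounds, warmup) {
  for (var n = 0; n < rounds; n++) {
    if (!roundIsCorrect(runRound(warmup))) return false;
  }
  return true;
}

console.log(checkAll(3, 5000) ? "semantics preserved" : "MISMATCH");
```

Run it under the build you want to check, once with and once without --function-context-specialization; any "MISMATCH" means the optimized code diverged from the interpreter.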

Nov 28 2017
Friendly ping. :) Any movement in the last week? Per #5, this impacts Stable, right? (Even though hidden behind the flag.)

Dec 6 2017
mstarzinger: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Dec 14 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/a90503d8a9526f9a3e3df4e24e68c8aea1c74f14

commit a90503d8a9526f9a3e3df4e24e68c8aea1c74f14
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Thu Dec 14 11:21:10 2017

[compiler] Prevent dependency invalidation in release mode.

This makes sure that breaking dependencies during compilation is also caught properly in release mode (not only in debug mode). When this happens the generated code would be invalid from the beginning and we need to prevent using such code.

R=bmeurer@chromium.org
BUG=chromium:794394, chromium:786723
Change-Id: I76fd85786c16807389f69a9c44b9f893004b1c6f
Reviewed-on: https://chromium-review.googlesource.com/826635
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50105}

[modify] https://crrev.com/a90503d8a9526f9a3e3df4e24e68c8aea1c74f14/src/compiler.cc

Dec 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/4a7eec590c81a2f953ea5526d9c8731ac4042efb

commit 4a7eec590c81a2f953ea5526d9c8731ac4042efb
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Fri Dec 15 12:36:34 2017

[turbofan] Fix prototype mutation in Object.create lowering.

This makes sure the builtin lowering of Object.create doesn't invalidate any previously taken dependencies. Aborting compilation after such cases would lead to repeating optimization attempts without learning, hence we disallow such situations.

R=verwaest@chromium.org
BUG=chromium:794394, chromium:786723
Change-Id: I6b6928cab19692bbbe3cd241ade862a2306eb0c7
Reviewed-on: https://chromium-review.googlesource.com/827066
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50128}

[modify] https://crrev.com/4a7eec590c81a2f953ea5526d9c8731ac4042efb/src/compiler/js-builtin-reducer.cc
[modify] https://crrev.com/4a7eec590c81a2f953ea5526d9c8731ac4042efb/src/objects.cc
[modify] https://crrev.com/4a7eec590c81a2f953ea5526d9c8731ac4042efb/src/objects/map.h
[add] https://crrev.com/4a7eec590c81a2f953ea5526d9c8731ac4042efb/test/mjsunit/regress/regress-crbug-786723.js

Dec 15 2017

Dec 15 2017

Dec 16 2017
ClusterFuzz has detected this issue as fixed in range 50127:50128.

Detailed report: https://clusterfuzz.com/testcase?key=6497670079447040
Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  !compilation_info()->dependencies() || !compilation_info()->dependencies()->HasA
  v8::internal::CompilationJob::FinalizeJob
  GetOptimizedCodeNow
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=45141:45142
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50127:50128
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6497670079447040

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Dec 16 2017
ClusterFuzz testcase 6497670079447040 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Dec 17 2017

Dec 17 2017
This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Dec 18 2017
abdulsyed@ - good for M64

Dec 19 2017
Thanks - mstarzinger@, can you please confirm whether this is well tested in Canary/Dev and safe to merge?

Dec 27 2017
It's had 8 days in Dev at this point.

Jan 2 2018
As mstarzinger@ is OOO, can you please merge it back to 64, Jaro?

Jan 2 2018
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/422d8c525a4975e1490235199cdbd41cf04688f5

commit 422d8c525a4975e1490235199cdbd41cf04688f5
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Tue Jan 02 15:43:55 2018

Merged: [turbofan] Fix prototype mutation in Object.create lowering.

Revision: 4a7eec590c81a2f953ea5526d9c8731ac4042efb

BUG=chromium:786723, chromium:794394
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=hablich@chromium.org
Change-Id: I3677b90514a710e6dcffe27a346de6ec895859f6
Reviewed-on: https://chromium-review.googlesource.com/847483
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.4@{#24}
Cr-Branched-From: 0407506af3d9d7e2718be1d8759296165b218fcf-refs/heads/6.4.388@{#1}
Cr-Branched-From: a5fc4e085ee543cb608eb11034bc8f147ba388e1-refs/heads/master@{#49724}

[modify] https://crrev.com/422d8c525a4975e1490235199cdbd41cf04688f5/src/compiler/js-builtin-reducer.cc
[modify] https://crrev.com/422d8c525a4975e1490235199cdbd41cf04688f5/src/objects.cc
[modify] https://crrev.com/422d8c525a4975e1490235199cdbd41cf04688f5/src/objects/map.h
[add] https://crrev.com/422d8c525a4975e1490235199cdbd41cf04688f5/test/mjsunit/regress/regress-crbug-786723.js

Jan 5 2018
Please merge the approved cl(s) to M64 release branch 3282 as soon as possible.

Jan 8 2018
Has already been merged (see comment #24), thanks Jaro.

Jan 22 2018

Mar 2 2018

Mar 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Mar 27 2018

Mar 31 2018
Comment 1 by ClusterFuzz, Nov 18 2017
Owner: och...@chromium.org
Status: Assigned (was: Untriaged)