Issue metadata
CHECK failure: frame_state->opcode() == IrOpcode::kFrameState || (node->opcode() == IrOpcode::k
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5786307229122560
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  frame_state->opcode() == IrOpcode::kFrameState || (node->opcode() == IrOpcode::k
  v8::platform::PrintStackTrace
  v8::internal::compiler::Verifier::Visitor::Check
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5786307229122560
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Nov 26 2017
bmeurer@, could you take a look at this issue? Thanks!
Nov 26 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 27 2017
+awhalley@
Nov 28 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/904c3a1f091d3ff6f19451fced343392a5ec944a

commit 904c3a1f091d3ff6f19451fced343392a5ec944a
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Tue Nov 28 09:09:09 2017

[turbofan] fix dead code elimination: propagate DeadValue along FrameState inputs

Bug: chromium:788539
Change-Id: I75b6ef7e486b578f123747d79f52c9eb45a0370e
Reviewed-on: https://chromium-review.googlesource.com/792050
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49654}

[modify] https://crrev.com/904c3a1f091d3ff6f19451fced343392a5ec944a/src/compiler/dead-code-elimination.cc
[add] https://crrev.com/904c3a1f091d3ff6f19451fced343392a5ec944a/test/mjsunit/compiler/regress-788539.js
Nov 28 2017
This issue was introduced by https://chromium-review.googlesource.com/772150, so it doesn't affect M63.
Nov 28 2017
thanks!
Nov 29 2017
ClusterFuzz has detected this issue as fixed in range 49653:49654.

Detailed report: https://clusterfuzz.com/testcase?key=5786307229122560
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  frame_state->opcode() == IrOpcode::kFrameState || (node->opcode() == IrOpcode::k
  v8::platform::PrintStackTrace
  v8::internal::compiler::Verifier::Visitor::Check
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=49653:49654
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5786307229122560
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 29 2017
ClusterFuzz testcase 5786307229122560 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 6 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jialiul@chromium.org, Nov 26 2017