
Issue 793689 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 793671
Owner:
Last visit > 30 days ago
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug

Blocking:
issue v8:6876




Null-dereference READ in instance_type

Project Member Reported by ClusterFuzz, Dec 10 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5161446462980096

Fuzzer: mbarbella_js_mutation
Job Type: mac_asan_d8_dbg
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  instance_type
  IsFixedArray
  set
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=49976:49977

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5161446462980096

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Dec 10 2017

Labels: Test-Predator-Auto-Owner
Owner: ca...@igalia.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/84a71a585a4d4c6e868131b6ab5cb56f163abce2 ([parser] classify binding pattern errors when parsing await expression).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 2 by caitp@chromium.org, Dec 11 2017

Cc: caitp@chromium.org
Owner: mtrofin@chromium.org
This failure has nothing to do with my CL (it's failing in the preceding commit f3897c7e9e643f639a8772c31087b9f4d98eaeb3). I'm suspicious that ClusterFuzz automatically assigns bugs when it finds a non-@google.com/@chromium.com author in a failing patch before finding the actual cause. That's really a very bad thing to do, because it's a detractor for non-Googler contributors, and it gets in the way of finding the actual problem.

If I had to guess, it looks related to 59f221740c942f8e7d8cef87b1a09de353ba359a and the related patches after it (possibly only visible after f2e19a63873a700e6c0a1bca35e8301bd50db4e1 (--future in the repro command line)), but I don't have time to dig into details and find the proper responsible commit right now.

Comment 3 by caitp@chromium.org, Dec 11 2017

Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Labels: -Test-Predator-Auto-Owner Test-Predator-Wrong
Labels: -Pri-1 Pri-2
Status: Started (was: Assigned)
Very likely this is a duplicate of chromium:793671. I'll validate once the fix for that lands.

Lowering priority, because this is a bug happening under the --future flag only.
Blocking: v8:6876
Project Member

Comment 6 by ClusterFuzz, Dec 13 2017

ClusterFuzz has detected this issue as fixed in range 50002:50003.

Detailed report: https://clusterfuzz.com/testcase?key=5161446462980096

Fuzzer: mbarbella_js_mutation
Job Type: mac_asan_d8_dbg
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  instance_type
  IsFixedArray
  set
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=49976:49977
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=50002:50003

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5161446462980096

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mergedinto: 793671
Status: Duplicate (was: Started)
#6 confirms my hypothesis (#4).
