Issue 793863 link

Starred by 1 user

Issue metadata

Status:	Verified
Owner:	jarin@chromium.org
Closed:	Dec 2017
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	Linux , Android , Windows , Chrome , Mac
Pri:	1
Type:	Bug-Security
Reproducible Security_Impact-Stable Security_Severity-High allpublic Clusterfuzz ClusterFuzz-Verified M-65 Test-Predator-Auto-Owner

CHECK failure: arg_elements == isolate->heap()->empty_fixed_array() in objects-debug.cc

Project Member Reported by ClusterFuzz, Dec 11 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4779895258611712

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  arg_elements == isolate->heap()->empty_fixed_array() in objects-debug.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=49981:49982

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4779895258611712

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Project Member

Comment 1 by ClusterFuzz, Dec 11 2017

Labels: Test-Predator-Auto-Owner
Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/1da91b838989cebaca89d7826df23a067bae077a (Reland "[deoptimizer] Staged materialization of objects.").

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 2 by elawrence@chromium.org, Dec 11 2017

Labels: Security_Impact-Head M-65 OS-Android OS-Chrome OS-Mac OS-Windows Pri-1

Project Member

Comment 3 by bugdroid1@chromium.org, Dec 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/bee8c168958030946f0f89fde60673aa4d3b43a1

commit bee8c168958030946f0f89fde60673aa4d3b43a1
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Tue Dec 12 12:56:13 2017

[deoptimizer] Use empty fixed array when materializing empty arguments elements.

Bug:  chromium:793863 
Change-Id: I68860924c3252184f63dbea8561e5c4fe6bfa4ca
Reviewed-on: https://chromium-review.googlesource.com/822071
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50028}
[modify] https://crrev.com/bee8c168958030946f0f89fde60673aa4d3b43a1/src/deoptimizer.cc
[add] https://crrev.com/bee8c168958030946f0f89fde60673aa4d3b43a1/test/mjsunit/compiler/regress-793863.js

Project Member

Comment 4 by ClusterFuzz, Dec 13 2017

ClusterFuzz has detected this issue as fixed in range 50027:50028.

Detailed report: https://clusterfuzz.com/testcase?key=4779895258611712

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  arg_elements == isolate->heap()->empty_fixed_array() in objects-debug.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=49981:49982
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=50027:50028

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4779895258611712

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member

Comment 5 by ClusterFuzz, Dec 13 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)

ClusterFuzz testcase 4779895258611712 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Project Member

Comment 6 by sheriffbot@chromium.org, Dec 13 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Project Member

Comment 7 by bugdroid1@chromium.org, Dec 14 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/917b9cb9fc465a03178632ab211bbb30af08b56d

commit 917b9cb9fc465a03178632ab211bbb30af08b56d
Author: Michael Hablich <hablich@chromium.org>
Date: Thu Dec 14 08:33:20 2017

Revert "[deoptimizer] Use empty fixed array when materializing empty arguments elements."

This reverts commit bee8c168958030946f0f89fde60673aa4d3b43a1.

Reason for revert: blocks roll https://chromium-review.googlesource.com/c/chromium/src/+/822232

Original change's description:
> [deoptimizer] Use empty fixed array when materializing empty arguments elements.
>
> Bug:  chromium:793863 
> Change-Id: I68860924c3252184f63dbea8561e5c4fe6bfa4ca
> Reviewed-on: https://chromium-review.googlesource.com/822071
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50028}

TBR=jarin@chromium.org,tebbi@chromium.org

NOTRY=true

Bug:  chromium:793863 
Change-Id: Iee622cd96333671277029fdd766f4ea137c9efc2
Reviewed-on: https://chromium-review.googlesource.com/826962
Commit-Queue: Michael Hablich <hablich@chromium.org>
Reviewed-by: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50098}
[modify] https://crrev.com/917b9cb9fc465a03178632ab211bbb30af08b56d/src/deoptimizer.cc
[delete] https://crrev.com/9d3e0774c9ad60daacac47e32c262f0d1ece17d7/test/mjsunit/compiler/regress-793863.js

Project Member

Comment 8 by bugdroid1@chromium.org, Dec 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d6e68f433431732b21d9b2d9692e31a4f86319fa

commit d6e68f433431732b21d9b2d9692e31a4f86319fa
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Fri Dec 15 05:55:39 2017

Reland "[deoptimizer] Use empty fixed array when materializing empty arguments elements."

This reverts commit 917b9cb9fc465a03178632ab211bbb30af08b56d.

In this CL, we canonicalize the fixed array when allocating storage for
empty fixed array. During initialization, we also make sure that we do
not write to the empty fixed array. This is quite hacky, but it
seems to be the least intrusive change.

Bug:  chromium:793863 
Change-Id: I1449ebac7c1e390467566a759bf70e7e2fabda31
Reviewed-on: https://chromium-review.googlesource.com/827013
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50119}
[modify] https://crrev.com/d6e68f433431732b21d9b2d9692e31a4f86319fa/src/deoptimizer.cc
[add] https://crrev.com/d6e68f433431732b21d9b2d9692e31a4f86319fa/test/mjsunit/compiler/regress-793863.js

Project Member

Comment 9 by sheriffbot@chromium.org, Mar 21 2018

Labels: -Restrict-View-SecurityNotify allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member

Comment 10 by sheriffbot@chromium.org, Mar 27 2018

Labels: -Security_Impact-Head Security_Impact-Stable

►

Issue 793863 link

Issue metadata

CHECK failure: arg_elements == isolate->heap()->empty_fixed_array() in objects-debug.cc

Issue description

Comment 1 by ClusterFuzz, Dec 11 2017

Comment 1 Deleted

Comment 2 by elawrence@chromium.org, Dec 11 2017

Comment 2 Deleted

Comment 3 by bugdroid1@chromium.org, Dec 12 2017

Comment 3 Deleted

Comment 4 by ClusterFuzz, Dec 13 2017

Comment 4 Deleted

Comment 5 by ClusterFuzz, Dec 13 2017

Comment 5 Deleted

Comment 6 by sheriffbot@chromium.org, Dec 13 2017

Comment 6 Deleted

Comment 7 by bugdroid1@chromium.org, Dec 14 2017

Comment 7 Deleted

Comment 8 by bugdroid1@chromium.org, Dec 15 2017

Comment 8 Deleted

Comment 9 by sheriffbot@chromium.org, Mar 21 2018

Comment 9 Deleted

Comment 10 by sheriffbot@chromium.org, Mar 27 2018

Comment 10 Deleted

Sign in to add a comment