CHECK failure: object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() |
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5287315428868096
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString()
v8::internal::LargeObjectSpace::Verify
v8::internal::Heap::Verify
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50422:50423
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5287315428868096
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Jan 9 2018
Automatically adding ccs based on suspected regression changelists: Optimize TypedArraySpeciesCreate using SpeciesProtector of Array by cwhan.tunz@gmail.com - https://chromium.googlesource.com/v8/v8/+/8fbc6a05c102189a8f1d2870dd2a4028ab255580 If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
Jan 9 2018
I don't have permission to access the testcase.
Jan 9 2018
Full stack trace and minimized testcase:
+----------------------------------------Release Build Stacktrace----------------------------------------+
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/d8 --random-seed=192639767 --verify-heap --invoke-weak-callbacks --omit-quit --disable-in-process-stack-traces --future /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-01723.js
[Environment] ASAN_OPTIONS = redzone=32:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=1:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:coverage=0:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=1:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1
#
# Fatal error in ../../src/heap/spaces.cc, line 3363
# Check failed: object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() || object->IsThinString() || object->IsFixedArray() || object->IsFixedDoubleArray() || object->IsPropertyArray() || object->IsByteArray() || object->IsFeedbackVector() || object->IsBigInt() || object->IsFreeSpace().
#
==== C stack trace ===============================
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/d8(__interceptor_backtrace+0x61) [0x7fa395dd8fa1]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/./libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x13) [0x7fa395d00273]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/./libv8_libplatform.so(+0x2380a) [0x7fa395cb080a]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/./libv8_libbase.so(V8_Fatal(char const*, int, char const*, ...)+0x1ae) [0x7fa395cf002e]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/./libv8.so(v8::internal::LargeObjectSpace::Verify()+0x13c2) [0x7fa39433d932]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/./libv8.so(v8::internal::Heap::Verify()+0x71d) [0x7fa39419375d]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/./libv8.so(v8::internal::Heap::GarbageCollectionPrologue()+0x401) [0x7fa3941923a1]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/./libv8.so(v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags)+0x5ca) [0x7fa3941a1e8a]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/./libv8.so(v8::internal::Heap::FinalizeIncrementalMarkingIfComplete(v8::internal::GarbageCollectionReason)+0x4b4) [0x7fa3941d92f4]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/./libv8.so(v8::internal::IncrementalMarkingJob::Task::RunInternal()+0x37c) [0x7fa39421001c]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/./libv8_libplatform.so(v8::platform::DefaultPlatform::PumpMessageLoop(v8::Isolate*, v8::platform::MessageLoopBehavior)+0x4bb) [0x7fa395cadbab]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/d8(+0x16e970) [0x7fa395e81970]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/d8(v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, bool, bool)+0xe29) [0x7fa395e60b29]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/d8(v8::SourceGroup::Execute(v8::Isolate*)+0x424) [0x7fa395e795d4]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/d8(v8::Shell::RunMain(v8::Isolate*, int, char**, bool)+0x69f) [0x7fa395e8101f]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/d8(v8::Shell::Main(int, char**)+0x1e00) [0x7fa395e85440]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fa38fef6f45]
/mnt/scratch0/clusterfuzz/slave-bot/builds/v8-asan_linux-debug_1f17dda3b0e56007440db98eafbaad9618b3d0fa/revisions/d8-asan-linux-debug-v8-component-50424/d8(_start+0x2a) [0x7fa395d8e02a]
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2476==ERROR: AddressSanitizer: ILL on unknown address 0x7fa395cfbe8c (pc 0x7fa395cfbe8c bp 0x7ffd135f9790 sp 0x7ffd135f9790 T0)
SCARINESS: 10 (signal)
    #0 0x7fa395cfbe8b in v8::base::OS::Abort() src/base/platform/platform-posix.cc:372:5
    #1 0x7fa395cf005c in V8_Fatal(char const*, int, char const*, ...) src/base/logging.cc:136:3
    #2 0x7fa39433d931 in v8::internal::LargeObjectSpace::Verify() src/heap/spaces.cc:3358:5
    #3 0x7fa39419375c in v8::internal::Heap::Verify() src/heap/heap.cc:4735:14
    #4 0x7fa3941923a0 in v8::internal::Heap::GarbageCollectionPrologue() src/heap/heap.cc:583:7
    #5 0x7fa3941a1e89 in v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) src/heap/heap.cc:1248:5
    #6 0x7fa3941d92f3 in CollectAllGarbage src/heap/heap.cc:1110:3
    #7 0x7fa3941d92f3 in v8::internal::Heap::FinalizeIncrementalMarkingIfComplete(v8::internal::GarbageCollectionReason) src/heap/heap.cc:4182
    #8 0x7fa39421001b in Step src/heap/incremental-marking-job.cc:39:9
    #9 0x7fa39421001b in v8::internal::IncrementalMarkingJob::Task::RunInternal() src/heap/incremental-marking-job.cc:63
    #10 0x7fa395cadbaa in v8::platform::DefaultPlatform::PumpMessageLoop(v8::Isolate*, v8::platform::MessageLoopBehavior) src/libplatform/default-platform.cc:159:9
    #11 0x7fa395e8196f in v8::(anonymous namespace)::ProcessMessages(v8::Isolate*, std::__1::function<v8::platform::MessageLoopBehavior ()>) src/d8.cc:3000:12
    #12 0x7fa395e60b28 in EmptyMessageQueues src/d8.cc:3036:10
    #13 0x7fa395e60b28 in v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, bool, bool) src/d8.cc:683
    #14 0x7fa395e795d3 in v8::SourceGroup::Execute(v8::Isolate*) src/d8.cc:2496:10
    #15 0x7fa395e8101e in v8::Shell::RunMain(v8::Isolate*, int, char**, bool) src/d8.cc:2945:34
    #16 0x7fa395e8543f in v8::Shell::Main(int, char**) src/d8.cc:3446:16
    #17 0x7fa38fef6f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ILL src/base/platform/platform-posix.cc:372:5 in v8::base::OS::Abort()
==2476==ABORTING
Jan 9 2018
+reviewers of the suspect CL. Can you please follow up on this, thanks!
Jan 10 2018
Issue 800615 has been merged into this issue.
Jan 10 2018
The repro is:
v4 = Math.floor(0xFFFFFFFF / 4) + 1;
v11 = new Uint8Array(v4);
v18 = v11.slice();
We're failing this CHECK in LargeObjectSpace::Verify:
CHECK(object->IsAbstractCode() || object->IsSeqString() ||
object->IsExternalString() || object->IsThinString() ||
object->IsFixedArray() || object->IsFixedDoubleArray() ||
object->IsPropertyArray() || object->IsByteArray() ||
object->IsFeedbackVector() || object->IsBigInt() ||
object->IsFreeSpace());
I'm not sure if the list is incomplete or the CL is buggy. Reverting for now, let's reland with a fix.
Jan 10 2018
+mlippautz, +ulan: Is the CHECK (see #9) incomplete or are typed arrays disallowed in lo-space for a reason?
Jan 10 2018
ClusterFuzz testcase 4870750308925440 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 10 2018
ClusterFuzz has detected this issue as fixed in range 50469:50470.
Detailed report: https://clusterfuzz.com/testcase?key=5287315428868096
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString()
v8::internal::LargeObjectSpace::Verify
v8::internal::Heap::Verify
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50422:50423
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50469:50470
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5287315428868096
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 10 2018
After checking back with Hannes and Ulan: The CHECK is a whitelist and typed arrays are fine in large object space. Can you create the CL that enables them?
Jan 12 2018
#13: It's being done in https://chromium-review.googlesource.com/c/v8/v8/+/830992.
Jan 15 2018
We don't expect typed arrays in large object space - the only typed arrays that end up on-heap are the ones allocated when the typed array constructor is called with a single length argument, which is less than V8_TYPED_ARRAY_MAX_SIZE_IN_HEAP (64 bytes by default).
Jan 16 2018
The CL in #15 has been updated to not alloc in lo-space.
Jan 16 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/3a4f3b73e2f7fb82e1e24cf9be9bcfedf4db65b7

commit 3a4f3b73e2f7fb82e1e24cf9be9bcfedf4db65b7
Author: Choongwoo Han <cwhan.tunz@gmail.com>
Date: Tue Jan 16 11:55:32 2018

Reland "Optimize TypedArraySpeciesCreate using SpeciesProtector of Array"

If there is no constructor or species updates on Array or TypedArrays, then skip lookups of constructor and species so that we can create a new typed array quickly. This path makes TA.p.slice() 2x faster in fast cases.

Bug: chromium:800356 , v8:7161
Change-Id: Ied8c90e23ca6708f4a3cec077c1fd733e4a6609e
Reviewed-on: https://chromium-review.googlesource.com/859397
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50617}

[modify] https://crrev.com/3a4f3b73e2f7fb82e1e24cf9be9bcfedf4db65b7/src/lookup.cc
[modify] https://crrev.com/3a4f3b73e2f7fb82e1e24cf9be9bcfedf4db65b7/src/objects.cc
[modify] https://crrev.com/3a4f3b73e2f7fb82e1e24cf9be9bcfedf4db65b7/src/objects/js-array-inl.h
[modify] https://crrev.com/3a4f3b73e2f7fb82e1e24cf9be9bcfedf4db65b7/src/objects/js-array.h
[modify] https://crrev.com/3a4f3b73e2f7fb82e1e24cf9be9bcfedf4db65b7/test/cctest/test-typedarrays.cc
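A regression-style check for the two points the thread settles on (typed arrays are only allocated on-heap below the 64-byte V8_TYPED_ARRAY_MAX_SIZE_IN_HEAP default from #16, and the species-protector fast path must still honour Symbol.species), added here as an illustration and not code from the issue or the reland CL. It assumes a current engine (node or d8) and that the 64-byte default is unchanged.

```javascript
// Assumption: default V8_TYPED_ARRAY_MAX_SIZE_IN_HEAP as stated in comment #16.
const MAX_IN_HEAP = 64;

// Allocate `length` bytes, slice(), and verify the copy is a distinct, correct
// backing store: same contents, no aliasing with the source.
function sliceRoundTrip(length) {
  const src = new Uint8Array(length);
  for (let i = 0; i < length; i++) src[i] = i & 0xff;
  const copy = src.slice();
  if (copy === src || copy.length !== length) return false;
  if (length > 0 && copy.buffer === src.buffer) return false;
  for (let i = 0; i < length; i++) if (copy[i] !== src[i]) return false;
  if (length > 0) {
    copy[0] = 0xaa;              // a write to the copy must not show up in src
    if (src[0] !== 0) return false;
  }
  return true;
}

// Lengths straddling the on-heap / off-heap boundary plus one large off-heap size.
function checkBoundary() {
  const lengths = [0, 1, MAX_IN_HEAP - 1, MAX_IN_HEAP, MAX_IN_HEAP + 1, 1 << 20];
  return lengths.every((n) => sliceRoundTrip(n));
}

class Tagged extends Uint8Array {}                    // inherits species: Tagged
class NoSpecies extends Uint8Array {                  // overrides species
  static get [Symbol.species]() { return Uint8Array; }
}

// Constructor names slice() picks for each receiver kind. With the protector
// intact the engine may skip the lookup, but the observable result must match
// the spec's TypedArraySpeciesCreate for all three cases.
function speciesOf(length) {
  return {
    plain: new Uint8Array(length).slice().constructor.name,
    subclass: new Tagged(length).slice().constructor.name,
    overridden: new NoSpecies(length).slice().constructor.name,
  };
}
```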
Apr 18 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot