DCHECK failure in IsFixedArrayWithProgressBar(obj) || obj->IsJSObject() || obj->IsString() in incr
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6249957991645184
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows
Crash Type: DCHECK failure
Crash Address:
Crash State:
  IsFixedArrayWithProgressBar(obj) || obj->IsJSObject() || obj->IsString() in incr
  v8::platform::PrintStackTrace
  v8::internal::IncrementalMarking::VisitObject
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=50557:50558
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6249957991645184
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jan 16 2018

Jan 16 2018
My change only removed a runtime flag that was always-on, which seems to have perturbed some existing bug in incremental marking. I don't know enough about incremental marking to reasonably evaluate this report, though.
Jan 17 2018

Jan 17 2018

Jan 17 2018
This also reproduces on Linux, for different values of --gc-interval. I will start a local bisect.
Jan 17 2018
Bisects to 7cdfb6df23883f788ea691f02c70f256f8375f4f ([ic] Introduce proper StoreGlobalIC dispatcher.). Reproduces with --gc-interval=130. Before that CL, it does not reproduce with any interval between 0 and 1000 (tested all multiples of 10).
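The --gc-interval scan described in the comment above, as an added example that is not part of the bug thread or of V8 itself: a POSIX shell script that runs a d8 binary over a range of --gc-interval values and reports which ones hit a DCHECK. The d8 path and the testcase path are assumptions (the real reproducer is only downloadable from ClusterFuzz). A run counts as a reproduction only when the process exits non-zero and its output contains "DCHECK failure", so an unrelated failure such as a JavaScript exception thrown by the testcase is not mistaken for the bug.

```shell
#!/bin/sh
# Added example, not code from the V8 project or the bug thread.
# Assumptions: $1 is a debug d8 binary (hypothetical path), $2 is the
# reproducer JS file. Both are placeholders supplied by the caller.

# gc_interval_crashes D8 TESTCASE INTERVAL
# Returns 0 when running TESTCASE with --gc-interval=INTERVAL aborts on a
# DCHECK, 1 otherwise. The "|| status=$?" form keeps this safe under set -e.
gc_interval_crashes() {
    d8="$1"; testcase="$2"; interval="$3"
    status=0
    out=$("$d8" --gc-interval="$interval" "$testcase" 2>&1) || status=$?
    # A DCHECK failure aborts the process (non-zero exit) and prints the
    # "DCHECK failure" marker; require both so that a JS exception or a
    # missing file does not register as a reproduction.
    if [ "$status" -ne 0 ] && printf '%s\n' "$out" | grep -q 'DCHECK failure'; then
        return 0
    fi
    return 1
}

# scan_gc_intervals D8 TESTCASE START END STEP
# Prints every interval in [START, END] (stepping by STEP) that reproduces
# the crash, one per line. Mirrors the "all multiples of 10 between 0 and
# 1000" sweep from the bisect comment when called as ... 0 1000 10.
scan_gc_intervals() {
    d8="$1"; testcase="$2"; i="$3"; end="$4"; step="$5"
    while [ "$i" -le "$end" ]; do
        if gc_interval_crashes "$d8" "$testcase" "$i"; then
            echo "$i"
        fi
        i=$((i + step))
    done
}

# Usage (paths are placeholders):
#   scan_gc_intervals out/Debug/d8 testcase.js 0 1000 10
```

Because --gc-interval forces a GC every N allocations, which interval values trigger a marking-phase bug shifts with every change to allocation patterns, so a sweep like this should be repeated at each revision under test rather than pinning a single value for the whole bisect.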
Jan 17 2018

Jan 20 2018

Jan 21 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 22 2018

Jan 22 2018
It looks like the check which is failing is in sync with recent deoptimizer changes. Assigning to Ulan.
Jan 22 2018
The DCHECK is not precise and has to be fixed.
Jan 22 2018

Jan 23 2018

Jan 26 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6551719630c85d91f93378921f67a5c12d5d2328

commit 6551719630c85d91f93378921f67a5c12d5d2328
Author: Ulan Degenbaev <ulan@chromium.org>
Date: Fri Jan 26 13:29:58 2018

    [heap] Fix assertion in IncrementalMarking::VisitObject.

    Bug: chromium:802300
    Change-Id: I187f72eda80ae7d6a705361bdd36e79196f51293
    Reviewed-on: https://chromium-review.googlesource.com/888743
    Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
    Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#50897}

[modify] https://crrev.com/6551719630c85d91f93378921f67a5c12d5d2328/src/heap/incremental-marking.cc
Jan 30 2018
ClusterFuzz testcase 6249957991645184 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 31 2018
It was fixed.
Feb 8 2018

May 9 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jan 16 2018
Owner: adamk@chromium.org
Status: Assigned (was: Untriaged)