
Issue 813450

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Feb 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Ill in v8::internal::Runtime_AllocateInNewSpace

Project Member Reported by ClusterFuzz, Feb 19 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5657872911040512

Fuzzer: ochang_js_fuzzer
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7f34e1fc6312
Crash State:
  v8::internal::Runtime_AllocateInNewSpace
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=51276:51277

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5657872911040512

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Feb 19 2018

Labels: Test-Predator-Auto-Owner
Owner: cbruni@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/52b3b491a55f5f3233ca78e0c22c37384b92670e ([errors] Use FATAL macro where possible).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2 by bugdroid1@chromium.org (Project Member), Feb 27 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c7d01c42ed387dff44d0841205465f6572158228

commit c7d01c42ed387dff44d0841205465f6572158228
Author: Camillo Bruni <cbruni@chromium.org>
Date: Tue Feb 27 14:41:08 2018

[proxies] Use write barriers for Proxy [[Construct]] arguments

The number of arguments passed on the stack might exceed the regular
object size limits. Hence we need to emit write barriers when copying
the arguments from the stack into the allocated array.

Bug: chromium:813450
Change-Id: I829c5c32b1a7b5f4ddb01cc6ea92f85ab47126aa
Reviewed-on: https://chromium-review.googlesource.com/939174
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51603}
[modify] https://crrev.com/c7d01c42ed387dff44d0841205465f6572158228/src/builtins/builtins-proxy-gen.cc
[modify] https://crrev.com/c7d01c42ed387dff44d0841205465f6572158228/src/code-stub-assembler.cc
[modify] https://crrev.com/c7d01c42ed387dff44d0841205465f6572158228/src/code-stub-assembler.h
[add] https://crrev.com/c7d01c42ed387dff44d0841205465f6572158228/test/mjsunit/regress/regress-crbug-813450.js


Comment 3 by ClusterFuzz (Project Member), Feb 28 2018

ClusterFuzz has detected this issue as fixed in range 51602:51603.

Detailed report: https://clusterfuzz.com/testcase?key=5657872911040512

Fuzzer: ochang_js_fuzzer
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7f34e1fc6312
Crash State:
  v8::internal::Runtime_AllocateInNewSpace
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=51276:51277
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=51602:51603

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5657872911040512

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by ClusterFuzz (Project Member), Feb 28 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5657872911040512 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
