Null-dereference READ in Get
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5161302415376384
Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  Get
  Get
  IsLive
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=48892:48893
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5161302415376384

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Feb 24 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/343bf6f3ff10f1d4c73bc6af8942784a587d26c8 ([turbofan] Bump control/effect input count size to 32 bits.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Feb 26 2018
This is a problem with --always-opt forcing optimization for functions that are too big. This cannot happen in production (without --always-opt).
Feb 26 2018
Feb 27 2018
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/8c1234861c5829ec306cf19625741de48e5eec7d

commit 8c1234861c5829ec306cf19625741de48e5eec7d
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Tue Feb 27 13:22:53 2018

[turbofan] Bailout from optimizations for large bytecode sizes (>128kB).

Turbofan can only handle 64K control inputs for merges. Such large can only be created by functions with 64K jumps, so we limit the bytecode size to the minimum size of bytecode arrays with 64K jumps.

Bug: chromium:815392, v8:7438
Change-Id: I674705e87e19ce451b40d5827c9fe3e6ec17293a
Reviewed-on: https://chromium-review.googlesource.com/938421
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51598}

[modify] https://crrev.com/8c1234861c5829ec306cf19625741de48e5eec7d/src/bailout-reason.h
[modify] https://crrev.com/8c1234861c5829ec306cf19625741de48e5eec7d/src/compiler/pipeline.cc
[add] https://crrev.com/8c1234861c5829ec306cf19625741de48e5eec7d/test/mjsunit/compiler/regress-815392.js

Feb 28 2018
ClusterFuzz has detected this issue as fixed in range 51597:51598.

Detailed report: https://clusterfuzz.com/testcase?key=5161302415376384
Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  Get
  Get
  IsLive
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=48892:48893
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=51597:51598
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5161302415376384

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Feb 28 2018
ClusterFuzz testcase 5161302415376384 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Feb 24 2018
Labels: Test-Predator-Auto-Components