Ill in v8::internal::Object::NoSideEffectsToString
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5711829255585792
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: Ill
Crash Address: 0x562371d8b4f3
Crash State:
  v8::internal::Object::NoSideEffectsToString
  v8::internal::ErrorUtils::MakeGenericError
  v8::internal::Factory::NewError
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=55268:55269
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5711829255585792

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz, Aug 22
Labels: Test-Predator-Auto-Components
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/bf1e47e6ff10734045b2d6a501da49d20980f742 ([ptr-compr] Switch Smis to 31-bit on 64-bit platforms.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2, Aug 22
This test creates a BigInt whose string representation is longer than the max string length when Smis are 31-bits. So Object::ToString() throws and this assertion fails: https://cs.chromium.org/chromium/src/v8/src/objects.cc?q=file:objects.cc&sq=package:chromium&g=0&l=368 Reproduces on 32-bit architectures.

Comment 3 by ClusterFuzz, Aug 24
ClusterFuzz has detected this issue as fixed in range 55332:55333.

Detailed report: https://clusterfuzz.com/testcase?key=5711829255585792
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: Ill
Crash Address: 0x562371d8b4f3
Crash State:
  v8::internal::Object::NoSideEffectsToString
  v8::internal::ErrorUtils::MakeGenericError
  v8::internal::Factory::NewError
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=55268:55269
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=55332:55333
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5711829255585792

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by ClusterFuzz, Aug 24
ClusterFuzz testcase 5711829255585792 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 5, Aug 24
31-bit smis were reverted and CF is happy now but the Object::NoSideEffectsToString() issue is still there.

Comment 6, Aug 29
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/9d493179d85b2030185b8987a9fef1adeef148c2

commit 9d493179d85b2030185b8987a9fef1adeef148c2
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Wed Aug 29 13:45:28 2018

[bigint] Fix NoSideEffectsToString for 32-bit platforms

On 32-bit platforms, String::kMaxLength is such that not all BigInts can be
converted to Strings. NoSideEffectsToString, however, used to assume that this
conversion always succeeds. This patch adds a check for the failure case, and
returns "<a very large BigInt>" instead of crashing.

This change is practically unobservable, because actually formatting such a
huge BigInt to String would take "forever", which is also why there is no
regression test.

Bug: chromium:876628
Change-Id: I1eacdc1cce753ac5d9ca66e61e479043ab576e07
Reviewed-on: https://chromium-review.googlesource.com/1194004
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55491}

[modify] https://crrev.com/9d493179d85b2030185b8987a9fef1adeef148c2/src/objects.cc
[modify] https://crrev.com/9d493179d85b2030185b8987a9fef1adeef148c2/src/objects/bigint.cc
[modify] https://crrev.com/9d493179d85b2030185b8987a9fef1adeef148c2/src/objects/bigint.h