Ill in v8::internal::Isolate::PushStackTraceAndDie
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5450342827032576

Fuzzer: lokihardt_jshitter
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x55b8a06aad78
Crash State:
  v8::internal::Isolate::PushStackTraceAndDie
  v8::internal::LookupIterator::GetRootForNonJSReceiver
  v8::internal::LookupIterator::LookupIterator

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=56942:56943

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5450342827032576

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Nov 8
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/5bf9e470f8290dde983797e695e5156374d81962

commit 5bf9e470f8290dde983797e695e5156374d81962
Author: Toon Verwaest <verwaest@chromium.org>
Date: Thu Nov 08 14:42:35 2018

[parser] Fix cover-grammar initializer positions

Since we use a ScopedPtrList to track cover grammar expressions we don't know the position of the commas anymore. The position of the commas was used to demark the initializer, which is needed to figure out whether we need hole checks for variable references. (Typically only references within the initializer need hole checks for the initialized variable.)

Since we didn't have the comma position, we simply used the position of the first expression as the position of any subsequent comma, which would make it seem as if the initializer body wasn't in the initializer. Now instead we simply use the position of the subsequent parameter as the end of the initializer, which is close enough.

Bug: chromium:902810
Change-Id: I8d2bc7a2dc9f59db16ce56ccef01e263a18a3b7a
Reviewed-on: https://chromium-review.googlesource.com/c/1326022
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57357}

[modify] https://crrev.com/5bf9e470f8290dde983797e695e5156374d81962/src/parsing/parser.cc
[add] https://crrev.com/5bf9e470f8290dde983797e695e5156374d81962/test/mjsunit/regress/regress-902810.js
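An added illustration, not the commit's code and not V8's regression test, of the behaviour the hole checks described above must preserve: arrow-function parameter lists are parsed through the cover grammar (a parenthesized expression list later reinterpreted as parameters), and a parameter referenced from inside an earlier parameter's initializer is still in its temporal dead zone and must throw, while a reference to an already-initialized parameter must not. The helper names are this example's own.

```javascript
// Added example (not from the V8 commit or its test suite). Shows the
// observable semantics behind the parser's hole checks for parameter
// initializers in arrow functions parsed via the cover grammar.

// Runs fn and reports either its result or the class of error it threw.
function outcome(fn) {
  try {
    return { value: fn(), error: null };
  } catch (e) {
    return { value: undefined, error: e.constructor.name };
  }
}

// Case 1: a's initializer references b, declared later in the same list.
// When a's initializer runs, b is still in its temporal dead zone, so the
// reference must throw a ReferenceError (this is the hole check firing).
function referenceToLaterParam() {
  return outcome(() => ((a = b, b) => a)(undefined, 1));
}

// Case 2: b's initializer references a, which was initialized before it.
// No hole check is needed here; the value flows through unchanged.
function referenceToEarlierParam() {
  return outcome(() => ((a, b = a) => b)(41));
}

// Case 3: an initializer referencing its own parameter is a reference
// inside the initializer of that very binding and must throw as well.
function selfReference() {
  return outcome(() => ((a = a) => a)());
}

// Case 4: the same token sequence as a plain parenthesized comma
// expression (the other reading of the cover grammar) creates no
// parameter bindings at all, so it is an ordinary assignment to a.
function plainCommaExpression() {
  let b = 2;
  let a = 1;
  return outcome(() => (a = b, b));
}
```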
Nov 9
ClusterFuzz has detected this issue as fixed in range 57356:57357.

Detailed report: https://clusterfuzz.com/testcase?key=5450342827032576

Fuzzer: lokihardt_jshitter
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x55b8a06aad78
Crash State:
  v8::internal::Isolate::PushStackTraceAndDie
  v8::internal::LookupIterator::GetRootForNonJSReceiver
  v8::internal::LookupIterator::LookupIterator

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=56942:56943
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=57356:57357

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5450342827032576

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 9
ClusterFuzz testcase 5450342827032576 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 8
+cc lokihardt@ who is the author of this fuzzer.
Comment 1 by ClusterFuzz, Nov 7
Owner: verwa...@chromium.org
Status: Assigned (was: Untriaged)