Issue metadata

Status: Fixed
Owner:
Closed: Dec 14
Cc:
Components:
HW: All
NextAction: ----
OS: All
Priority: 1
Type: Bug




Issue 7773: Hard Crash: Check Failure in Runtime_InternalSetPrototype

Reported by june901...@gmail.com, May 21 2018

Issue description

Version: 6.6.346.32
OS: Ubuntu 16.04.3 LTS
Architecture: x64

What steps will reproduce the problem?
1. Run poc.js

What is the expected output?
Maybe it throws a stringify(?) result.

What do you see instead?
Check Failure

$ ~/v8/out.gn/x64.release/d8 poc.js
#
# Fatal error in , line 0
# Check failed: *function_map == function->map().
#
#
#
#FailureMessage Object: 0x7ffe2d5cdbc0
==== C stack trace ===============================

    /v8/out.gn/x64.release/d8(+0x9c93a3) [0x55b0b27693a3]
    /v8/out.gn/x64.release/d8(+0x9c896b) [0x55b0b276896b]
    /v8/out.gn/x64.release/d8(+0x9c4998) [0x55b0b2764998]
    /v8/out.gn/x64.release/d8(+0x7ddb90) [0x55b0b257db90]
    [0x3fb81fc06538]
Received signal 4 ILL_ILLOPN 55b0b2766c52

Attachment: poc.js (33 bytes)

Comment 1 by gsat...@chromium.org, May 22 2018

Components: Runtime
Labels: HW-All OS-All Priority-1
Owner: cbruni@chromium.org
Status: Assigned (was: Untriaged)
I can repro on Chrome 68. Assigning to cbruni@ to take a look.

Comment 2 by neis@chromium.org, May 24 2018

Cc: ishell@chromium.org
Adding Igor too, since he wrote the check. The check seems to assert that setting the function name doesn't change the map.

Comment 3 by cbruni@chromium.org, May 24 2018

Status: Started (was: Assigned)

Comment 4 by neis@chromium.org, Jul 21 2018

Issue 7967 has been merged into this issue.

Comment 5 by cbruni@chromium.org, Dec 7

Not security critical since this is a hard release crash.

Comment 6 by bugdroid1@chromium.org, Dec 14

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/fb434f1c6cefce932542343ff096719e10d4e8ed

commit fb434f1c6cefce932542343ff096719e10d4e8ed
Author: Camillo Bruni <cbruni@chromium.org>
Date: Fri Dec 14 12:06:04 2018

[runtime] Fix Runtime_InternalSetPrototype

Do not set the name property on any function or classes. This is not
required as per spec #sec-__proto__-property-names-in-object-initializers.

Bug: v8:7773
Change-Id: Iade96573690e5b14b60434c37683f782cf9cb2cb
Reviewed-on: https://chromium-review.googlesource.com/c/1375912
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58239}
[modify] https://crrev.com/fb434f1c6cefce932542343ff096719e10d4e8ed/src/runtime/runtime-object.cc
[modify] https://crrev.com/fb434f1c6cefce932542343ff096719e10d4e8ed/test/mjsunit/es6/classes.js
[add] https://crrev.com/fb434f1c6cefce932542343ff096719e10d4e8ed/test/mjsunit/regress/regress-7773.js

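The spec rule the commit cites (#sec-__proto__-property-names-in-object-initializers) is easiest to see by comparing the literal forms side by side. The following is an added example written for this page; it is not the reporter's poc.js and not V8 project code. The helper `hasOwn` and the function names are this example's own; the only behaviour it relies on is the ECMAScript object-initializer semantics as implemented by any current engine (Node.js or d8 after the fix). It shows that a non-computed `__proto__: value` entry sets [[Prototype]], defines no own property and does not name an anonymous function value (the buggy runtime set the name to "__proto__"), while the computed, method and shorthand forms define an ordinary own property.

```javascript
// Added example, not the reporter's poc.js and not V8 code.
// Demonstrates #sec-__proto__-property-names-in-object-initializers:
// which "__proto__" spellings in an object literal are a prototype setter
// and which are plain own properties.

"use strict";

// Small helper (this example's own): own-property check that ignores the
// object's prototype chain.
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// 1. Proto-setter form: the anonymous function becomes [[Prototype]].
//    No own property is created and the function keeps an empty name.
function protoSetterForm() {
  const obj = { __proto__: function () {} };
  const proto = Object.getPrototypeOf(obj);
  return {
    own: hasOwn(obj, "__proto__"),                 // false
    protoIsFunction: typeof proto === "function",  // true
    protoName: proto.name,                         // "" (not "__proto__")
  };
}

// 2. A string-literal key is still non-computed, so it is also a setter;
//    null is an accepted prototype value.
function stringKeyForm() {
  const obj = { "__proto__": null };
  return {
    own: hasOwn(obj, "__proto__"),          // false
    protoIsNull: Object.getPrototypeOf(obj) === null,  // true
  };
}

// 3. Computed key: an ordinary own data property. Here the anonymous
//    function DOES get the inferred name "__proto__", like any property.
function computedKeyForm() {
  const obj = { ["__proto__"]: function () {} };
  const desc = Object.getOwnPropertyDescriptor(obj, "__proto__");
  return {
    own: desc !== undefined,                                              // true
    protoIsObjectPrototype: Object.getPrototypeOf(obj) === Object.prototype, // true
    valueName: desc.value.name,                                           // "__proto__"
  };
}

// 4. Method and shorthand forms also define own properties; `__proto__`
//    is a legal identifier, so the shorthand binds the local variable.
function methodAndShorthandForms() {
  const __proto__ = 42;
  const objMethod = { __proto__() { return 1; } };
  const objShort = { __proto__ };
  return {
    methodOwn: hasOwn(objMethod, "__proto__") && objMethod.__proto__.name === "__proto__", // true
    shorthandOwn: hasOwn(objShort, "__proto__") && objShort.__proto__ === 42,              // true
  };
}

// 5. In the setter form a non-object, non-null value is silently ignored:
//    nothing is assigned and the prototype stays Object.prototype.
function nonObjectValueForm() {
  const obj = { __proto__: 42 };
  return {
    own: hasOwn(obj, "__proto__"),                                        // false
    protoIsObjectPrototype: Object.getPrototypeOf(obj) === Object.prototype, // true
  };
}

// Run stand-alone: node this_file.js
console.log(protoSetterForm(), stringKeyForm(), computedKeyForm(),
            methodAndShorthandForms(), nonObjectValueForm());
```

The first case is the one the fix is about: because the setter form never performs NamedEvaluation, the runtime had no business assigning a "name" to the function (or class) passed as the prototype, which is why the commit simply removes that code path rather than adjusting the map check.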
Comment 7 by cbruni@chromium.org, Dec 14

Status: Fixed (was: Started)
