
Issue metadata

Status: Fixed
Owner:
Closed: Dec 18
Cc:
HW: ----
NextAction: ----
OS: ----
Priority: 1
Type: Bug




Issue 8607: Dcheck on jsfunfuzz

Reported by machenb...@chromium.org, Dec 18 Project Member

Issue description

See:
https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Fuzzer/28627

# Fatal error in ../../src/interpreter/bytecode-generator.cc, line 2947
# Debug check failed: expr->target()->IsValidReferenceExpression() || (expr->op() == Token::INIT && expr->target()->IsVariableProxy() && expr->target()->AsVariableProxy()->is_this()).
#
#
#
#FailureMessage Object: 0x7ffda255ea20
==== C stack trace ===============================

    /b/s/w/ir/out/Debug/./libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x13) [0x7fd26776e383]
    /b/s/w/ir/out/Debug/./libv8_libplatform.so(+0x1051b) [0x7fd26774151b]
    /b/s/w/ir/out/Debug/./libv8_libbase.so(V8_Fatal(char const*, int, char const*, ...)+0x148) [0x7fd2677651e8]
    /b/s/w/ir/out/Debug/./libv8_libbase.so(+0x19f55) [0x7fd267764f55]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitAssignment(v8::internal::Assignment*)+0xd7e) [0x7fd2667bad7e]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitNoStackOverflowCheck(v8::internal::AstNode*)+0x8e) [0x7fd2667c53fe]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitExpressionStatement(v8::internal::ExpressionStatement*)+0x92) [0x7fd2667aeec2]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitNoStackOverflowCheck(v8::internal::AstNode*)+0x2ea) [0x7fd2667c565a]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitStatements(v8::internal::ZoneList<v8::internal::Statement*> const*)+0x57) [0x7fd2667ac937]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitBlock(v8::internal::Block*)+0x42e) [0x7fd2667acfbe]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitNoStackOverflowCheck(v8::internal::AstNode*)+0x2c7) [0x7fd2667c5637]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitTryCatchStatement(v8::internal::TryCatchStatement*)+0x146) [0x7fd2667b27f6]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitNoStackOverflowCheck(v8::internal::AstNode*)+0x81c) [0x7fd2667c5b8c]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitStatements(v8::internal::ZoneList<v8::internal::Statement*> const*)+0x57) [0x7fd2667ac937]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitBlock(v8::internal::Block*)+0x42e) [0x7fd2667acfbe]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitNoStackOverflowCheck(v8::internal::AstNode*)+0x2c7) [0x7fd2667c5637]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::interpreter::BytecodeGenerator::VisitTryFinallyStatement(v8::internal::TryFinallyStatement*)+0x245) [0x7fd2667b2c55]
 

Comment 1 by machenb...@chromium.org, Dec 18

Cc: mslekova@chromium.org

Comment 2 by verwa...@chromium.org, Dec 18

Owner: verwa...@chromium.org
Status: Assigned (was: Untriaged)
Shorter version:

[({ p: this }), [][0]] = x;

Comment 3 by bugdroid1@chromium.org, Dec 18

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/81a11c173b2ea7944d8252f15c5f3b0a8a519ffc

commit 81a11c173b2ea7944d8252f15c5f3b0a8a519ffc
Author: Toon Verwaest <verwaest@chromium.org>
Date: Tue Dec 18 17:52:10 2018

[parser] Fix late-checked destructuring pattern followed by property

Otherwise the error would have been dropped between the previous
accumulate and the subsequent ValidateExpression.

Bug: v8:8607
Change-Id: I29f5d5b6887b57f4b70369ba370fe0b44b1d6798
Reviewed-on: https://chromium-review.googlesource.com/c/1382744
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58339}
[modify] https://crrev.com/81a11c173b2ea7944d8252f15c5f3b0a8a519ffc/src/parsing/parser-base.h
[add] https://crrev.com/81a11c173b2ea7944d8252f15c5f3b0a8a519ffc/test/mjsunit/regress/regress-8607.js

Comment 4 by machenb...@chromium.org, Dec 18

Is this a different error?
https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Fuzzer/28638

Torture!!!
count=9453; tryItOut("let(x, [, , 0x99, , \u3056.prop] = (this.__defineSetter__(\"constructor\", function  \u3056 (functional) { return (\nwindow) } ))) ((function(){throw StopIteration;})());");


#
# Fatal error in ../../src/parsing/pattern-rewriter.cc, line 730
# unreachable code
#
#
#
#FailureMessage Object: 0x7ffc17533fa0
==== C stack trace ===============================

    /b/s/w/ir/out/Debug/./libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x13) [0x7f296c9d6383]
    /b/s/w/ir/out/Debug/./libv8_libplatform.so(+0x1051b) [0x7f296c9a951b]
    /b/s/w/ir/out/Debug/./libv8_libbase.so(V8_Fatal(char const*, int, char const*, ...)+0x148) [0x7f296c9cd1e8]
    /b/s/w/ir/out/Debug/./libv8.so(+0x108e05e) [0x7f296bc7e05e]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::PatternRewriter::Visit(v8::internal::AstNode*)+0x1da) [0x7f296bc7b13a]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::PatternRewriter::VisitArrayLiteral(v8::internal::ArrayLiteral*, v8::internal::Variable**)+0xe75) [0x7f296bc7c545]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::PatternRewriter::Rewrite(v8::internal::Assignment*)+0x122) [0x7f296bc7a452]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::Parser::RewriteDestructuringAssignment(v8::internal::RewritableExpression*)+0x89) [0x7f296bc7a0b9]
    /b/s/w/ir/out/Debug/./libv8.so(v8::internal::Parser::RewriteDestructuringAssignments()+0x129) [0x7f296bc4be79]
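Both crashes above come from the same root cause: the parser deferred ("late-checked") the validity check on a destructuring pattern, and when the pattern was followed by a property access the accumulated error was dropped, so an assignment whose target is not a valid reference was handed on to the pattern rewriter and the bytecode generator, where the DCHECKs fired. A conforming engine must reject such a pattern with an early SyntaxError before any code is generated. The following is an added example, not code from the V8 repository or from the regress-8607.js test the commits reference (whose contents are not on this page): it compiles candidate sources without running them and checks that every invalid target, including the reduced case from comment 2 and a simplified form of the fuzzer case from comment 4, is rejected at parse time, while structurally similar valid patterns still parse. The variants beyond the two cases on the page are constructed; `x`, `a`, `b` and `obj` are placeholder identifiers.

```javascript
// Added example (not from the V8 issue or its regression test). Classifies how
// the running JS engine treats a source string at parse time. A destructuring
// assignment whose target is not a valid reference must be an early
// SyntaxError; in v8:8607 the parser let such a pattern through, so the
// invalid target reached code generation and tripped a DCHECK.

// Returns "parsed" if `src` compiles, "SyntaxError" if it is rejected as an
// early error, or the name of any other error. Only parsing happens here:
// new Function compiles the body without executing it.
function parseOutcome(src) {
  try {
    new Function(src);
    return "parsed";
  } catch (e) {
    return e instanceof SyntaxError ? "SyntaxError" : e.constructor.name;
  }
}

// Constructed inputs. The first is the reduced case from comment 2; the third
// is a simplified form of the comment 4 fuzzer case. The others are
// hypothetical variants of the same shape: an invalid target followed by a
// member-expression target (`[][0]`, `obj.prop`), which is the
// "pattern followed by property" ordering the fix addresses.
const INVALID_TARGETS = [
  "[({ p: this }), [][0]] = x;",   // parenthesised object literal + `this`
  "[this, [][0]] = x;",            // `this` is never an assignment target
  "[, , 0x99, , obj.prop] = x;",   // numeric literal as a target
  "[({ p: a }), obj.prop] = x;",   // parenthesised literal is not a pattern
  "({ p: 1 + 1 } = x);",           // arbitrary expression as a target
];

// Constructed valid counterparts: every target is a simple reference, a
// member expression, or a nested pattern, so a conforming parser accepts them.
const VALID_TARGETS = [
  "[a, [][0]] = x;",               // member expression on an array literal
  "[(a), obj.prop] = x;",          // parenthesised identifier is allowed
  "[, , a, , obj.prop] = x;",      // holes plus a member-expression target
  "[{ p: a }, [b]] = x;",          // nested object and array patterns
  "({ p: a.b } = x);",             // member expression inside an object pattern
];

// Runs both lists and returns every case where the engine disagrees with the
// expected outcome; an empty list means the parser rejects all invalid
// targets and accepts all valid ones.
function checkDestructuringEarlyErrors() {
  const mismatches = [];
  for (const src of INVALID_TARGETS) {
    const got = parseOutcome(src);
    if (got !== "SyntaxError") mismatches.push({ src, expected: "SyntaxError", got });
  }
  for (const src of VALID_TARGETS) {
    const got = parseOutcome(src);
    if (got !== "parsed") mismatches.push({ src, expected: "parsed", got });
  }
  return mismatches;
}

const mismatches = checkDestructuringEarlyErrors();
console.log(mismatches.length === 0 ? "all cases behave as expected" : mismatches);
```

Run under Node with `node check.js`; a non-empty report means the engine either accepts an invalid destructuring target (the class of bug fixed here) or rejects a legal pattern. Because `new Function` compiles but never invokes the body, the check exercises only the parser and early-error path, which is the layer the two commits above change.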

Comment 5 by verwa...@chromium.org, Dec 18

It's the same.

Comment 6 by bugdroid1@chromium.org, Dec 18

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5c0e5a5b56be869b0bfe2ba400d81447a151b17a

commit 5c0e5a5b56be869b0bfe2ba400d81447a151b17a
Author: Toon Verwaest <verwaest@chromium.org>
Date: Tue Dec 18 20:10:36 2018

[parser] Fix late-checked destructuring pattern followed by property (2)

Now just accumulate right before we might validate a property and once we're
done, so we're guaranteed to catch all PatternErrors.

Bug: v8:8607
Change-Id: Ibc5bc7773756f4827868ca01d0f9fb0c5545e59b
Reviewed-on: https://chromium-review.googlesource.com/c/1382749
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58343}
[modify] https://crrev.com/5c0e5a5b56be869b0bfe2ba400d81447a151b17a/src/parsing/expression-scope.h
[modify] https://crrev.com/5c0e5a5b56be869b0bfe2ba400d81447a151b17a/src/parsing/parser-base.h
[modify] https://crrev.com/5c0e5a5b56be869b0bfe2ba400d81447a151b17a/test/mjsunit/regress/regress-8607.js

Comment 7 by verwa...@chromium.org, Dec 18

Status: Fixed (was: Assigned)
