Status: Accepted
Owner: [email protected]
CC: [email protected]
Labels: Type-Bug Priority-Medium OS-Linux
New issue 3687 by [email protected]: Crash in GeneralizeRepresentation
https://code.google.com/p/v8/issues/detail?id=3687
Run this fuzzed code in d8 debug mode:
x=0; x2=0; y=0; [({ x: ({ x: ({ x: ({ functional: x2, window: [, , ({ x: x2 }), y, ] }), x2: ({ x: [], x: ({ x: [, ({ x: ({ x1: NaN, x: x }) })], x2: x.__parent__ }) }) }), NaN: x4 }), x3: x }), , , (functional), NaN]
It causes:
#
# Fatal error in ../src/objects.cc, line 2575
# CHECK(target_descriptors->GetDetails(modify_index).type() != FIELD || new_field_type->NowIs( target_descriptors->GetFieldType(modify_index))) failed
#
==== C stack trace ===============================
 1: V8_Fatal
 2: v8::internal::Map::GeneralizeRepresentation(v8::internal::Handle<v8::internal::Map>, int, v8::internal::Representation, v8::internal::Handle<v8::internal::TypeImpl<v8::internal::HeapTypeConfig> >, v8::internal::StoreMode)
 3: v8::internal::Map::PrepareForDataProperty(v8::internal::Handle<v8::internal::Map>, int, v8::internal::Handle<v8::internal::Object>)
 4: v8::internal::LookupIterator::PrepareForDataProperty(v8::internal::Handle<v8::internal::Object>)
 5: v8::internal::Object::SetDataProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>)
 6: v8::internal::Object::SetProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::StrictMode, v8::internal::Object::StoreFromKeyed, v8::internal::Object::StorePropertyMode)
 7: v8::internal::StoreIC::Store(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, v8::internal::Object::StoreFromKeyed)
 8: ??
 9: v8::internal::StoreIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*)
10: ??
11: ??
12: ??
13: ??
14: ??
15: v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool)
16: v8::Script::Run()
17: v8::Shell::ExecuteString(v8::Isolate*, v8::Handle<v8::String>, v8::Handle<v8::Value>, bool, bool)
18: v8::Shell::RunShell(v8::Isolate*)
19: v8::Shell::Main(int, char**)
20: main
21: __libc_start_main
rlwrap: warning: d8 killed by SIGILL (core dumped).
rlwrap has not crashed, but for transparency,
it will now kill itself with the same signal
Illegal instruction (core dumped)
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev