
Issue 612142


Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




!v8::internal::FLAG_enable_slow_asserts || (IsDereferenceAllowed(INCLUDE_DEFERRE

Project Member Reported by ClusterFuzz, May 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5611571836878848

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (IsDereferenceAllowed(INCLUDE_DEFERRE
  
Regressed: V8: r35919:35920

Minimized Testcase (6.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96pJkaqDIvLYtl8wOPZtBy4aEcIkV3NSycg1bTarTZyhYqYheyMMsmsv1bFWDK3JvCFyNrxrZ9S8dwMjzDWL2gJNQNWc4opLcoBci2o0-YYdLK2fCBq1O55fqRsvxXSGOqxTtR0Yukl9O-J3P0KV-5gTI0cyw

Filer: jarin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by jarin@chromium.org, May 16 2016

Owner: bmeu...@chromium.org
Status: Assigned (was: Available)
Benedikt, this bisects to the type-nuking CL. Could you take a look?

Comment 2 by jarin@chromium.org, May 17 2016

Smaller repro (run with --enable-slow-asserts --turbo):

for (var i = 0; i < 100; i++) { }
for (var i = 1E-100; i;) { Math.cbrt(i); }
for (var i = 16 | 0 || 0 || this || 1; i;) { Math.cbrt(i); }

Project Member Comment 3 by bugdroid1@chromium.org, May 18 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/33e571ff4b8210161e20d2484650f64809287f72

commit 33e571ff4b8210161e20d2484650f64809287f72
Author: bmeurer <bmeurer@chromium.org>
Date: Wed May 18 05:36:51 2016

[turbofan] Kill type Guard nodes during effect/control linearization.

These guards are useless anyways once you make it throw the
effect/control linearizer because all memory operations and
calls are connected to the control and/or effect chain anyways
afterwards.

Drive-by-fix: Fail in the InstructionSelector if we ever see
a Guard node.

R=jarin@chromium.org
BUG= chromium:612142 

Review-Url: https://codereview.chromium.org/1980383002
Cr-Commit-Position: refs/heads/master@{#36302}

[modify] https://crrev.com/33e571ff4b8210161e20d2484650f64809287f72/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/33e571ff4b8210161e20d2484650f64809287f72/src/compiler/effect-control-linearizer.h
[modify] https://crrev.com/33e571ff4b8210161e20d2484650f64809287f72/src/compiler/instruction-selector.cc
[modify] https://crrev.com/33e571ff4b8210161e20d2484650f64809287f72/src/compiler/instruction-selector.h
[add] https://crrev.com/33e571ff4b8210161e20d2484650f64809287f72/test/mjsunit/regress/regress-crbug-612142.js

Project Member Comment 4 by bugdroid1@chromium.org, May 18 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c5a71f029fb554c6a79a9226a99258c12751bd9b

commit c5a71f029fb554c6a79a9226a99258c12751bd9b
Author: bmeurer <bmeurer@chromium.org>
Date: Wed May 18 06:19:10 2016

[turbofan] Turn common Guard operator into simplified TypeGuard.

The type guard should never be used after the effect/control
linearization pass, so making it a simplified operator better
expresses the intended use. Also this way none of the common
operators actually has any dependency on the type system.

Drive-by-fix: Properly print the type parameter to a TypeGuard operator.

BUG= chromium:612142 
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1994503002
Cr-Commit-Position: refs/heads/master@{#36304}

[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/common-operator-reducer.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/common-operator-reducer.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/common-operator.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/common-operator.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/effect-control-linearizer.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/escape-analysis.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/js-intrinsic-lowering.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/load-elimination.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/load-elimination.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/opcodes.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/pipeline.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/simplified-operator-reducer.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/simplified-operator-reducer.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/simplified-operator.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/simplified-operator.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/typer.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/verifier.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/test/unittests/compiler/js-intrinsic-lowering-unittest.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/test/unittests/compiler/load-elimination-unittest.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/test/unittests/compiler/node-test-utils.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/test/unittests/compiler/node-test-utils.h

Project Member Comment 5 by ClusterFuzz, May 18 2016

ClusterFuzz has detected this issue as fixed in range 36301:36302.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5611571836878848

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (IsDereferenceAllowed(INCLUDE_DEFERRE
  
Regressed: V8: r35919:35920
Fixed: V8: r36301:36302

Minimized Testcase (6.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96pJkaqDIvLYtl8wOPZtBy4aEcIkV3NSycg1bTarTZyhYqYheyMMsmsv1bFWDK3JvCFyNrxrZ9S8dwMjzDWL2gJNQNWc4opLcoBci2o0-YYdLK2fCBq1O55fqRsvxXSGOqxTtR0Yukl9O-J3P0KV-5gTI0cyw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)

Comment 7 by jarin@chromium.org, May 23 2016

Labels: Merge-Request-52

Comment 8 by tin...@google.com, May 23 2016

Labels: -Merge-Request-52 Merge-Review-52 Hotlist-Merge-Review
[Automated comment] Commit may have occurred before M52 branch point (5/19/2016), needs manual review.

Comment 9 by jarin@chromium.org, May 23 2016

Labels: -Hotlist-Merge-review -Merge-Review-52
Actually, no merge is necessary, the fix is already in M52.
Project Member Comment 10 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
