Issue 612412 link

Issue metadata

Status: Verified
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

OperatorProperties::GetTotalInputCount(node->op()) == node->InputCount() in src/

Project Member Reported by ClusterFuzz, May 17 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5864690634194944

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  OperatorProperties::GetTotalInputCount(node->op()) == node->InputCount() in src/
  
Regressed: V8: r35962:35963

Minimized Testcase (5.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95oMk_gwE_JujJdaFF9BvfvU2e6QYGsayX0wl_mUVtLNMfKJDMDYf9uYzMsRMALkaRuPOv__E19tbGhwMO8F2C3e8E-WG_4rYtjPl7yD6wmTLyDS3SDiraQ-rhZ7K0XL_EQQR8MHWjky1rNIx9aBq1sSkJjNQ

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: danno@chromium.org
Status: Assigned (was: Available)
Bisects to fa570e55b623c74245945e3bdda042df1bf6a196, reproduces as follows ...

$ git checkout fa570e55b623c74245945e3bdda042df1bf6a196
$ make -j1000 ia32.debug
$ ./out/ia32.debug/d8 ./test/mjsunit/mjsunit.js ~/Downloads/ClusterFuzz/5864690634194944/mutant1019_regress-469605b.js

#
# Fatal error in ../src/compiler/verifier.cc, line 1314
# Check failed: OperatorProperties::GetTotalInputCount(node->op()) == node->InputCount() (9 vs. 8).
#

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::internal::compiler::Verifier::VerifyNode(v8::internal::compiler::Node*)
 3: v8::internal::compiler::NodeProperties::ChangeOp(v8::internal::compiler::Node*, v8::internal::compiler::Operator const*)
 4: v8::internal::compiler::JSGenericLowering::LowerJSCreateArray(v8::internal::compiler::Node*)
 5: v8::internal::compiler::JSGenericLowering::Reduce(v8::internal::compiler::Node*)
 6: v8::internal::compiler::GraphReducer::Reduce(v8::internal::compiler::Node*)
 7: v8::internal::compiler::GraphReducer::ReduceTop()
 8: v8::internal::compiler::GraphReducer::ReduceNode(v8::internal::compiler::Node*)
 9: v8::internal::compiler::GraphReducer::ReduceGraph()
10: v8::internal::compiler::EarlyOptimizationPhase::Run(v8::internal::compiler::PipelineData*, v8::internal::Zone*)
11: void v8::internal::compiler::PipelineImpl::Run<v8::internal::compiler::EarlyOptimizationPhase>()
12: v8::internal::compiler::PipelineImpl::CreateGraph()
13: v8::internal::compiler::PipelineCompilationJob::CreateGraphImpl()
14: v8::internal::CompilationJob::CreateGraph()
15: 0x8bc0f91
16: 0x8bb8177
17: v8::internal::Compiler::GetOptimizedCodeForOSR(v8::internal::Handle<v8::internal::JSFunction>, v8::internal::BailoutId, v8::internal::JavaScriptFrame*)
18: 0x953085e
19: v8::internal::Runtime_CompileForOnStackReplacement(int, v8::internal::Object**, v8::internal::Isolate*)
20: 0x26b0be7e
21: 0x26b3d61d
22: 0x26b523b7
23: 0x26b532e2
24: 0x26b51b7a
25: 0x26b0bff6
26: 0x26b51773
27: 0x26b3c91e
28: 0x26b141e3
29: 0x8d7fff4
30: v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*)
31: v8::Script::Run(v8::Local<v8::Context>)
32: v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, bool, bool, v8::Shell::SourceType)
33: v8::SourceGroup::Execute(v8::Isolate*)
34: v8::Shell::RunMain(v8::Isolate*, int, char**, bool)
35: v8::Shell::Main(int, char**)
36: main
37: __libc_start_main
Illegal instruction (core dumped)
Comment 2 by bugdroid1@chromium.org (Project Member), May 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f43aa0bc6c38d23717b09bd0339f95e5a6afae5b

commit f43aa0bc6c38d23717b09bd0339f95e5a6afae5b
Author: danno <danno@chromium.org>
Date: Mon May 23 16:42:55 2016

[turbofan] Correctly call ArrayNoArgumentConstructor stub from TF code

BUG= chromium:612412 
LOG=N

Review-Url: https://codereview.chromium.org/1999783004
Cr-Commit-Position: refs/heads/master@{#36448}

[modify] https://crrev.com/f43aa0bc6c38d23717b09bd0339f95e5a6afae5b/src/compiler/js-generic-lowering.cc
[add] https://crrev.com/f43aa0bc6c38d23717b09bd0339f95e5a6afae5b/test/mjsunit/regress/regress-612412.js

Comment 3 by ClusterFuzz (Project Member), May 24 2016

ClusterFuzz has detected this issue as fixed in range 36447:36448.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5864690634194944

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  OperatorProperties::GetTotalInputCount(node->op()) == node->InputCount() in src/
  
Regressed: V8: r35962:35963
Fixed: V8: r36447:36448

Minimized Testcase (5.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95oMk_gwE_JujJdaFF9BvfvU2e6QYGsayX0wl_mUVtLNMfKJDMDYf9uYzMsRMALkaRuPOv__E19tbGhwMO8F2C3e8E-WG_4rYtjPl7yD6wmTLyDS3SDiraQ-rhZ7K0XL_EQQR8MHWjky1rNIx9aBq1sSkJjNQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 4 by ClusterFuzz (Project Member), Jun 14 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 5 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot