Int64Constant of kRepWord64 (Internal) cannot be changed to kRepTagged in src/co
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4987582715002880
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Int64Constant of kRepWord64 (Internal) cannot be changed to kRepTagged in src/co
Regressed: V8: r35498:35499
Minimized Testcase (7.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95DFlAjGOlbkbmR00oVkkI8ejH3HEUkYyepvVV5YGk9anDJmzdGEgSyB41E-OSWtB9XcZqyFzS7-9vdEqxOQdPk0GFkwGGC3sOk4U3ttVaOFlzx6QC4QuAiRwOGtkxao7TlHcZDe1-rczTqrIedwErJXTcBDw
Additional requirements: Requires Gestures
Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 20 2016
Seems to be 64-bit only and requires disabling of variable liveness analysis. Minimized repro ...
// Flags: --allow-natives-syntax --turbo-escape --noanalyze-environment-liveness
function f() {
  var bound = 0;
  // g is never called; its closure is the JSFunction allocation that
  // escape analysis tracks inside f.
  function g() { return bound }
}
f();  // two unoptimized runs to collect feedback
f();
%OptimizeFunctionOnNextCall(f);
f();  // the TurboFan-optimized run trips the CHECK in a debug build
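The reproduction the comment above describes (a 64-bit debug d8, the minimized testcase, the three flags), written out as an added triage harness; this is not code from the bug thread or from V8. It writes the testcase to a temp file, runs it on the d8 named by the `D8` environment variable, and classifies the output by the crash state string from the ClusterFuzz report. The flags are passed on the command line because d8 itself ignores the `// Flags:` comment (only V8's test runner reads it). `D8`, `classify_output`, `run_repro` and the fatal-error patterns are this example's own assumptions, not anything the report names.

```shell
#!/bin/sh
# Added triage harness (not from the bug thread or V8). Assumes D8 names a
# 64-bit debug d8 binary; the testcase and flags are those from the comment above.

REPRO_FLAGS="--allow-natives-syntax --turbo-escape --noanalyze-environment-liveness"
# Crash state from the ClusterFuzz report (the trailing file path is truncated
# in the report, so only the message itself is matched).
CRASH_STATE="Int64Constant of kRepWord64 (Internal) cannot be changed to kRepTagged"

# Write the minimized testcase to the given path. d8 ignores the "// Flags:"
# comment (only V8's test runner reads it), so run_repro passes the flags
# explicitly on the command line.
write_testcase() {
  cat > "$1" <<'EOF'
// Flags: --allow-natives-syntax --turbo-escape --noanalyze-environment-liveness
function f() {
  var bound = 0;
  function g() { return bound }
}
f();
f();
%OptimizeFunctionOnNextCall(f);
f();
EOF
}

# classify_output OUTPUT: print "crash" if this bug's CHECK fired, "other-crash"
# for any other V8 fatal error or an ASan report, "ok" otherwise.
classify_output() {
  if printf '%s\n' "$1" | grep -qF "$CRASH_STATE"; then
    echo crash
  elif printf '%s\n' "$1" | grep -qE 'Fatal error in|Check failed:|AddressSanitizer'; then
    echo other-crash
  else
    echo ok
  fi
}

# run_repro: run the testcase on "$D8" (default: d8 on PATH) and classify the
# combined output. A CHECK failure aborts d8 with a non-zero status, hence "|| true".
run_repro() {
  d8="${D8:-d8}"
  tc="$(mktemp)"
  write_testcase "$tc"
  out="$("$d8" $REPRO_FLAGS "$tc" 2>&1 || true)"
  rm -f "$tc"
  classify_output "$out"
}

# Only run when a d8 binary was supplied. Per the report, expect "crash" on a
# debug build from r35499 up to r36435 and "ok" from r36436 on.
if [ -n "$D8" ] && [ -x "$D8" ]; then
  printf '%s\n' "$(run_repro)"
fi
```

Pointing `D8` at a pre-fix and a post-fix debug build and comparing the two classifications is the same check ClusterFuzz's fixed-range bisection performs; a result of `other-crash` means the testcase still fails but on a different assertion, which is worth filing separately rather than treating as this bug.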
May 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/dbd7d5a59f85ff2fd2a06e9377757d2dd6dce45c

commit dbd7d5a59f85ff2fd2a06e9377757d2dd6dce45c
Author: mstarzinger <mstarzinger@chromium.org>
Date: Mon May 23 10:39:24 2016

[turbofan] Skip data-flow analysis of code entry field.

This makes escape analysis skip analyzing the code entry field within JSFunction objects. Said field is an untagged pointer field and hence cannot be tracked by an ObjectState node.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-613494
BUG=chromium:613494
Review-Url: https://codereview.chromium.org/1997353002
Cr-Commit-Position: refs/heads/master@{#36436}

[modify] https://crrev.com/dbd7d5a59f85ff2fd2a06e9377757d2dd6dce45c/src/compiler/escape-analysis.cc
[modify] https://crrev.com/dbd7d5a59f85ff2fd2a06e9377757d2dd6dce45c/src/compiler/escape-analysis.h
[add] https://crrev.com/dbd7d5a59f85ff2fd2a06e9377757d2dd6dce45c/test/mjsunit/regress/regress-crbug-613494.js
May 23 2016
Issue 613568 has been merged into this issue.
May 27 2016
Jul 28 2016
ClusterFuzz has detected this issue as fixed in range 36435:36436.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4987582715002880
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Int64Constant of kRepWord64 (Internal) cannot be changed to kRepTagged in src/co
Fixed: V8: r36435:36436
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv979X1SPALtQFeefg9CIztnIjl8mvSSGQaVvmn1jQczpM41NcGAFg_PsCz30mLdvNT6JpYEZ4zJoLC4HNLGpHcREY2Xxa_vxZzJ87toYnUcmFB1SOBxD2FN68z86DWEgYkKk1Q2QstMLtzifP59ncjOUOvk4Iw?testcase_id=4987582715002880
Additional requirements: Requires Gestures
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, May 20 2016. Status: Assigned (was: Available)