
Issue 630611

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Phi of kMachNone (None) cannot be changed to kRepTagged in representation-change

Reported by ClusterFuzz (Project Member), Jul 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5287459936272384

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Phi of kMachNone (None) cannot be changed to kRepTagged in representation-change
  
Regressed: V8: r37695:37708

Minimized Testcase (0.36 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97JgzZKUrAvcQP7ALdZSyP8SqCkqRp9arnLf5CWva_bEySmP8Fd_uy1dqXQgnhWtAEn920ueNA58Op3B8HqeHmudcUrjmiJodaIdHLES_PRAZ5QKza0ia5Axe1eiCd7Vm0f-ZXIk_bi2dyyp6fFsqs4AqHWJA?testcase_id=5287459936272384
var __v_9 = {};
var __v_13 = 1073741824;
function __f_8() {
}
function __f_10() {
}
function __f_2() {
}
__v_4 =
    [, __f_8, __f_10, __f_2];
// gc() is only defined when d8 is started with --expose-gc.
for (var __v_1 = 0; __v_1 < __v_4.length; __v_1++) {
  gc();
}
try {
} catch(e) {; }
__v_13 = 10000;
(function __f_14() {
  // __v_13 now holds an object, so the loop condition ({} > 0) is false
  // and the body, which references the undefined global __v_14, never runs.
  __v_13 = __v_9;
  for (var __v_15 = __v_13; __v_15 > 0; __v_15 -= 2) {
    delete __v_14[__v_15];
  }
})()


Filer: jarin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by bugdroid1@chromium.org (Project Member), Jul 25 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a81d19d583baea17ea0aa70609c17ad18ce3f269

commit a81d19d583baea17ea0aa70609c17ad18ce3f269
Author: jarin <jarin@chromium.org>
Date: Mon Jul 25 04:00:16 2016

[turbofan] Handle impossible types (Type::None()) in the backend.

BUG= chromium:630611 

Review-Url: https://codereview.chromium.org/2177483002
Cr-Commit-Position: refs/heads/master@{#37994}

[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/bailout-reason.h
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/arm/code-generator-arm.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/arm64/code-generator-arm64.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/code-generator.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/ia32/code-generator-ia32.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/instruction-codes.h
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/instruction-scheduler.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/instruction-selector-impl.h
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/instruction-selector.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/instruction.h
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/machine-operator.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/machine-operator.h
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/mips/code-generator-mips.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/mips64/code-generator-mips64.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/opcodes.h
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/ppc/code-generator-ppc.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/representation-change.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/s390/code-generator-s390.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/typer.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/verifier.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/x64/code-generator-x64.cc
[modify] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/src/compiler/x87/code-generator-x87.cc
[add] https://crrev.com/a81d19d583baea17ea0aa70609c17ad18ce3f269/test/mjsunit/compiler/regress-630611.js

Comment 2 by jarin@chromium.org, Jul 25 2016

Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Cc: -jarin@chromium.org
Owner: jarin@chromium.org
Status: Fixed (was: Assigned)

Comment 5 by ClusterFuzz (Project Member), Jul 26 2016

ClusterFuzz has detected this issue as fixed in range 37993:37995.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot