0 == node->op()->ControlInputCount() in simplified-lowering.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6335847469416448

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  0 == node->op()->ControlInputCount() in simplified-lowering.cc

Regressed: V8: r37927:37928

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94-4ty1nzM1KnJ-2cLgjFy7vPxk-EWaDW2q0xpsXgpqPTmkYGe0XYkckrco3MdazSo_yGIXyzceceTClevVuvImhey-GlKqjxT4OE7az-G9cMcBt35S-FR0P2jpi88b9ejiakiutgzcaWcK60gakCGVySAwWA?testcase_id=6335847469416448

    // Minimized testcase as filed; %OptimizeFunctionOnNextCall needs d8 --allow-natives-syntax.
    var __v_36 = new (function() { })();
    function __f_34(o) {
      return 1 + (o.t ? 1 : 2);
    }
    (function __f_46() {
      function __f_38() {
        try {
        } finally {
          __f_34(__v_36);
        }
      }
      __f_38();
      %OptimizeFunctionOnNextCall(__f_38);
      __f_38();
    })()

Additional requirements: Requires Gestures

Filer: bmeurer

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 25 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e3e347b85ccdb6113e0a87272005fd8d7200bf0f

commit e3e347b85ccdb6113e0a87272005fd8d7200bf0f
Author: bmeurer <bmeurer@chromium.org>
Date: Mon Jul 25 05:21:10 2016

[turbofan] Remove overly restrictive DCHECK.

The dead code elimination in SimplifiedLowering can eliminate pure nodes if they don't have value uses. But some of those can indeed have control inputs, i.e. Phi nodes do of course have a control input.

R=jarin@chromium.org
BUG=chromium:630923

Review-Url: https://codereview.chromium.org/2177133002
Cr-Commit-Position: refs/heads/master@{#37995}

[modify] https://crrev.com/e3e347b85ccdb6113e0a87272005fd8d7200bf0f/src/compiler/simplified-lowering.cc
[add] https://crrev.com/e3e347b85ccdb6113e0a87272005fd8d7200bf0f/test/mjsunit/regress/regress-crbug-630923.js
Jul 25 2016
ClusterFuzz has detected this issue as fixed in range 37994:37995.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6335847469416448

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  0 == node->op()->ControlInputCount() in simplified-lowering.cc

Regressed: V8: r37927:37928
Fixed: V8: r37994:37995

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94-4ty1nzM1KnJ-2cLgjFy7vPxk-EWaDW2q0xpsXgpqPTmkYGe0XYkckrco3MdazSo_yGIXyzceceTClevVuvImhey-GlKqjxT4OE7az-G9cMcBt35S-FR0P2jpi88b9ejiakiutgzcaWcK60gakCGVySAwWA?testcase_id=6335847469416448
(the testcase listing is identical to the one in the issue description above)

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by bmeu...@chromium.org, Jul 25 2016

Components: -Blink>JavaScript Blink>JavaScript>Compiler
Labels: OS-All
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)