IsUseLessGeneral(input_use_infos_[index], use_info) in simplified-lowering.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4973821669146624

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  IsUseLessGeneral(input_use_infos_[index], use_info) in simplified-lowering.cc

Regressed: V8: r37708:37727

Minimized Testcase (0.47 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97s2qGAl4GTWjd3JKCCNYGQxOjeLQTWICY7gZvXEjK-HZkqS1RPjUfZEjmoFbBJMNhdxEV-p29l5-O5491iI71gb-LjPnb5UyIWYzB7xTWw2CYPXH4WTvyqfYfsNr5bUpD9JZP_b-edTobC93n1IJ9wr0yLTA?testcase_id=4973821669146624

    function __f_4(sign_bit, mantissa_29_bits) {
    }
    __f_4.prototype.returnSpecial = function() {
      this.mantissa_29_bits * mantissa_29_shift;
    }
    __f_4.prototype.toSingle = function() {
      if (-65535) return this.toSingleSubnormal();
    }
    __f_4.prototype.toSingleSubnormal = function() {
      if (__v_15) {
        var __v_7 = this.mantissa_29_bits == -1 && (__v_13 & __v_10 ) == 0;
      }
      __v_8 >>= __v_7;
    }
    __v_14 = new __f_4();
    __v_14.toSingle();

Filer: jarin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jul 25 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/480f155ed65d23310db92cd65470a9a68d5f13bd

commit 480f155ed65d23310db92cd65470a9a68d5f13bd
Author: mvstanton <mvstanton@chromium.org>
Date: Mon Jul 25 11:59:30 2016

[Turbofan] IsUseLessGeneral shouldn't consider machine representation.

BUG= chromium:630952
Review-Url: https://codereview.chromium.org/2177193002
Cr-Commit-Position: refs/heads/master@{#38014}

[modify] https://crrev.com/480f155ed65d23310db92cd65470a9a68d5f13bd/src/compiler/simplified-lowering.cc
[add] https://crrev.com/480f155ed65d23310db92cd65470a9a68d5f13bd/test/mjsunit/regress/regress-crbug-630952.js

Jul 25 2016
Jul 26 2016
ClusterFuzz has detected this issue as fixed in range 37995:38020.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4973821669146624

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  IsUseLessGeneral(input_use_infos_[index], use_info) in simplified-lowering.cc

Regressed: V8: r37708:37727
Fixed: V8: r37995:38020

Minimized Testcase (0.47 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97s2qGAl4GTWjd3JKCCNYGQxOjeLQTWICY7gZvXEjK-HZkqS1RPjUfZEjmoFbBJMNhdxEV-p29l5-O5491iI71gb-LjPnb5UyIWYzB7xTWw2CYPXH4WTvyqfYfsNr5bUpD9JZP_b-edTobC93n1IJ9wr0yLTA?testcase_id=4973821669146624

    function __f_4(sign_bit, mantissa_29_bits) {
    }
    __f_4.prototype.returnSpecial = function() {
      this.mantissa_29_bits * mantissa_29_shift;
    }
    __f_4.prototype.toSingle = function() {
      if (-65535) return this.toSingleSubnormal();
    }
    __f_4.prototype.toSingleSubnormal = function() {
      if (__v_15) {
        var __v_7 = this.mantissa_29_bits == -1 && (__v_13 & __v_10 ) == 0;
      }
      __v_8 >>= __v_7;
    }
    __v_14 = new __f_4();
    __v_14.toSingle();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by jarin@chromium.org, Jul 25 2016
Status: Assigned (was: Untriaged)