New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 634500 link

Starred by 1 user
Status: WontFix
Owner:
mvstan...@chromium.org
Closed: Aug 2016
Cc:
ivica.bo...@imgtec.com
mummare...@chromium.org
mstarzinger@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug



Sign in to add a comment

Unexpected operator #157:StoreField @ node #328 in instruction-selector.cc

Project Member Reported by ClusterFuzz, Aug 4 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5892728452022272

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Unexpected operator #157:StoreField @ node #328 in instruction-selector.cc
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=408734:408781

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96v2dMC3Bg52LDcut1bdX9H17DqEjBYyr_R-Z6UKK4A_zTf-EP-xyhsIh5Fsmyuhuai66b2hcLH4O4U6iwWPe5ssVt4tmyZFc-tqWunoPptuRooET6JTTXif8zPkUVJoIPteIpQtA1fEmlr46p49wWfbwMTuQ?testcase_id=5892728452022272
function __f_2() {
  for  (var __v_2 = 0; __v_2 < 10000; __v_2++) {
    try {
      for (var __v_3 = 0; __v_3 < 2; __v_3++) {
      }
      throw 1;
    } catch(e) {
      if (typeof a == "number") return a && isNaN(b);
    }
  }
}
__f_2();


Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Aug 4 2016

Cc: ivica.bo...@imgtec.com mstarzinger@chromium.org
Labels: M-54 Te-Logged
Owner: titzer@chromium.org
Status: Assigned (was: Untriaged)
Through codesearch on file instruction-selector.cc, suspected cl could be
https://chromium.googlesource.com/v8/v8/+/580fdf3c05872b1937a136f2f44b39897ecc0972

titzer@, could you please have a look and reassign if needed.
Thank you.

Comment 2 by titzer@chromium.org, Aug 4 2016

Owner: bmeu...@chromium.org
The repro doesn't involve asm.js or WASM, so it shouldn't be generating UnalignedLoad. Looks like some node didn't get lowered or trimmed from the graph. Reassigning to bmeurer@.

Comment 3 by mummare...@chromium.org, Aug 4 2016 

Thank you very much.

Comment 4 by bmeu...@chromium.org, Aug 16 2016

Owner: mvstan...@chromium.org
Michael, can you investigate while I'm OOO?

Comment 5 by mvstan...@chromium.org, Aug 17 2016

Status: Started (was: Assigned)
Sure thing...

Comment 6 by mvstan...@chromium.org, Aug 17 2016 

Hmm, tough to reproduce. The v8 version is 5.4.299, from Friday, July 29th.
I get an assert in compile.cc about bytecode at that point with the repro flags

--ignition --turbo-from-bytecode --always-opt

And current builds don't repro.
#
# Fatal error in ../src/compiler.cc, line 1364
# Check failed: !info->shared_info()->is_compiled().
#

==== C stack trace ===============================

 1: V8_Fatal
 2: 0x913f82
 3: 0x91173f
 4: v8::internal::Compiler::GetOptimizedCodeForOSR(v8::internal::Handle<v8::internal::JSFunction>, v8::internal::BailoutId, v8::internal::JavaScriptFrame*)
 5: 0xfc9560
 6: v8::internal::Runtime_CompileForOnStackReplacement(int, v8::internal::Object**, v8::internal::Isolate*)
 7: 0xf743e0063a7
Illegal instruction (core dumped)

Comment 7 by mvstan...@chromium.org, Aug 22 2016

Status: WontFix (was: Started)
Unable to repro, and the bug in compiler.cc that I hit when trying to reproduce on an old tree was indicative of big changes happening in the pipeline at that point (in order to support the bifurcated pipeline of Ignition->TF and Ignition->FCG->Crankshaft).
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment