
Issue 638132 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Word32Or of kRepWord32 (None) cannot be changed to kRepBit in representation-cha

Reported by ClusterFuzz (Project Member), Aug 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5090132317437952

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Word32Or of kRepWord32 (None) cannot be changed to kRepBit in representation-cha
  
Regressed: V8: r38617:38618

Minimized Testcase (7.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97WDsR6JLOxQ3SnleklpVg8U50o7D-2UuKMfgyP9y1Rqed_pIwZVaiIQWbaSfG9XoNYAdKaG6yjzecjeNne4rFGbtHYJnY09c8fMO5IIMcFsioach2kRk-sKZr2baq4zuUezHBx80RojcyvuUru-3lnfs7ydw?testcase_id=5090132317437952

Issue manually filed by: titzer

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by titzer@chromium.org, Aug 16 2016

Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by ClusterFuzz (Project Member), Aug 16 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6267341379993600

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Word32Xor of kRepWord32 (None) cannot be changed to kRepBit in representation-ch
  
Regressed: V8: r38617:38618

Minimized Testcase (7.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96JZXa3FdUh9kd4wRHKQ4gNfJpRUyIIRNyekdlx8d4uDRA51lstm4eVCWFpwbZLmGKZhKkmbBCcBhQz8G8wlFsjdlTNNbLD8NzUORBI3ikaTfaZbGQMjqQzWDTZ16mnNOkKk62lMC7Na2Tfd9rhsS4gvaPtMw?testcase_id=6267341379993600

Issue manually filed by: titzer

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 3 by ClusterFuzz (Project Member), Aug 16 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5090132317437952

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Word32Or of kRepWord32 (None) cannot be changed to kRepBit in representation-cha
  
Regressed: V8: r38617:38618

Minimized Testcase (7.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97WDsR6JLOxQ3SnleklpVg8U50o7D-2UuKMfgyP9y1Rqed_pIwZVaiIQWbaSfG9XoNYAdKaG6yjzecjeNne4rFGbtHYJnY09c8fMO5IIMcFsioach2kRk-sKZr2baq4zuUezHBx80RojcyvuUru-3lnfs7ydw?testcase_id=5090132317437952

Issue manually filed by: titzer

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 4 by ClusterFuzz (Project Member), Aug 16 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6246013411262464

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Float64Sub of kRepFloat64 (None) cannot be changed to kRepBit in representation-
  

Minimized Testcase (6.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Kj1tzxsUL1TbPGqqF_63TNEXIO6yKTx_plC5NH6JMGO1dbw8pv9AxQSuPXdgfTLp7kb0UgMbnuS_UCPPwsIuHnK6tcBtqMBkgU5FrwRC-o29frod4Qv0vhvKc5L4YSIMqmq5o-cxXmMlPlT_Oj4NIhD1HZQ?testcase_id=6246013411262464

Issue manually filed by: titzer

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 5 by ClusterFuzz (Project Member), Aug 18 2016

ClusterFuzz has detected this issue as fixed in range 38681:38682.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5090132317437952

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Word32Or of kRepWord32 (None) cannot be changed to kRepBit in representation-cha
  
Regressed: V8: r38617:38618
Fixed: V8: r38681:38682

Minimized Testcase (7.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97WDsR6JLOxQ3SnleklpVg8U50o7D-2UuKMfgyP9y1Rqed_pIwZVaiIQWbaSfG9XoNYAdKaG6yjzecjeNne4rFGbtHYJnY09c8fMO5IIMcFsioach2kRk-sKZr2baq4zuUezHBx80RojcyvuUru-3lnfs7ydw?testcase_id=5090132317437952

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by ClusterFuzz (Project Member), Aug 18 2016

ClusterFuzz has detected this issue as fixed in range 38681:38682.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6267341379993600

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Word32Xor of kRepWord32 (None) cannot be changed to kRepBit in representation-ch
  
Regressed: V8: r38617:38618
Fixed: V8: r38681:38682

Minimized Testcase (7.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96JZXa3FdUh9kd4wRHKQ4gNfJpRUyIIRNyekdlx8d4uDRA51lstm4eVCWFpwbZLmGKZhKkmbBCcBhQz8G8wlFsjdlTNNbLD8NzUORBI3ikaTfaZbGQMjqQzWDTZ16mnNOkKk62lMC7Na2Tfd9rhsS4gvaPtMw?testcase_id=6267341379993600

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by bugdroid1@chromium.org (Project Member), Aug 25 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe

commit c83b21ab755f1420b6da85b3ff43d7e96ead9bbe
Author: jarin <jarin@chromium.org>
Date: Thu Aug 25 06:06:43 2016

[turbofan] Insert dummy values when changing from None type.

Currently we choose the MachineRepresentation::kNone representation for
values of Type::None, and when converting values from the kNone representation
we use "impossible" conversions that will crash at runtime. This
assumes that the impossible conversions should never be hit (the only
way to produce the impossible values is to perform an always-failing
runtime check on a value, such as Smi-checking a string). Note that
this assumes that the runtime check is executed before the impossible
conversion.

Introducing BitwiseOr type feedback broke this in two ways:

- we always pick Word32 representation for bitwise-or, so the
  impossible conversion does not trigger (it only triggers with
  None representation), and we could end up with unsupported
  conversions from Word32.

- even if we inserted impossible conversions, they are pure conversions.
  Since untagging, bitwise-or operations are also pure, we could hoist
  all these before the smi check of the inputs and we could hit the
  impossible conversions before we get to the smi check.

This CL addresses this by just providing dummy values for conversions
from the Type::None type. It also removes the impossible-to-* conversions.

BUG= chromium:638132 

Review-Url: https://codereview.chromium.org/2266823002
Cr-Commit-Position: refs/heads/master@{#38883}

[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/bailout-reason.h
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/arm/code-generator-arm.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/arm64/code-generator-arm64.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/ia32/code-generator-ia32.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/instruction-codes.h
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/instruction-scheduler.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/instruction-selector.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/machine-operator.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/machine-operator.h
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/mips/code-generator-mips.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/mips64/code-generator-mips64.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/opcodes.h
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/ppc/code-generator-ppc.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/representation-change.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/s390/code-generator-s390.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/typer.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/verifier.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/x64/code-generator-x64.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/src/compiler/x87/code-generator-x87.cc
[modify] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/test/cctest/compiler/test-representation-change.cc
[add] https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe/test/mjsunit/compiler/regress-638132.js
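
The two failure modes described in the commit message above (an unsupported Word32-to-Bit change requested for a None-typed value, and a pure "impossible" conversion being hoisted above the Smi check that was supposed to guard it), as an added toy model in C++. This is illustration code written for this page, not V8's RepresentationChanger or scheduler: the `Rep`/`Type`/`Policy` enums, the `SupportedConversion` table, the `Node` graph, the hoist-everything scheduler and the `Simulate` scenario are all constructed, and only the representation names follow the crash state on this bug.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <stdexcept>
#include <string>
#include <vector>

// Toy model of a representation changer (constructed; not V8 code).
// Representation names follow the crash state reported on this bug.
enum class Rep { kNone, kBit, kWord32, kFloat64, kTagged };
enum class Type { kAny, kNone };
enum class Policy { kImpossibleConversion, kDummyValue };  // before / after the fix
enum class Outcome { kOk, kDeopt, kCrash };

const char* RepName(Rep r) {
  static const char* const kNames[] = {"kRepNone", "kRepBit", "kRepWord32",
                                       "kRepFloat64", "kRepTagged"};
  return kNames[static_cast<int>(r)];
}

struct Node {
  std::string name;
  bool pure;                     // pure nodes have no effect edge and may be hoisted
  std::function<Outcome()> run;  // what happens if the node executes at runtime
};

// Constructed table of conversions the toy changer can lower. Word32->Bit is
// deliberately absent, matching "kRepWord32 (None) cannot be changed to kRepBit".
bool SupportedConversion(Rep from, Rep to) {
  if (from == to) return true;
  if (to == Rep::kBit) return from == Rep::kTagged;
  return from != Rep::kNone && to != Rep::kNone;
}

// Build the node that changes a value of static type `type` from `from` to `to`.
// Throws to model a compile-time CHECK failure inside the changer.
Node ChangeRepresentation(Rep from, Rep to, Type type, Policy policy) {
  std::string name = std::string("Change(") + RepName(from) + "->" + RepName(to) + ")";
  if (type == Type::kNone && policy == Policy::kDummyValue) {
    // After the fix: a None-typed value becomes a harmless dummy in the target rep.
    return {"Dummy(" + name + ")", true, [] { return Outcome::kOk; }};
  }
  if (from == Rep::kNone) {
    // Before the fix: a pure "impossible" conversion that traps if it ever runs.
    return {"Impossible(" + name + ")", true, [] { return Outcome::kCrash; }};
  }
  if (!SupportedConversion(from, to)) {
    throw std::runtime_error(name + ": unsupported conversion (CHECK failure)");
  }
  return {name, true, [] { return Outcome::kOk; }};
}

// Worst-case legal schedule: every pure node is placed ahead of the effectful check.
std::vector<Node> HoistPureNodes(std::vector<Node> graph) {
  std::stable_partition(graph.begin(), graph.end(),
                        [](const Node& n) { return n.pure; });
  return graph;
}

Outcome Execute(const std::vector<Node>& schedule) {
  for (const Node& n : schedule) {
    Outcome o = n.run();
    if (o != Outcome::kOk) return o;
  }
  return Outcome::kOk;
}

// Scenario: Smi-check a value that is really a string (the check always fails), then
// feed the None-typed result to Word32Or. `rep` is the representation chosen for it.
Outcome Simulate(Rep rep, Policy policy, bool hoist) {
  const bool input_is_smi = false;  // constructed runtime state
  std::vector<Node> graph;
  graph.push_back({"CheckSmi(x)", false,
                   [input_is_smi] { return input_is_smi ? Outcome::kOk : Outcome::kDeopt; }});
  graph.push_back(ChangeRepresentation(rep, Rep::kBit, Type::kNone, policy));
  graph.push_back({"Word32Or", true, [] { return Outcome::kOk; }});
  std::vector<Node> schedule = hoist ? HoistPureNodes(graph) : graph;
  return Execute(schedule);
}

// True if lowering itself dies in the changer (the CHECK failure ClusterFuzz reported).
bool LoweringChecksFail(Rep rep, Policy policy) {
  try {
    Simulate(rep, policy, false);
    return false;
  } catch (const std::runtime_error&) {
    return true;
  }
}

int main() {
  std::printf("old policy, Word32 rep: lowering CHECK fails = %d\n",
              static_cast<int>(LoweringChecksFail(Rep::kWord32, Policy::kImpossibleConversion)));
  std::printf("old policy, None rep, hoisted: outcome = %d (2 = crash)\n",
              static_cast<int>(Simulate(Rep::kNone, Policy::kImpossibleConversion, true)));
  std::printf("new policy, None rep, hoisted: outcome = %d (1 = deopt)\n",
              static_cast<int>(Simulate(Rep::kNone, Policy::kDummyValue, true)));
  return 0;
}
```

The point the model makes is the one the commit message makes: a trapping node that is pure carries no effect dependency, so a scheduler is entitled to move it above the guard that was meant to make it unreachable, and the "impossible" path then fires on a perfectly ordinary deopt. Replacing it with a dummy value in the requested representation removes both hazards at once, because there is no longer anything that can trap and no longer a conversion the changer cannot lower.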

Comment 8 by jarin@chromium.org, Aug 25 2016

Status: Fixed (was: Assigned)

Comment 9 by ClusterFuzz (Project Member), Aug 25 2016

ClusterFuzz has detected this issue as fixed in range 38882:38883.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6246013411262464

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Float64Sub of kRepFloat64 (None) cannot be changed to kRepBit in representation-
  
Regressed: V8: r38158:38159
Fixed: V8: r38882:38883

Minimized Testcase (6.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Kj1tzxsUL1TbPGqqF_63TNEXIO6yKTx_plC5NH6JMGO1dbw8pv9AxQSuPXdgfTLp7kb0UgMbnuS_UCPPwsIuHnK6tcBtqMBkgU5FrwRC-o29frod4Qv0vhvKc5L4YSIMqmq5o-cxXmMlPlT_Oj4NIhD1HZQ?testcase_id=6246013411262464

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by bugdroid1@chromium.org (Project Member), Aug 25 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a55fdb1e7c19e2f9868190284df56bcf709dbf12

commit a55fdb1e7c19e2f9868190284df56bcf709dbf12
Author: bmeurer <bmeurer@chromium.org>
Date: Thu Aug 25 08:49:55 2016

Revert of [turbofan] Insert dummy values when changing from None type. (patchset #5 id:80001 of https://codereview.chromium.org/2266823002/ )

Reason for revert:
Octane/Mandreel aborts with an exception now:

TypeError: __FUNCTION_TABLE__[(r2 >> 2)] is not a function

Original issue's description:
> [turbofan] Insert dummy values when changing from None type.
>
> Currently we choose the MachineRepresentation::kNone representation for
> values of Type::None, and when converting values from the kNone representation
> we use "impossible" conversions that will crash at runtime. This
> assumes that the impossible conversions should never be hit (the only
> way to produce the impossible values is to perform an always-failing
> runtime check on a value, such as Smi-checking a string). Note that
> this assumes that the runtime check is executed before the impossible
> conversion.
>
> Introducing BitwiseOr type feedback broke this in two ways:
>
> - we always pick Word32 representation for bitwise-or, so the
>   impossible conversion does not trigger (it only triggers with
>   None representation), and we could end up with unsupported
>   conversions from Word32.
>
> - even if we inserted impossible conversions, they are pure conversions.
>   Since untagging, bitwise-or operations are also pure, we could hoist
>   all these before the smi check of the inputs and we could hit the
>   impossible conversions before we get to the smi check.
>
> This CL addresses this by just providing dummy values for conversions
> from the Type::None type. It also removes the impossible-to-* conversions.
>
> BUG= chromium:638132 
>
> Committed: https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe
> Cr-Commit-Position: refs/heads/master@{#38883}

TBR=mstarzinger@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= chromium:638132 

Review-Url: https://codereview.chromium.org/2280613002
Cr-Commit-Position: refs/heads/master@{#38893}

[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/bailout-reason.h
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/arm/code-generator-arm.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/arm64/code-generator-arm64.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/ia32/code-generator-ia32.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/instruction-codes.h
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/instruction-scheduler.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/instruction-selector.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/machine-operator.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/machine-operator.h
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/mips/code-generator-mips.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/mips64/code-generator-mips64.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/opcodes.h
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/ppc/code-generator-ppc.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/representation-change.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/s390/code-generator-s390.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/typer.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/verifier.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/x64/code-generator-x64.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/src/compiler/x87/code-generator-x87.cc
[modify] https://crrev.com/a55fdb1e7c19e2f9868190284df56bcf709dbf12/test/cctest/compiler/test-representation-change.cc
[delete] https://crrev.com/ba9367db6097083f7f3d8ef6982e7f7b65cdaaf7/test/mjsunit/compiler/regress-638132.js


Comment 11 by bugdroid1@chromium.org (Project Member), Aug 25 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946

commit 2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946
Author: jarin <jarin@chromium.org>
Date: Thu Aug 25 16:57:31 2016

Reland of [turbofan] Insert dummy values when changing from None type.

This reverts commit a55fdb1e7c19e2f9868190284df56bcf709dbf12, relands
https://codereview.chromium.org/2266823002/.

BUG= chromium:638132 

Review-Url: https://codereview.chromium.org/2277283002
Cr-Commit-Position: refs/heads/master@{#38917}

[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/bailout-reason.h
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/arm/code-generator-arm.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/arm64/code-generator-arm64.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/ia32/code-generator-ia32.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/instruction-codes.h
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/instruction-scheduler.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/instruction-selector.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/machine-operator.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/machine-operator.h
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/mips/code-generator-mips.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/mips64/code-generator-mips64.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/opcodes.h
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/ppc/code-generator-ppc.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/representation-change.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/s390/code-generator-s390.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/typer.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/verifier.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/x64/code-generator-x64.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/src/compiler/x87/code-generator-x87.cc
[modify] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/test/cctest/compiler/test-representation-change.cc
[add] https://crrev.com/2a97b1bcb16a905ae4c10ba11f8efdfe5e2b9946/test/mjsunit/compiler/regress-638132.js


Comment 12 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
