HeapConstant of kRepTagged (Constant(1CNUMBER <FixedArray[0]>)) cannot be change
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4713294671904768

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  HeapConstant of kRepTagged (Constant(1CNUMBER <FixedArray[0]>)) cannot be change
  V8_Fatal
  v8::internal::compiler::RepresentationChanger::TypeError
  v8::internal::compiler::RepresentationChanger::GetWord32RepresentationFor

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=413785:413791

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95aQND0HJM6HdCJ_sKow-cOcpzeA9vDTOl4XTqpUKVtfB9b5ofyteZzRuLlF-Jf6PeVUGUiIMvYgkOwEtS4n4BwqYQjoYTLPlnPApaf_E1Yx7OemLs-JFFVE80liIlW0FProuiIdzDSXKoQqV27wFXmzLrbsw?testcase_id=4713294671904768

    // Run with: d8 --allow-natives-syntax <file>  (%OptimizeFunctionOnNextCall needs the flag)
    (function __f_2() { })();
    function __f_3() { print(); }
    // Trained on strings first, so the optimizer sees string-length feedback for a.length.
    function __f_4(a) { return a.length; }
    __f_4('0');
    __f_4('1');
    // The empty array literal does not escape once __f_4 is inlined into __f_5.
    function __f_5() { __f_3(__f_4([])); }
    __f_5();
    %OptimizeFunctionOnNextCall(__f_5);
    __f_5();

Issue manually filed by: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 24 2016
durga.behera: please read https://github.com/v8/v8/wiki/Triaging%20issues.
Aug 24 2016
Requires escape analysis.
Sep 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/4b2c6d03e444e91cc4f02539abc0633406dc66d3

commit 4b2c6d03e444e91cc4f02539abc0633406dc66d3
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Fri Sep 23 11:01:46 2016

[turbofan] Add proper type guards to escape analysis.

This makes sure the {EscapeAnalysisReducer} inserts proper {TypeGuard} nodes if the replacement node is not a subtype of the original node. This happens predominantly for code that has been made unreachable by type checks.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-640497
BUG=chromium:640497

Review URL: https://codereview.chromium.org/2363573003
Cr-Commit-Position: refs/heads/master@{#39656}

[modify] https://crrev.com/4b2c6d03e444e91cc4f02539abc0633406dc66d3/src/compiler/escape-analysis-reducer.cc
[add] https://crrev.com/4b2c6d03e444e91cc4f02539abc0633406dc66d3/test/mjsunit/regress/regress-crbug-640497.js
[modify] https://crrev.com/4b2c6d03e444e91cc4f02539abc0633406dc66d3/test/unittests/compiler/escape-analysis-unittest.cc
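The call pattern the commit message describes (length feedback trained on strings, then a non-escaping empty array whose escape-analysis replacement has a different type than the feedback promised), as an added example that is neither the page's minimized testcase nor V8's mjsunit regression test. It drops %OptimizeFunctionOnNextCall so it runs under plain node or d8 without --allow-natives-syntax, and therefore assumes that a hot loop is enough for the engine to tier the function up; the function names lengthOf, lengthOfFreshArray, trainOnStrings and runRegression are this example's own.

```javascript
// Added example (not the page's testcase or V8's own regression test):
// the same call pattern as the minimized testcase, rewritten to run
// without --allow-natives-syntax. Tier-up is left to the engine's own
// heuristics (an assumption: a hot loop is usually, not always, enough).

// Same shape as __f_4: a generic property load whose type feedback is
// first trained on strings, so the array case is reached only through a
// path the optimizer considers unlikely.
function lengthOf(a) {
  return a.length;
}

// Same shape as __f_5: the argument is a fresh empty array literal that
// never escapes once lengthOf is inlined, which is what hands escape
// analysis a replacement node (an empty FixedArray constant) whose type
// differs from the string-length value the feedback promised.
function lengthOfFreshArray() {
  return lengthOf([]);
}

// Train the feedback on strings first, as the testcase does with '0' and '1'.
// Returns the sum of the lengths seen, so callers can check the training ran.
function trainOnStrings(count) {
  let acc = 0;
  for (let i = 0; i < count; i++) {
    acc += lengthOf(String(i));
  }
  return acc;
}

// Drive the array path hot enough that TurboFan may pick it up, and return
// how many results disagree with the expected 0. On a build with the fix
// this is 0; on an affected build with forced optimization d8 aborted with
// the CHECK failure from the report rather than returning a wrong value.
function runRegression(iterations) {
  trainOnStrings(1000);
  let mismatches = 0;
  for (let i = 0; i < iterations; i++) {
    if (lengthOfFreshArray() !== 0) {
      mismatches++;
    }
  }
  return mismatches;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('mismatches:', runRegression(100000));
}
```

Because the failure on the affected revisions was a CHECK abort, a mismatch count is only meaningful on a build that survives; to force the optimizer the way the original testcase does, run the same file under d8 with --allow-natives-syntax and add a %OptimizeFunctionOnNextCall(lengthOfFreshArray) call after the first warm-up call.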
Sep 23 2016

Sep 24 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by durga.behera@chromium.org, Aug 24 2016
Labels: M-54 Te-Logged
Status: Available (was: Untriaged)