TypeGuard of kRepWord32 (None) cannot be changed to kRepBit in representation-ch |
|||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6331435709628416 Fuzzer: mbarbella_js_mutation Job Type: linux_v8_d8_be Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: TypeGuard of kRepWord32 (None) cannot be changed to kRepBit in representation-ch Regressed: V8: r39031:39048 Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95fbjhiD14Amcs_QKaoWC8NDvDqlnRIjDJSMeNccROnm8Dyap32TnhtzTFVLD988-aCNhaHAwyiS--mMAFYXj5W-h4knLJeESxlTxDJp8o7asr_hp9BsFWNcs3FH2uF5tBlIZYRH5bKVypwlxNYr4_zXSlBpw?testcase_id=6331435709628416 __v_2 = { Error: [ EvalError, URIError ] } for (f in __v_2) { for (i in __v_2[f]) { } } function __f_3() { } function __f_5() { for (i = 0; i < 3; i++) { } } __f_5() == 33; Issue manually filed by: jarin See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Sep 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/432790c92c8541624a2c0c4fc762764840d172ff commit 432790c92c8541624a2c0c4fc762764840d172ff Author: bmeurer <bmeurer@chromium.org> Date: Thu Sep 01 07:11:12 2016 [turbofan] Only check semantic axis for Type::None. R=jarin@chromium.org BUG= chromium:643073 Review-Url: https://codereview.chromium.org/2299903002 Cr-Commit-Position: refs/heads/master@{#39065} [modify] https://crrev.com/432790c92c8541624a2c0c4fc762764840d172ff/src/compiler/representation-change.cc [add] https://crrev.com/432790c92c8541624a2c0c4fc762764840d172ff/test/mjsunit/regress/regress-crbug-643073.js
,
Sep 1 2016
,
Sep 2 2016
ClusterFuzz has detected this issue as fixed in range 39062:39089. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6331435709628416 Fuzzer: mbarbella_js_mutation Job Type: linux_v8_d8_be Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: TypeGuard of kRepWord32 (None) cannot be changed to kRepBit in representation-ch Regressed: V8: r39031:39048 Fixed: V8: r39062:39089 Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95fbjhiD14Amcs_QKaoWC8NDvDqlnRIjDJSMeNccROnm8Dyap32TnhtzTFVLD988-aCNhaHAwyiS--mMAFYXj5W-h4knLJeESxlTxDJp8o7asr_hp9BsFWNcs3FH2uF5tBlIZYRH5bKVypwlxNYr4_zXSlBpw?testcase_id=6331435709628416 __v_2 = { Error: [ EvalError, URIError ] } for (f in __v_2) { for (i in __v_2[f]) { } } function __f_3() { } function __f_5() { for (i = 0; i < 3; i++) { } } __f_5() == 33; See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||
►
Sign in to add a comment |
|||
Comment 1 by jarin@chromium.org
, Sep 1 2016Status: Assigned (was: Untriaged)