IrOpcode::kLoop == GetControlDependency()->opcode() in bytecode-graph-builder.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6297440590495744

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  IrOpcode::kLoop == GetControlDependency()->opcode() in bytecode-graph-builder.cc

Regressed: V8: r39236:39237

Minimized Testcase (10.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94qENoQSC_6h_d-7JewO1sHSyf5hKh21YeTMQgOHmNE5bNc2-V9CKEBipLX3mcZFtHDPoSvUeQJUxXLCFO30I1W9zUXxLQnJFNbP1pgYKYRcORn2mB5kCHM_874wMDMv9_gGksRG7G5dRBGyCCXsrdCdT-5fA?testcase_id=6297440590495744

Issue manually filed by: titzer

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 12 2016

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --ignition-staging

function f() {
  for (var i = 0; i < 3; ++i) {
    if (i == 1) {
      // Request on-stack replacement for this loop, then leave it
      // immediately so the OSR entry is resolved against the next loop.
      %OptimizeOsr();
      break;  // Trigger next loop.
    }
  }
  while (true) {
    throw "no loop, thank you";
  }
}

assertThrows(f);
Sep 13 2016

ClusterFuzz has detected this issue as fixed in range 39345:39346.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6297440590495744

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  IrOpcode::kLoop == GetControlDependency()->opcode() in bytecode-graph-builder.cc

Regressed: V8: r39236:39237
Fixed: V8: r39345:39346

Minimized Testcase (10.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94qENoQSC_6h_d-7JewO1sHSyf5hKh21YeTMQgOHmNE5bNc2-V9CKEBipLX3mcZFtHDPoSvUeQJUxXLCFO30I1W9zUXxLQnJFNbP1pgYKYRcORn2mB5kCHM_874wMDMv9_gGksRG7G5dRBGyCCXsrdCdT-5fA?testcase_id=6297440590495744

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 13 2016

ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 13 2016

Nope. Not fixed.
Sep 13 2016

Now addressed by: https://crrev.com/c9864173f145c14866bcbf94759c53aa65847291

Will land a regression test for this specific issue in a follow-up CL.
Sep 13 2016

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/85289749f476379964e39f6f4cdc2a8f6ea5b9ec

commit 85289749f476379964e39f6f4cdc2a8f6ea5b9ec
Author: mstarzinger <mstarzinger@chromium.org>
Date: Tue Sep 13 13:22:47 2016

[interpreter] Add regression test for bogus OSR entry.

This adds a regression test for a bug where {OsrPoll} instructions within
the bytecode stream ended up outside of actual loops. This has been fixed
already, by merging {OsrPoll} into the backwards branch.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-645888
BUG= chromium:645888

Review-Url: https://codereview.chromium.org/2337033002
Cr-Commit-Position: refs/heads/master@{#39385}

[add] https://crrev.com/85289749f476379964e39f6f4cdc2a8f6ea5b9ec/test/mjsunit/regress/regress-crbug-645888.js
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Sep 18 2017

We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by mstarzinger@chromium.org, Sep 12 2016
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)