Phi of kRepFloat64 ((Unsigned32 | Negative31)) cannot be changed to kRepWord32 i |
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6225844676853760
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  Phi of kRepFloat64 ((Unsigned32 | Negative31)) cannot be changed to kRepWord32 i
  V8_Fatal
  v8::internal::compiler::RepresentationChanger::TypeError
  v8::internal::compiler::RepresentationChanger::GetWord32RepresentationFor
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=415740:415902

Minimized Testcase (0.32 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96oO4_aVu8YmGm0BtTZRJzPnHDxEi9GSstyAW6QwOlupNqhVG-odwrLK68_9N0c9ef6tGsGhQrEuMHBO2zvoKVD2z71OC84vIzNW4C0rvd3CDmtqlIrZBdTkaZwj0ORnECFU0wWt9Aj32qBIKCGklnOZq8Nig?testcase_id=6225844676853760

  // Sort a real Array whose length is set from the argument.
  function __f_10(__v_19) {
    var __v_11 = new Array();
    __v_11.length = __v_19;
    Array.prototype.sort.call(__v_11);
  }
  __f_10(4);
  __f_10(Math.pow(2,32) - 1); // 2^32 - 1 is the largest valid Array length

  // Same thing on a plain object used as an array-like; the call recurses
  // into itself with 10 until the stack overflows.
  function __f_11(__v_19) {
    var __v_11 = {};
    __v_11.length = __v_19;
    Array.prototype.sort.call(__v_11);
    __f_11(10);
  }
  __f_11(4);
  f = function __f_103 () { }

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 24 2016
Oct 24 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/a58d7907ea0948e185ab2f41d22846d7a7563bc6

commit a58d7907ea0948e185ab2f41d22846d7a7563bc6
Author: bmeurer <bmeurer@chromium.org>
Date: Mon Oct 24 06:36:41 2016

[turbofan] Fix typed lowering of JSToLength.

When lowering JSToLength, we cannot just smash arbitrary bounds on the Select nodes, as that will confuse the representation selection later. Instead properly rename the input using NumberMax and NumberMin.

R=jarin@chromium.org
BUG= chromium:657478
Review-Url: https://codereview.chromium.org/2440333002
Cr-Commit-Position: refs/heads/master@{#40519}

[modify] https://crrev.com/a58d7907ea0948e185ab2f41d22846d7a7563bc6/src/compiler/js-typed-lowering.cc
[add] https://crrev.com/a58d7907ea0948e185ab2f41d22846d7a7563bc6/test/mjsunit/regress/regress-crbug-657478.js
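The commit above concerns how TurboFan lowers JSToLength, the node that implements the ECMAScript ToLength abstract operation which Array.prototype.sort applies to its receiver's "length" property. The following is an added example, not code from the bug report, the commit or V8: a JavaScript model of ToLength (clamp into [0, 2^53 - 1], the max/min the commit message refers to) together with the effect it has on sorting array-likes, using the values the testcase feeds in (4, 2^32 - 1, 10) plus a few constructed edge cases. The names toLength, sortArrayLike and demo are hypothetical and chosen for this example.

```javascript
// Added example (not from the bug report or from V8): a model of the ECMAScript
// ToLength abstract operation, which is what TurboFan's JSToLength node computes.
// Array.prototype.sort applies ToLength to its receiver's "length", so this is
// the conversion the ClusterFuzz testcase drives with 4, 2^32-1 and 10.
// The names toLength, sortArrayLike and demo are hypothetical.

const MAX_SAFE_LENGTH = 2 ** 53 - 1; // upper clamp used by ToLength

// ToLength(argument): ToInteger(argument), then clamp into [0, 2^53 - 1].
// The result range is wider than a 32-bit word, so a lowering that bounds the
// result as if it fit a 32-bit representation produces exactly the kind of
// representation mismatch the CHECK failure in this bug reports.
function toLength(value) {
  const n = Number(value);
  if (Number.isNaN(n) || n <= 0) return 0;      // NaN, -0 and negatives become +0
  const truncated = Math.trunc(n);              // ToInteger drops the fraction
  return Math.min(truncated, MAX_SAFE_LENGTH);  // +Infinity clamps to 2^53 - 1
}

// Array.prototype.sort on an arbitrary receiver: only indices below
// ToLength(obj.length) take part in the sort; other properties are untouched.
function sortArrayLike(obj) {
  Array.prototype.sort.call(obj);
  return obj;
}

// Constructed sample receivers (not from the testcase) exercising the clamping
// edge cases; each is a plain object used as an array-like.
function demo() {
  return {
    fromTestcase: [4, 2 ** 32 - 1, 10].map(toLength),                        // all within range
    fractional:   sortArrayLike({ 0: 'c', 1: 'b', 2: 'a', length: 2.9 }),  // sorts indices 0..1 only
    negative:     sortArrayLike({ 0: 'c', 1: 'b', length: -1 }),            // length 0: nothing sorted
    stringLength: sortArrayLike({ 0: 'c', 1: 'b', length: '2' }),           // "2" coerces to 2
    infinite:     toLength(Infinity),                                        // clamps to 2^53 - 1
  };
}

console.log(demo());
```

The array-like cases show why the operation needs the max/min clamping rather than a 32-bit bound: a length of -1 or 2.9 is legal input and is normalised before sort reads any element, while a length above 2^32 - 1 (impossible for a real Array, but fine for a plain object) still has to round-trip as a double.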
Oct 24 2016
Oct 25 2016
[Automated comment] Request affecting a post-stable build (M54), manual review required.
Oct 25 2016
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Oct 25 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/1c4b7cc041963c6663cd1b4ed6c5414d8d3769c0

commit 1c4b7cc041963c6663cd1b4ed6c5414d8d3769c0
Author: Benedikt Meurer <bmeurer@google.com>
Date: Tue Oct 25 05:41:04 2016

Merged: [turbofan] Fix typed lowering of JSToLength.

Revision: a58d7907ea0948e185ab2f41d22846d7a7563bc6

BUG= chromium:657478
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org

Review URL: https://codereview.chromium.org/2451593002 .

Cr-Commit-Position: refs/branch-heads/5.5@{#24}
Cr-Branched-From: 3cbd5838bd8376103daa45d69dade929ee4e0092-refs/heads/5.5.372@{#1}
Cr-Branched-From: b3c8b0ce2c9af0528837d8309625118d4096553b-refs/heads/master@{#40015}

[modify] https://crrev.com/1c4b7cc041963c6663cd1b4ed6c5414d8d3769c0/src/compiler/js-typed-lowering.cc
[add] https://crrev.com/1c4b7cc041963c6663cd1b4ed6c5414d8d3769c0/test/mjsunit/regress/regress-crbug-657478.js
Oct 25 2016
Per comment #7, this is already merged to M55. Is there anything pending for M55? If not, please remove "Merge-Approved-55" label. Thank you.
Oct 25 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2017
Comment 1 by mmohammad@chromium.org, Oct 19 2016
Status: Assigned (was: Untriaged)