Crash in v8::internal::Simulator::DecodeType2

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5330810145341440

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000004
Crash State:
  v8::internal::Simulator::DecodeType2
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute

Regressed: V8: r40910:40911

Minimized Testcase (0.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96rkeNqb8NdzBEV6Be_s6Imbgo7NajpirfrrKYLo4eW3Ja_Fs2nJUoqzMPW6AQlSCbICJo-OJg756TCfJxtx9piVJNKAp1TjqZXufQeBRrQ_Inh8YnUFfYJEBTYpZadc_ZsDurUqk8D90GZQDed-m_yKeKyVg?testcase_id=5330810145341440

Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Nov 16 2016
For some reason TurboFan is emitting a Store[kPointerWriteBarrier] even though the value being stored is a Smi. I am investigating.

Nov 16 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/31a8ec776241d97d59e89d46cf184342bab8720f

commit 31a8ec776241d97d59e89d46cf184342bab8720f
Author: mstarzinger <mstarzinger@chromium.org>
Date: Wed Nov 16 12:52:46 2016

[turbofan] Fix bogus representation for {kCheckTaggedHole}.

The operator in question is guaranteed to produce a tagged value that is not equal to the-hole, it however does not guarantee the value to be a HeapObject. The correct representation hence is {kTagged}.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-665587
BUG=chromium:665587

Review-Url: https://codereview.chromium.org/2504183002
Cr-Commit-Position: refs/heads/master@{#41032}

[modify] https://crrev.com/31a8ec776241d97d59e89d46cf184342bab8720f/src/compiler/simplified-lowering.cc
[add] https://crrev.com/31a8ec776241d97d59e89d46cf184342bab8720f/test/mjsunit/regress/regress-crbug-665587.js

Nov 16 2016

Nov 16 2016
ClusterFuzz has detected this issue as fixed in range 41031:41032.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5330810145341440

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000004
Crash State:
  v8::internal::Simulator::DecodeType2
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute

Regressed: V8: r40910:40911
Fixed: V8: r41031:41032

Minimized Testcase (0.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96rkeNqb8NdzBEV6Be_s6Imbgo7NajpirfrrKYLo4eW3Ja_Fs2nJUoqzMPW6AQlSCbICJo-OJg756TCfJxtx9piVJNKAp1TjqZXufQeBRrQ_Inh8YnUFfYJEBTYpZadc_ZsDurUqk8D90GZQDed-m_yKeKyVg?testcase_id=5330810145341440

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot

Feb 24 2017
This needs backmerging to 5.6.

Feb 24 2017
Issue 692721 has been merged into this issue.

Feb 27 2017
Re comment #7: Talking with hablich@ it seems that there is no further release of M56 planned, so merging back to 5.6 at this point doesn't make much sense anymore. Please let me know in case there are other reasons for a merge.

Feb 28 2017
Indeed. Closing the loop.
Comment 1 by ishell@chromium.org
Nov 15 2016
Labels: -OS-Linux OS-All
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)