Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5028467218579456

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: d29

Sanitizer: address (ASAN)

Minimized Testcase (0.30 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96PcRgSfRLswHKxUA_hEmUwmDBzRw-v8wk_RTd8BrtkytNSpP6iuGLJ0r1XhR7QtQdu2hDQfs_YFp8nP_jPM2QcBum2McoOOgzMX-fo8xZZI8i3adrpvxX060c8jXP23eTAnIW5aLYeIFMAUZVQxS69xtvCXBghrZco36Myq6S_tgqbo8Nnz2CDWbHFj7bDSerkhxB5UN68jP9riTLxXQH0nqHjbEgv_UTy-QFOzGX01eP2eMtuQYiHbp1LM7-hlYqrSpTntnjom4VrDqZ_qAnqs5Ra9VCGAjhAhxhmbQdNy6X2merFrKVOr3iIDmYGkflqITzrbz2V24naxfCNNl48VyJy7OmgKQNlVH0DP0W-62p3deo?testcase_id=5028467218579456

switch (typeof value) { }
assertEquals = function assertEquals(expected, found) { print(found); };
function __f_0() {
  for (i = 3; i < 0x40000; ++i) { }
  d4 = [, 2.5, ,];
  assertEquals(undefined, d4[2]);
}
__f_0();
print("v8-foozzie source: /v8/test/mjsunit/math-floor-part1.js");
__f_0();

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Deoptimizer losing bit pattern of {double} values, hence swallowing our "hole-nan" value.
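An added example, not code from the bug report or from V8: it inspects the IEEE-754 bit pattern of a double through typed-array views, re-runs the hole read from the repro after enough warm-up for the optimizing tier (the shape of the regression test), and checks the converse property the deoptimizer fix relies on: a script-built NaN carrying the hole payload must read back as a number, never as a hole. The function names doubleBits, bitsAreNaN, doubleFromBits, holeReadsAfterWarmup and craftedNaNStaysNumber are mine; the hole NaN words 0xFFF7FFFF/0xFFF7FFFF are taken from V8's globals.h of that era (kHoleNanUpper32/kHoleNanLower32), not from this report. Runs under node.

```javascript
// Added example (not from the bug report): inspect the bit pattern of a double
// and check that array holes stay holes regardless of the JIT tier that runs the read.

// Hex string of the 64-bit IEEE-754 encoding of x, high word first.
function doubleBits(x) {
  const f64 = new Float64Array(1);
  const u32 = new Uint32Array(f64.buffer);
  f64[0] = x;
  // Typed arrays use the platform byte order; on x86/ARM (little-endian)
  // u32[1] holds the sign and exponent word.
  const hi = u32[1].toString(16).padStart(8, "0");
  const lo = u32[0].toString(16).padStart(8, "0");
  return hi + lo;
}

// True when a 64-bit pattern is a NaN: exponent all ones, mantissa non-zero.
function bitsAreNaN(hex) {
  const v = BigInt("0x" + hex);
  const exp = (v >> 52n) & 0x7ffn;
  const mant = v & ((1n << 52n) - 1n);
  return exp === 0x7ffn && mant !== 0n;
}

// Build a double from an explicit bit pattern (high word, low word).
function doubleFromBits(hi, lo) {
  const u32 = new Uint32Array(2);
  u32[1] = hi;
  u32[0] = lo;
  return new Float64Array(u32.buffer)[0];
}

// The sentinel V8 stores in FixedDoubleArray slots to mark a hole is one specific
// NaN (kHoleNanUpper32/kHoleNanLower32 in V8's globals.h at the time; values taken
// from V8 source, not from this report). A script can produce the same bit pattern
// through a typed array, so the engine must canonicalise NaNs it stores, and the
// deoptimizer must not turn a real hole into a plain NaN (the bug in this report).
const HOLE_NAN_HI = 0xfff7ffff;
const HOLE_NAN_LO = 0xfff7ffff;

// The report's check: a literal with holes, read back repeatedly so the optimizing
// tier gets a chance to compile it. Returns the distinct results observed;
// a correct engine yields only `undefined`.
function holeReadsAfterWarmup(iterations) {
  const seen = new Set();
  function readHole() {
    const d4 = [, 2.5, ,]; // length 3: hole, 2.5, hole
    return d4[2];
  }
  for (let i = 0; i < iterations; i++) seen.add(readHole());
  return Array.from(seen);
}

// The converse: a script-constructed NaN with the hole bit pattern, stored into a
// double-elements array, must read back as a number (NaN) and the slot must exist.
function craftedNaNStaysNumber() {
  const arr = [1.5, 2.5];
  arr[0] = doubleFromBits(HOLE_NAN_HI, HOLE_NAN_LO);
  return typeof arr[0] === "number" && Number.isNaN(arr[0]) && (0 in arr);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("bits of NaN:", doubleBits(NaN), "is NaN:", bitsAreNaN(doubleBits(NaN)));
  console.log("hole reads after warm-up:", holeReadsAfterWarmup(100000));
  console.log("crafted hole-NaN stays a number:", craftedNaNStaysNumber());
}
```

The warm-up loop is the portable stand-in for %OptimizeFunctionOnNextCall used in the repro; without --allow-natives-syntax the only way to exercise the optimized path is to run the function enough times.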
Issue 685346 has been merged into this issue.
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/7376e12e00b89d7ba476addeb05058147f8dd91d

commit 7376e12e00b89d7ba476addeb05058147f8dd91d
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Jan 26 09:25:59 2017

[deoptimizer] Preserve double bit patterns correctly.

This makes sure that the deoptimizer preserves the exact bit pattern of
floating-point values (both 32-bit and 64-bit) up to the point where a
potential {HeapNumber} is allocated. It in turn allows us to correctly
recognize the {hole_nan_value} when stored into a {FixedDoubleArray}.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-684208
BUG=chromium:684208

Review-Url: https://codereview.chromium.org/2652303002
Cr-Commit-Position: refs/heads/master@{#42679}

[modify] https://crrev.com/7376e12e00b89d7ba476addeb05058147f8dd91d/src/arm/deoptimizer-arm.cc
[modify] https://crrev.com/7376e12e00b89d7ba476addeb05058147f8dd91d/src/arm64/deoptimizer-arm64.cc
[modify] https://crrev.com/7376e12e00b89d7ba476addeb05058147f8dd91d/src/deoptimizer.cc
[modify] https://crrev.com/7376e12e00b89d7ba476addeb05058147f8dd91d/src/deoptimizer.h
[modify] https://crrev.com/7376e12e00b89d7ba476addeb05058147f8dd91d/src/ia32/deoptimizer-ia32.cc
[modify] https://crrev.com/7376e12e00b89d7ba476addeb05058147f8dd91d/src/mips/deoptimizer-mips.cc
[modify] https://crrev.com/7376e12e00b89d7ba476addeb05058147f8dd91d/src/mips64/deoptimizer-mips64.cc
[modify] https://crrev.com/7376e12e00b89d7ba476addeb05058147f8dd91d/src/ppc/deoptimizer-ppc.cc
[modify] https://crrev.com/7376e12e00b89d7ba476addeb05058147f8dd91d/src/s390/deoptimizer-s390.cc
[modify] https://crrev.com/7376e12e00b89d7ba476addeb05058147f8dd91d/src/x64/deoptimizer-x64.cc
[modify] https://crrev.com/7376e12e00b89d7ba476addeb05058147f8dd91d/src/x87/deoptimizer-x87.cc
[add] https://crrev.com/7376e12e00b89d7ba476addeb05058147f8dd91d/test/mjsunit/regress/regress-crbug-684208.js
ClusterFuzz has detected this issue as fixed in range 42678:42679.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5028467218579456

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: d29

Sanitizer: address (ASAN)

Fixed: V8: 42678:42679

Minimized Testcase (0.30 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96PcRgSfRLswHKxUA_hEmUwmDBzRw-v8wk_RTd8BrtkytNSpP6iuGLJ0r1XhR7QtQdu2hDQfs_YFp8nP_jPM2QcBum2McoOOgzMX-fo8xZZI8i3adrpvxX060c8jXP23eTAnIW5aLYeIFMAUZVQxS69xtvCXBghrZco36Myq6S_tgqbo8Nnz2CDWbHFj7bDSerkhxB5UN68jP9riTLxXQH0nqHjbEgv_UTy-QFOzGX01eP2eMtuQYiHbp1LM7-hlYqrSpTntnjom4VrDqZ_qAnqs5Ra9VCGAjhAhxhmbQdNy6X2merFrKVOr3iIDmYGkflqITzrbz2V24naxfCNNl48VyJy7OmgKQNlVH0DP0W-62p3deo?testcase_id=5028467218579456

switch (typeof value) { }
assertEquals = function assertEquals(expected, found) { print(found); };
function __f_0() {
  for (i = 3; i < 0x40000; ++i) { }
  d4 = [, 2.5, ,];
  assertEquals(undefined, d4[2]);
}
__f_0();
print("v8-foozzie source: /v8/test/mjsunit/math-floor-part1.js");
__f_0();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/8c0c5e8117a0c935d6f2e5f6e540674d46753a87

commit 8c0c5e8117a0c935d6f2e5f6e540674d46753a87
Author: bmeurer <bmeurer@chromium.org>
Date: Wed Apr 12 10:10:48 2017

[turbofan] Properly represent the float64 hole.

The hole NaN should also have proper Type::Hole, and not silently hide in
the Type::Number. This way we can remove all the special casing for the
hole NaN, and we also finally get the CheckNumber right.

This also allows us to remove some ducktape from the Deoptimizer, as for
escape analyzed FixedDoubleArrays we always pass the hole value now to
represent the actual holes.

Also-By: jarin@chromium.org
BUG=chromium:684208,chromium:709753,v8:5267
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2814013003
Cr-Commit-Position: refs/heads/master@{#44603}

[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/compiler/operation-typer.cc
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/compiler/operation-typer.h
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/compiler/typed-optimization.cc
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/compiler/typed-optimization.h
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/compiler/typer.cc
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/compiler/types.h
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/compiler/verifier.cc
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/deoptimizer.cc
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/objects-inl.h
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/objects.cc
[modify] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/src/objects.h
[add] https://crrev.com/8c0c5e8117a0c935d6f2e5f6e540674d46753a87/test/mjsunit/regress/regress-crbug-709753.js
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/2eeb085427ccc7fbb58c7c8a8c5301f5f2b9d29f

commit 2eeb085427ccc7fbb58c7c8a8c5301f5f2b9d29f
Author: bmeurer <bmeurer@chromium.org>
Date: Wed Apr 12 11:27:21 2017

[turbofan] Remove unused word32 truncation case for CheckFloat64Hole.

BUG=chromium:684208,chromium:709753,v8:5267
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2811153003
Cr-Commit-Position: refs/heads/master@{#44608}

[modify] https://crrev.com/2eeb085427ccc7fbb58c7c8a8c5301f5f2b9d29f/src/compiler/simplified-lowering.cc
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2

commit 9372e6d03ddf825a9128cbccaf36e5430b0b9bb2
Author: Michael Hablich <hablich@chromium.org>
Date: Thu Apr 13 12:29:58 2017

Merged: [turbofan] Properly represent the float64 hole.

Revision: 8c0c5e8117a0c935d6f2e5f6e540674d46753a87

BUG=chromium:684208,chromium:709753,v8:5267
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=bmeurer@chromium.org

Change-Id: I98d2a7e39892cd186bb8c9a43c6cf87fc6067d85
Reviewed-on: https://chromium-review.googlesource.com/476671
Reviewed-by: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.9@{#6}
Cr-Branched-From: fe9bb7e6e251159852770160cfb21dad3cf03523-refs/heads/5.9.211@{#1}
Cr-Branched-From: 70ad23791a21c0dd7ecef8d4d8dd30ff6fc291f6-refs/heads/master@{#44591}

[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/compiler/operation-typer.cc
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/compiler/operation-typer.h
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/compiler/typed-optimization.cc
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/compiler/typed-optimization.h
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/compiler/typer.cc
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/compiler/types.h
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/compiler/verifier.cc
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/deoptimizer.cc
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/objects-inl.h
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/objects.cc
[modify] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/src/objects.h
[add] https://crrev.com/9372e6d03ddf825a9128cbccaf36e5430b0b9bb2/test/mjsunit/regress/regress-crbug-709753.js
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/46013d6901425e3820a5f6378c5d1770f536dfb5

commit 46013d6901425e3820a5f6378c5d1770f536dfb5
Author: Michael Hablich <hablich@chromium.org>
Date: Thu Apr 13 21:18:10 2017

Merged: Squashed multiple commits.

Merged: [turbofan] Properly represent the float64 hole.
Revision: 8c0c5e8117a0c935d6f2e5f6e540674d46753a87

Merged: [turbofan] Remove unused word32 truncation case for CheckFloat64Hole.
Revision: 2eeb085427ccc7fbb58c7c8a8c5301f5f2b9d29f

BUG=chromium:684208,chromium:684208,chromium:709753,chromium:709753,v8:5267,v8:5267
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2819653002 .
Cr-Commit-Position: refs/branch-heads/5.8@{#64}
Cr-Branched-From: eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef-refs/heads/5.8.283@{#1}
Cr-Branched-From: 4310cd02d2160b1457baed81a2f40063eb264a21-refs/heads/master@{#43429}

[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/compiler/operation-typer.cc
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/compiler/operation-typer.h
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/compiler/typed-optimization.cc
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/compiler/typed-optimization.h
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/compiler/typer.cc
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/compiler/types.h
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/compiler/verifier.cc
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/deoptimizer.cc
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/objects-inl.h
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/objects.cc
[modify] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/src/objects.h
[add] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/test/mjsunit/regress/regress-crbug-709753.js
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/3e5ace888b36d218a9868fb1f42950778d860d0d

commit 3e5ace888b36d218a9868fb1f42950778d860d0d
Author: hablich <hablich@chromium.org>
Date: Thu Apr 13 21:25:28 2017

Revert of Merged: Squashed multiple commits. (patchset #1 id:1 of https://codereview.chromium.org/2819653002/ )

Reason for revert:
Breaks the build

Original issue's description:
> Merged: Squashed multiple commits.
>
> Merged: [turbofan] Properly represent the float64 hole.
> Revision: 8c0c5e8117a0c935d6f2e5f6e540674d46753a87
>
> Merged: [turbofan] Remove unused word32 truncation case for CheckFloat64Hole.
> Revision: 2eeb085427ccc7fbb58c7c8a8c5301f5f2b9d29f
>
> BUG=chromium:684208,chromium:684208,chromium:709753,chromium:709753,v8:5267,v8:5267
> LOG=N
> NOTRY=true
> NOPRESUBMIT=true
> NOTREECHECKS=true
> TBR=bmeurer@chromium.org
>
> Review-Url: https://codereview.chromium.org/2819653002 .
> Cr-Commit-Position: refs/branch-heads/5.8@{#64}
> Cr-Branched-From: eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef-refs/heads/5.8.283@{#1}
> Cr-Branched-From: 4310cd02d2160b1457baed81a2f40063eb264a21-refs/heads/master@{#43429}
> Committed: https://chromium.googlesource.com/v8/v8/+/46013d6901425e3820a5f6378c5d1770f536dfb5

TBR=bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:684208,chromium:684208,chromium:709753,chromium:709753,v8:5267,v8:5267

Review-Url: https://codereview.chromium.org/2820603002
Cr-Commit-Position: refs/branch-heads/5.8@{#65}
Cr-Branched-From: eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef-refs/heads/5.8.283@{#1}
Cr-Branched-From: 4310cd02d2160b1457baed81a2f40063eb264a21-refs/heads/master@{#43429}

[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/compiler/operation-typer.cc
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/compiler/operation-typer.h
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/compiler/typed-optimization.cc
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/compiler/typed-optimization.h
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/compiler/typer.cc
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/compiler/types.h
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/compiler/verifier.cc
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/deoptimizer.cc
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/objects-inl.h
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/objects.cc
[modify] https://crrev.com/3e5ace888b36d218a9868fb1f42950778d860d0d/src/objects.h
[delete] https://crrev.com/46013d6901425e3820a5f6378c5d1770f536dfb5/test/mjsunit/regress/regress-crbug-709753.js
Not needed for Node.js. 8.x already has the fix, and 6.x doesn't need it.
Comment 1 by machenb...@chromium.org, Jan 24 2017
Status: Available (was: Untriaged)

PTAL. Here's a small repro with ignition/ignition_turbo:

function foo() {
  d4 = [, 2.5, ,];
  return d4[2]
}
foo();
%OptimizeFunctionOnNextCall(foo)
print(foo());

// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 123 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft
# Flags of x64,ignition_turbo: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 123 --ignition-staging --turbo --validate-asm
#
# Difference:
- undefined
+ NaN
#
# Source file: none
#
### Start of configuration x64,ignition:
undefined
### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
NaN
### End of configuration x64,ignition_turbo