Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5064978534236160
Fuzzer: mbarbella_js_mutation
Job Type: linux_ubsan_vptr_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: LoadField of kRepTaggedSigned (Signed32) cannot be changed to kRepFloat32 in rep
Sanitizer: undefined (UBSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_d8&range=416613:416628
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94yf1ap3xkGIpo4xCpAc0BAzgAdTG0doTVd4fliI75Vz4D_Rl1A0IqAU3alCqXRvCj0vXvmq7I7DB8rZICAl-OD7GbPtJn-IrnYiweSU4J5vHdnNjsi7RnsKke4ZP6i0_tGXD1o7nF1_c2BFfXElyp-gM0hoMIr-Ktu1-G-jTdjbz25Uwb67zeXA_0pYiu4WdTraNAF20CgN06qO2GOHzHoXyGTyYJBGLqEo-b6qIWPaBpKS9kq154IcgPELO7qarZmjXM_IqCG0h_PmQ3aZKCi3x0pTx4phu-VzD6taTwTTaXuFV97Hzaa2RvBqHstn6hOAIXFbWgtG58DDMKeZuYrZ-fq4Puz7SnFWRbH8Zz6NgDNcmU_o46uVAEprlGE-HkatUX2tef-kw168ePEEbJ_BDexwQ?testcase_id=5064978534236160

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/8c114d173782904674f9ef58d5f881517e80937d

commit 8c114d173782904674f9ef58d5f881517e80937d
Author: jarin <jarin@chromium.org>
Date: Wed Mar 15 07:44:59 2017

[turbofan] Handle Smi -> Float32 conversion in representation changer.

BUG= chromium:693425
Review-Url: https://codereview.chromium.org/2749193003
Cr-Commit-Position: refs/heads/master@{#43811}

[modify] https://crrev.com/8c114d173782904674f9ef58d5f881517e80937d/src/compiler/representation-change.cc
[add] https://crrev.com/8c114d173782904674f9ef58d5f881517e80937d/test/mjsunit/compiler/regress-693425.js
ClusterFuzz has detected this issue as fixed in range 456626:457732.

Detailed report: https://clusterfuzz.com/testcase?key=5064978534236160
Fuzzer: mbarbella_js_mutation
Job Type: linux_ubsan_vptr_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: LoadField of kRepTaggedSigned (Signed32) cannot be changed to kRepFloat32 in rep
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=416613:416628
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=456626:457732
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95NQj71llgJJ-49o4cyDf3qTELdl7FK_goqNys3Ywde13CldHHdPJqTivnaYXcVNjuzRCVTVlrmgzmxHWrEveO9bHn2BjgTwAj5UICqGMUsnRc6aamgbliPHFyakHX5D4va6a_bY3sIbovM-2QxX-gkojUXzp9qZFhgTsRE6m_hiIG_5G2yOfYchM8ntJiYwBCLRhGOHlil8OiW6YYnmcq-d-mxMfjNDr7X4161PYBu3VHAePCWT-A-YIgtqNRHB6NRXg2ieZ8gvxbyWOWkaOT1ZzV8BwSX3ZI2Qlf5nKZ5yH_bh-dJ6kJnFhXMbp0Nh1BZulmTSe2kCRdkNbJnShhgW-2J5OIueYC1oVeFUfOhvwchQi9PWJ7EqWQDHM-vjmAf4o0zPlqJoS3kYO3Z5893Ie5-LA?testcase_id=5064978534236160

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by jarin@chromium.org, Feb 17 2017
Status: Assigned (was: Untriaged)