New issue
Advanced search Search tips

Issue 726554 link

Starred by 1 user
Status: Fixed
Owner:
jarin@chromium.org
Closed: Jun 2017
Cc:
bmeu...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

CHECK failure: LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep

Project Member Reported by ClusterFuzz, May 26 2017 
Detailed report: https://clusterfuzz.com/testcase?key=6273728140017664

Fuzzer: inferno_js_fuzzer
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=471691:471787

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6273728140017664


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ishell@chromium.org, May 26 2017

Cc: bmeu...@chromium.org
Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)
Bisects to 168eb163a71eca13dd8bbe5854d5589aa885e065, reproduces on TOT.

Comment 2 by jarin@chromium.org, May 29 2017 

The problem seems to be the interplay between load elimination and our machinery for hole checks. The trouble is that LoadElement with non-holey elements-kind gets replaced with LoadElement with holey elements kind + type-guard. Representation inference then does not know how to convert the float64 input (of type NumberHole) to a tagged value.

We could teach it how to do that, but this value then goes into CheckFloat64Hole, which would then want to convert the value back to float64, which would also be bad.

Smaller test case:

function h(a,b){
  for(var i=0; i<a.length; i++) {h(a[i],b[i]); }
}

function g() {
  h(arguments.length, 2);
}

function f() {
  return g(1, 2);
}

b = [1,,];
b[1] = 3.5;

h(b, [1073741823, 2147483648, -12]);

f();
f();
%OptimizeFunctionOnNextCall(f);
f();
Project Member

Comment 3 by bugdroid1@chromium.org, Jun 6 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5005faed5cd4890dd2eb28384f09e68b10d07df2

commit 5005faed5cd4890dd2eb28384f09e68b10d07df2
Author: jarin <jarin@chromium.org>
Date: Tue Jun 06 14:45:26 2017

[turbofan] Improve representation selection for type guard.

This takes into account the type of the type guard when choosing
representation for a node. To make the representation changes
unambiguous, we pass the restricted type to the changer.

BUG= chromium:726554 

Review-Url: https://codereview.chromium.org/2920193004
Cr-Commit-Position: refs/heads/master@{#45734}

[modify] https://crrev.com/5005faed5cd4890dd2eb28384f09e68b10d07df2/src/compiler/simplified-lowering.cc
[add] https://crrev.com/5005faed5cd4890dd2eb28384f09e68b10d07df2/test/mjsunit/compiler/regress-726554.js
Project Member

Comment 4 by ClusterFuzz, Jun 7 2017 

ClusterFuzz has detected this issue as fixed in range 477431:477482.

Detailed report: https://clusterfuzz.com/testcase?key=6273728140017664

Fuzzer: inferno_js_fuzzer
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=471691:471787
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=477431:477482

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6273728140017664


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by jarin@chromium.org, Jun 7 2017

Status: Fixed (was: Assigned)

Sign in to add a comment