The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f70ceeae1d13a151a64cbdb39505ea46c1980db8

commit f70ceeae1d13a151a64cbdb39505ea46c1980db8
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Wed May 31 13:59:38 2017

[turbofan] teach escape analysis about oddly occurring simplified number ops

Bug:  chromium:726638 
Change-Id: Ib30b147ec60f9f13c5164765f8c63be7a1339e9f
Reviewed-on: https://chromium-review.googlesource.com/517497
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45634}
[modify] https://crrev.com/f70ceeae1d13a151a64cbdb39505ea46c1980db8/src/compiler/escape-analysis.cc
[add] https://crrev.com/f70ceeae1d13a151a64cbdb39505ea46c1980db8/test/mjsunit/compiler/escape-analysis-17.js

ClusterFuzz has detected this issue as fixed in range 45633:45634.

Detailed report: https://clusterfuzz.com/testcase?key=6625910626451456

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Encountered unaccounted use by #57 (NumberAdd) in escape-analysis.cc
  v8::internal::compiler::EscapeStatusAnalysis::CheckUsesForEscape
  v8::internal::compiler::EscapeStatusAnalysis::Process
  
Sanitizer: address (ASAN)

Regressed: V8: 43683:43684
Fixed: V8: 45633:45634

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6625910626451456


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6625910626451456 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

What's the security impact of this?  This fix didn't make M-59 for Android:  https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3Ainternal%3A%3Acompiler%3A%3AEscapeStatusAnalysis%3A%3ACheckUsesForEscape%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

See label: Security_Severity-Low

Probably not the end of the world...

The bug is harmless, and the fix just disables too aggressive checks. Since the crash rate of this bug is extremely low and the fix does not improve security, there is no need to back-merge.

This is the #5 renderer crash on M59 on Android (it's only at 1% right now, according to @aluo):

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27%20AND%20product.version%3D%2759.0.3071.92%27%20AND%20custom_data.ChromeCrashProto.channel%3D%27stable%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

I think we should reconsider merging.

If the change is super, super safe and we're sure it's the cause of all those crashes then I'm fine with merging this back to the M59 release branch - but if we're going to do that, we need to do it tonight so that the build I cut as the refresh candidate tomorrow includes it.

It looks safe to me, but I'm not inclined to overrule tebbi's judgment at this late hour (he won't be back online until MUC wakes up).

Also seen on Windows (628 reports on latest stable):

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20product.version%3D%2759.0.3071.86%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3Ainternal%3A%3Acompiler%3A%3AEscapeStatusAnalysis%3A%3ACheckUsesForEscape%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

At least on Windows, I can confirm from the minidumps that the crashes would vanish with this fix. The patch is very safe to back-merge, it only disables a check but does not change behavior. My judgement was based on the wrong assumption that the frequency of the crash is still very low, I should have re-checked that.

At this point we've missed amineer's cutoff, but perhaps we can merge this for a re-spin at some point? Per tebbi, this should be super-safe.

Please merge ASAP.  Approving for 60 as well since it appears the fix missed that branch too, but correct me if I'm wrong.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/46949f320860c79d61b5e50ce2fc3f3a2731189c

commit 46949f320860c79d61b5e50ce2fc3f3a2731189c
Author: Adam Klein <adamk@chromium.org>
Date: Thu Jun 15 20:03:19 2017

Merged: [turbofan] teach escape analysis about oddly occurring simplified number ops

Revision: f70ceeae1d13a151a64cbdb39505ea46c1980db8

BUG= chromium:726638 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=tebbi@chromium.org

Change-Id: If924a1f85f9b9692d869fa94226ea8aca04447c1
Reviewed-on: https://chromium-review.googlesource.com/537160
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.9@{#75}
Cr-Branched-From: fe9bb7e6e251159852770160cfb21dad3cf03523-refs/heads/5.9.211@{#1}
Cr-Branched-From: 70ad23791a21c0dd7ecef8d4d8dd30ff6fc291f6-refs/heads/master@{#44591}
[modify] https://crrev.com/46949f320860c79d61b5e50ce2fc3f3a2731189c/src/compiler/escape-analysis.cc
[add] https://crrev.com/46949f320860c79d61b5e50ce2fc3f3a2731189c/test/mjsunit/compiler/escape-analysis-17.js

Unfortunately, the fix does not cover all the cases appearing in the wild, so the back-merge was not sufficient. 

I re-evaluated the minidumps, and it seems that the patch we back-merged does not cover the most frequent case. So to significantly reduce crash rates, I expect that we have to back-merge https://chromium-review.googlesource.com/538653

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b618aa8106dc4e1b51e477981437782db5368922

commit b618aa8106dc4e1b51e477981437782db5368922
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Mon Jul 10 17:03:08 2017

[turbofan] restrict infamous escape analysis check to debug builds

This unconditional check caused a lot of canary crashes and recently stable merges while not being necessary for security. For code health and maintenance of Turbofan, it should be sufficient if this is only triggered in Clusterfuzz.

Bug:  chromium:726638 
Change-Id: Ib58d9c18f89939164cae19223fda490addbce007
Reviewed-on: https://chromium-review.googlesource.com/557867
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46532}
[modify] https://crrev.com/b618aa8106dc4e1b51e477981437782db5368922/src/compiler/escape-analysis.cc

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot