Issue 752826

Issue metadata

Status: Verified
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, All
Pri: 1
Type: Bug



Fatal error: Tried to combine incompatible truncations

Project Member Reported by ClusterFuzz, Aug 7 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5890918719946752

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  NULL
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=455700:456019

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5890918719946752


Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)
Summary: Fatal error: Tried to combine incompatible truncations (was: <no crash state available>)
This reproduces since we turned on I+TF.
Michi, can you take a look?
Project Member

Comment 2 by ClusterFuzz, Aug 7 2017

Labels: OS-Android
Cc: bmeu...@chromium.org jarin@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Labels: OS-All
Reproduces nicely. Will take a look.
Somewhat cleaned up and minified repro (all three functions are inlined together) ...

// Flags: --allow-natives-syntax
function h(expected, found) {
  for (var i = 0; i < expected.length; ++i) {
    found[i];
  }
}
h([0,1,2,3,4,5,6,7,8,9], new Int8Array(10));
function g() {
  h([], arguments);
}
function f() {
  g(3, 4);
}
f();
%OptimizeFunctionOnNextCall(f);
f();

Cc: tebbi@chromium.org
Fully reduced repro ...

// Flags: --allow-natives-syntax
// assertEquals comes from V8's mjsunit.js test harness.
function h(a) {
  return a[1];
}
assertEquals(0, h(new Int8Array(10)));
assertEquals(0, h(new Int8Array(10)));

function g() {
  return h(arguments);
}
function f() {
  return g(23, 42);
}
assertEquals(42, f());
assertEquals(42, f());
%OptimizeFunctionOnNextCall(f);
assertEquals(42, f());

Project Member

Comment 6 by bugdroid1@chromium.org, Aug 8 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d929cc755c2892832f4e6c9d53bef2890b9733d6

commit d929cc755c2892832f4e6c9d53bef2890b9733d6
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue Aug 08 11:54:51 2017

[turbofan] Fix introduction of contradicting {TypeGuard}.

This avoids introduction of {TypeGuard} nodes during load elimination.
Such a type guard could lead to contradicting type information where a
constant {NumberConstant} node was guarded to have {ExternalPointer}
type, which would lead to an impossible constraint on representation
selection.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-752826
BUG= chromium:752826 

Change-Id: Ida3815af24ccc8a48474b8d66117b9718f61adda
Reviewed-on: https://chromium-review.googlesource.com/605547
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47218}
[modify] https://crrev.com/d929cc755c2892832f4e6c9d53bef2890b9733d6/src/compiler/load-elimination.cc
[add] https://crrev.com/d929cc755c2892832f4e6c9d53bef2890b9733d6/test/mjsunit/regress/regress-crbug-752826.js
[modify] https://crrev.com/d929cc755c2892832f4e6c9d53bef2890b9733d6/test/unittests/compiler/load-elimination-unittest.cc

Status: Fixed (was: Assigned)
Project Member

Comment 8 by ClusterFuzz, Aug 11 2017

ClusterFuzz has detected this issue as fixed in range 493241:493282.

Detailed report: https://clusterfuzz.com/testcase?key=5890918719946752

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  NULL
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=455700:456019
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=493241:493282

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5890918719946752

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Aug 11 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5890918719946752 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment