Fatal error: Tried to combine incompatible truncations
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5890918719946752
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: Fatal error
Crash Address:
Crash State: NULL
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=455700:456019
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5890918719946752

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Aug 7 2017

Aug 8 2017
Reproduces nicely. Will take a look.

Aug 8 2017
Somewhat cleaned up and minified repro (all three functions are inlined together) ...
// Flags: --allow-natives-syntax (needed for %OptimizeFunctionOnNextCall)
function h(expected, found) {
  for (var i = 0; i < expected.length; ++i) {
    found[i];
  }
}
h([0,1,2,3,4,5,6,7,8,9], new Int8Array(10));
function g() {
  h([], arguments);
}
function f() {
  g(3, 4);
}
f();
%OptimizeFunctionOnNextCall(f);
f();

Aug 8 2017
Fully reduced repro ...
// Flags: --allow-natives-syntax (needed for %OptimizeFunctionOnNextCall)
// assertEquals is provided by the mjsunit test harness.
function h(a) {
  return a[1];
}
assertEquals(0, h(new Int8Array(10)));
assertEquals(0, h(new Int8Array(10)));
function g() {
  return h(arguments);
}
function f() {
  return g(23, 42);
}
assertEquals(42, f());
assertEquals(42, f());
%OptimizeFunctionOnNextCall(f);
assertEquals(42, f());

Aug 8 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d929cc755c2892832f4e6c9d53bef2890b9733d6

commit d929cc755c2892832f4e6c9d53bef2890b9733d6
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue Aug 08 11:54:51 2017

    [turbofan] Fix introduction of contradicting {TypeGuard}.

    This avoids introduction of {TypeGuard} nodes during load elimination.
    Such a type guard could lead to contradicting type information where a
    constant {NumberConstant} node was guarded to have {ExternalPointer}
    type, which would lead to an impossible constraint on representation
    selection.

    R=jarin@chromium.org
    TEST=mjsunit/regress/regress-crbug-752826
    BUG= chromium:752826

    Change-Id: Ida3815af24ccc8a48474b8d66117b9718f61adda
    Reviewed-on: https://chromium-review.googlesource.com/605547
    Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
    Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#47218}

[modify] https://crrev.com/d929cc755c2892832f4e6c9d53bef2890b9733d6/src/compiler/load-elimination.cc
[add] https://crrev.com/d929cc755c2892832f4e6c9d53bef2890b9733d6/test/mjsunit/regress/regress-crbug-752826.js
[modify] https://crrev.com/d929cc755c2892832f4e6c9d53bef2890b9733d6/test/unittests/compiler/load-elimination-unittest.cc

Aug 8 2017

Aug 11 2017
ClusterFuzz has detected this issue as fixed in range 493241:493282.

Detailed report: https://clusterfuzz.com/testcase?key=5890918719946752
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: Fatal error
Crash Address:
Crash State: NULL
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=455700:456019
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=493241:493282
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5890918719946752

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Aug 11 2017
ClusterFuzz testcase 5890918719946752 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by clemensh@chromium.org, Aug 7 2017
Status: Assigned (was: Untriaged)
Summary: Fatal error: Tried to combine incompatible truncations (was: <no crash state available>)