
Issue 758778


Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


CHECK failure: (old) != nullptr in register-allocator-verifier.cc

Reported by ClusterFuzz (Project Member), Aug 25 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5860644401446912

Fuzzer: libFuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  (old) != nullptr in register-allocator-verifier.cc
  v8::internal::compiler::RegisterAllocatorVerifier::ValidateFinalAssessment
  v8::internal::compiler::RegisterAllocatorVerifier::ValidatePendingAssessment
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=483315:483373

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5860644401446912

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Components: Blink>JavaScript
Labels: Test-Predator-Wrong-CLs M-61
Cc: titzer@chromium.org bradnelson@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Owner: mtrofin@chromium.org
Status: Assigned (was: Untriaged)
Reproduces nicely. Bisects to the following change ...

commit 535a5f962407b92701e04adea709a990f88b4646 (HEAD)
Author: Mircea Trofin <mtrofin@chromium.org>
Date:   Wed Jun 28 18:14:44 2017 -0700

    [wasm] Disabling wasm-opts
    
    It appears we actually get a compile time boost, and sometimes a
    runtime boost, at the cost of some reloc info growth.
    
    Bug:
    Change-Id: I1d1dc48f364e6611f895ebd00f86451199dd8626
    Reviewed-on: https://chromium-review.googlesource.com/544713
    Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
    Reviewed-by: Brad Nelson <bradnelson@chromium.org>
    Reviewed-by: Ben Titzer <titzer@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#46302}
Comment 3 by bugdroid1@chromium.org (Project Member), Aug 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7e8ae6a8f483644bc80ae6f5127cd4327e603d01

commit 7e8ae6a8f483644bc80ae6f5127cd4327e603d01
Author: Mircea Trofin <mtrofin@chromium.org>
Date: Mon Aug 28 23:05:14 2017

[regalloc] Validator: handle aliasing first class.

The validator was trying to finalize virtual register assignments in
phi cases, however, since phis may create aliases, we ended up with
an unnecessarily complex design that was the source of pretty much all
validator bugs since its introduction.

This change embraces the fact that phis may create aliases: pending
assessments (==phis) carry a bag of aliased virtual registers.

Bug: chromium:758778
Change-Id: Ib7ded350a726fbc77e9d0ff3eeda7f00acc4de13
Reviewed-on: https://chromium-review.googlesource.com/639530
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47657}
[modify] https://crrev.com/7e8ae6a8f483644bc80ae6f5127cd4327e603d01/src/compiler/register-allocator-verifier.cc
[modify] https://crrev.com/7e8ae6a8f483644bc80ae6f5127cd4327e603d01/src/compiler/register-allocator-verifier.h

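The commit message above describes the design change in the abstract: instead of forcing a phi to collapse to one virtual register (which is what the failing `(old) != nullptr` CHECK guarded), a pending assessment now carries the set of virtual registers that may legitimately occupy a location. The following is an added toy model of that idea, written for this note; it is not V8's register-allocator-verifier code, and every class, function and sample value in it (`FinalAssessment`, `PendingAssessment`, `validate_strict`, `validate_aliasing`, the vreg numbers) is a constructed illustration. It shows the strict "finalize" approach failing on a loop-header phi whose inputs differ, and the alias-set approach accepting the same use.

```python
"""Toy model of two ways a register-allocation verifier can treat a phi.

Constructed illustration only; not the V8 implementation. The scenario is a
loop header where v3 = phi(v1 from the entry edge, v2 from the back edge),
and the allocator has placed v1, v2 and v3 in the same location r0, so the
phi is a no-op move and r0 genuinely aliases all three virtual registers.
"""
from dataclasses import dataclass


class VerifierCheckFailure(Exception):
    """Stands in for a CHECK() firing inside the verifier."""


@dataclass(frozen=True)
class FinalAssessment:
    """A location is known to hold exactly one virtual register."""
    vreg: int


@dataclass(frozen=True)
class PendingAssessment:
    """A location defined by a phi; it may hold any vreg in `aliases`."""
    phi_output: int
    aliases: frozenset


def phi_assessment(phi_output, inputs):
    """Model the new design: the phi output plus all its inputs are aliases
    of one another at the merge point, so keep the whole bag."""
    return PendingAssessment(phi_output, frozenset({phi_output, *inputs}))


def finalize_strict(pending):
    """Model the old design: try to collapse the phi to a single vreg.
    That only works when every input is the same vreg; otherwise there is
    no single answer, which is the `old == nullptr` situation."""
    if len(pending.aliases) == 1:
        return FinalAssessment(next(iter(pending.aliases)))
    return None


def validate_strict(assessment, expected_vreg):
    """Old behaviour: demand a finalized assessment before comparing.
    Raises when the phi cannot be finalized (the CHECK on this page)."""
    if isinstance(assessment, PendingAssessment):
        final = finalize_strict(assessment)
        if final is None:
            raise VerifierCheckFailure("(old) != nullptr")
        assessment = final
    return assessment.vreg == expected_vreg


def validate_aliasing(assessment, expected_vreg):
    """New behaviour: a use is valid if the vreg it expects is one of the
    aliases the pending assessment carries; no finalization step needed."""
    if isinstance(assessment, PendingAssessment):
        return expected_vreg in assessment.aliases
    return assessment.vreg == expected_vreg


def loop_header_scenario():
    """Constructed sample: r0 at the loop header is v3 = phi(v1, v2)."""
    return phi_assessment(phi_output=3, inputs=[1, 2])


def strict_fails_on_aliasing_phi():
    """Return True if the strict validator trips its CHECK on the sample."""
    try:
        validate_strict(loop_header_scenario(), expected_vreg=1)
    except VerifierCheckFailure:
        return True
    return False


if __name__ == "__main__":
    r0 = loop_header_scenario()
    print("strict validator CHECK-fails:", strict_fails_on_aliasing_phi())
    for vreg in (1, 2, 3, 4):
        print(f"alias validator, use of v{vreg} in r0:",
              validate_aliasing(r0, vreg))
```

The point the model makes is the one the commit message makes: the strict validator has to answer "which single vreg is in r0?", a question that has no answer at a phi with differing inputs, so it asserts; the alias-set validator answers the question it actually needs to answer, "could the vreg this use expects be in r0?", and only rejects a vreg the phi never merged (v4 in the sample).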
Comment 4 by ClusterFuzz (Project Member), Aug 30 2017

ClusterFuzz has detected this issue as fixed in range 498073:498087.

Detailed report: https://clusterfuzz.com/testcase?key=5860644401446912

Fuzzer: libFuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  (old) != nullptr in register-allocator-verifier.cc
  v8::internal::compiler::RegisterAllocatorVerifier::ValidateFinalAssessment
  v8::internal::compiler::RegisterAllocatorVerifier::ValidatePendingAssessment
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=483315:483373
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=498073:498087

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5860644401446912

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 5 by ClusterFuzz (Project Member), Aug 30 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5860644401446912 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
