Issue 758983 link

Starred by 3 users

Issue metadata

Status:	Fixed
Owner:	jarin@chromium.org
Closed:	Aug 2017
Cc:	bmeu...@chromium.org ahaas@chromium.org rmcilroy@chromium.org jarin@chromium.org
Components:	Blink>JavaScript>Compiler
EstimatedDays:	----
NextAction:	----
OS:	Linux , Windows
Pri:	1
Type:	Bug-Regression
Stability-Crash Arch-x86_64 M-60 Via-Wizard-Javascript

Pages that were working in 59 crash Chrome 60 (geogebra.org applets)

Reported by mich...@geogebra.at, Aug 25 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.59 Safari/537.36

Steps to reproduce the problem:
This page crashes Chrome ("Aw, snap") immediately
https://www.geogebra.org/m/zVZm4KwY

This page crashes Chrome after the animation has run for a few seconds
https://www.geogebra.org/m/teaJZpR3

What is the expected behavior?
Both pages should display interactive applets

What went wrong?
"Aw, snap" error

Did this work before? Yes Chrome 59

Chrome version: 61.0.3163.59  Channel: beta
OS Version: 10.0
Flash Version: Shockwave Flash 26.0 r0

No problems in IE11, Edge, Firefox

Comment 1 by schenney@chromium.org, Aug 25 2017

Components: -Blink Blink>JavaScript
Status: Untriaged (was: Unconfirmed)

Debug stack trace:

#
# Fatal error in ../../v8/src/compiler/representation-change.cc, line 1055
# RepresentationChangerError: node #2521:ConvertTaggedHoleToUndefined of kRepFloat64 (NonInternal) cannot be changed to kRepTagged
#
#0 0x7f09cb79b2cd base::debug::StackTrace::StackTrace()
#1 0x7f09cb79969c base::debug::StackTrace::StackTrace()
#2 0x7f09bcf4ac47 gin::(anonymous namespace)::PrintStackTrace()
#3 0x7f09adafbc6c V8_Fatal()
#4 0x7f09bc6a9acb v8::internal::compiler::RepresentationChanger::TypeError()
#5 0x7f09bc6d1fc1 v8::internal::compiler::RepresentationSelector::ConvertInput()
#6 0x7f09bc6ce9f0 v8::internal::compiler::RepresentationSelector::VisitPhi()
#7 0x7f09bc6c4ca9 v8::internal::compiler::RepresentationSelector::VisitNode()
#8 0x7f09bc6be29c v8::internal::compiler::RepresentationSelector::Run()
#9 0x7f09bc6bdbd8 v8::internal::compiler::SimplifiedLowering::LowerAllNodes()
#10 0x7f09bc6887a0 v8::internal::compiler::PipelineImpl::Run<>()
#11 0x7f09bc685be0 v8::internal::compiler::PipelineImpl::OptimizeGraph()
#12 0x7f09bc685920 v8::internal::compiler::PipelineCompilationJob::ExecuteJobImpl()
#13 0x7f09bc55de31 v8::internal::CompilationJob::ExecuteJob()
#14 0x7f09bc559171 v8::internal::OptimizingCompileDispatcher::CompileNext()
#15 0x7f09bc55a309 v8::internal::OptimizingCompileDispatcher::CompileTask::Run()
#16 0x7f09bcf39b7d _ZN4base8internal13FunctorTraitsIMNS_5TimerEFvvEvE6InvokeIPS2_JEEEvS4_OT_DpOT0_
#17 0x7f09bcf39ac4 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMNS_5TimerEFvvEJPS4_EEEvOT_DpOT0_
#18 0x7f09bcf51df5 _ZN4base8internal7InvokerINS0_9BindStateIMN2v84TaskEFvvEJNS0_12OwnedWrapperIS4_EEEEEFvvEE7RunImplIRKS6_RKNSt3__15tupleIJS8_EEEJLm0EEEEvOT_OT0_NSF_16integer_sequenceImJXspT1_EEEE
#19 0x7f09bcf51d3c _ZN4base8internal7InvokerINS0_9BindStateIMN2v84TaskEFvvEJNS0_12OwnedWrapperIS4_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#20 0x7f09cb746761 _ZNO4base8CallbackIFvvELNS_8internal8CopyModeE0ELNS2_10RepeatModeE0EE3RunEv
#21 0x7f09cb79ff17 base::debug::TaskAnnotator::RunTask()
#22 0x7f09cb9a6ab3 base::internal::TaskTracker::PerformRunTask()
#23 0x7f09cb9a8ae6 base::internal::TaskTrackerPosix::PerformRunTask()
#24 0x7f09cb9a52d3 base::internal::TaskTracker::RunNextTask()
#25 0x7f09cb993f86 base::internal::SchedulerWorker::Thread::ThreadMain()
#26 0x7f09cb9b4c21 base::(anonymous namespace)::ThreadFunc()
#27 0x7f09cbdec184 start_thread
#28 0x7f09b2a25ffd clone
Received signal 4 ILL_ILLOPN 7f09adafe852
#0 0x7f09cb79b2cd base::debug::StackTrace::StackTrace()
#1 0x7f09cb79969c base::debug::StackTrace::StackTrace()
#2 0x7f09cb79ac85 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7f09cbdf4330 <unknown>
#4 0x7f09adafe852 v8::base::OS::Abort()
#5 0x7f09bc6a9acb v8::internal::compiler::RepresentationChanger::TypeError()
#6 0x7f09bc6d1fc1 v8::internal::compiler::RepresentationSelector::ConvertInput()
#7 0x7f09bc6ce9f0 v8::internal::compiler::RepresentationSelector::VisitPhi()
#8 0x7f09bc6c4ca9 v8::internal::compiler::RepresentationSelector::VisitNode()
#9 0x7f09bc6be29c v8::internal::compiler::RepresentationSelector::Run()
#10 0x7f09bc6bdbd8 v8::internal::compiler::SimplifiedLowering::LowerAllNodes()
#11 0x7f09bc6887a0 v8::internal::compiler::PipelineImpl::Run<>()
#12 0x7f09bc685be0 v8::internal::compiler::PipelineImpl::OptimizeGraph()
#13 0x7f09bc685920 v8::internal::compiler::PipelineCompilationJob::ExecuteJobImpl()
#14 0x7f09bc55de31 v8::internal::CompilationJob::ExecuteJob()
#15 0x7f09bc559171 v8::internal::OptimizingCompileDispatcher::CompileNext()
#16 0x7f09bc55a309 v8::internal::OptimizingCompileDispatcher::CompileTask::Run()
#17 0x7f09bcf39b7d _ZN4base8internal13FunctorTraitsIMNS_5TimerEFvvEvE6InvokeIPS2_JEEEvS4_OT_DpOT0_
#18 0x7f09bcf39ac4 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMNS_5TimerEFvvEJPS4_EEEvOT_DpOT0_
#19 0x7f09bcf51df5 _ZN4base8internal7InvokerINS0_9BindStateIMN2v84TaskEFvvEJNS0_12OwnedWrapperIS4_EEEEEFvvEE7RunImplIRKS6_RKNSt3__15tupleIJS8_EEEJLm0EEEEvOT_OT0_NSF_16integer_sequenceImJXspT1_EEEE
#20 0x7f09bcf51d3c _ZN4base8internal7InvokerINS0_9BindStateIMN2v84TaskEFvvEJNS0_12OwnedWrapperIS4_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#21 0x7f09cb746761 _ZNO4base8CallbackIFvvELNS_8internal8CopyModeE0ELNS2_10RepeatModeE0EE3RunEv
#22 0x7f09cb79ff17 base::debug::TaskAnnotator::RunTask()
#23 0x7f09cb9a6ab3 base::internal::TaskTracker::PerformRunTask()
#24 0x7f09cb9a8ae6 base::internal::TaskTrackerPosix::PerformRunTask()
#25 0x7f09cb9a52d3 base::internal::TaskTracker::RunNextTask()
#26 0x7f09cb993f86 base::internal::SchedulerWorker::Thread::ThreadMain()
#27 0x7f09cb9b4c21 base::(anonymous namespace)::ThreadFunc()
#28 0x7f09cbdec184 start_thread
#29 0x7f09b2a25ffd clone
  r8: 00007f099ada0700  r9: 00000000000003b1 r10: 0000000000000000 r11: 0000000000000000
 r12: 00007f09b2ceb868 r13: 000000000000000a r14: 00007f09bcd18365 r15: 000000000000041f
  di: 00007f09b2ceb1c0  si: 00007f09b2cec9d0  bp: 00007f099ad9dbe0  bx: 00007f09bcd1816d
  dx: 0000000000000000  ax: 0000000000000000  cx: abf6ff01afa30900  sp: 00007f099ad9dae8
  ip: 00007f09adafe852 efl: 0000000000010202 cgf: 5f00000000000033 erf: 0000000000000000
 trp: 0000000000000006 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

Comment 2 by hablich@chromium.org, Aug 28 2017

Cc: bmeu...@chromium.org rmcilroy@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Labels: -Pri-2 Stability-Crash OS-Linux Pri-1
Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)

Also repros nicely on https://www.geogebra.org/m/teaJZpR3 and Linux.

Comment 3 by hablich@chromium.org, Aug 28 2017

Cc: ahaas@chromium.org
Labels: M-60

My crash ID: 317a95eecf9e27fd

Comment 4 by jarin@chromium.org, Aug 29 2017

Status: Started (was: Assigned)

Project Member

Comment 5 by bugdroid1@chromium.org, Aug 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a529f128a3c3a704773176f26b1238ee61c37b80

commit a529f128a3c3a704773176f26b1238ee61c37b80
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Tue Aug 29 08:56:07 2017

[turbofan] Retype ConvertTaggedHoleToUndefined in representation selection.

Bug:  chromium:758983 
Change-Id: Iea65c6c6330b4eed0969eee1f8b261e1446771f5
Reviewed-on: https://chromium-review.googlesource.com/640382
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47669}
[modify] https://crrev.com/a529f128a3c3a704773176f26b1238ee61c37b80/src/compiler/operation-typer.cc
[modify] https://crrev.com/a529f128a3c3a704773176f26b1238ee61c37b80/src/compiler/operation-typer.h
[modify] https://crrev.com/a529f128a3c3a704773176f26b1238ee61c37b80/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/a529f128a3c3a704773176f26b1238ee61c37b80/src/compiler/typer.cc
[add] https://crrev.com/a529f128a3c3a704773176f26b1238ee61c37b80/test/mjsunit/compiler/regress-758983.js

Comment 6 by jarin@chromium.org, Aug 29 2017

Status: Fixed (was: Started)

Comment 7 by michael....@gmail.com, Aug 30 2017

Thanks very much for the fast fix!

Confirmed fixed for me in Version 62.0.3200.0 (Official Build) canary (64-bit) on Windows 10

Comment 8 by michael....@gmail.com, Sep 9 2017

Is this fix going to make it into Chrome 61?

I still have the bug in Version 61.0.3163.79 (Official Build) beta (64-bit)

►

Issue 758983 link

Issue metadata

Pages that were working in 59 crash Chrome 60 (geogebra.org applets)

Issue description

Comment 1 by schenney@chromium.org, Aug 25 2017

Comment 1 Deleted

Comment 2 by hablich@chromium.org, Aug 28 2017

Comment 2 Deleted

Comment 3 by hablich@chromium.org, Aug 28 2017

Comment 3 Deleted

Comment 4 by jarin@chromium.org, Aug 29 2017

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org, Aug 29 2017

Comment 5 Deleted

Comment 6 by jarin@chromium.org, Aug 29 2017

Comment 6 Deleted

Comment 7 by michael....@gmail.com, Aug 30 2017

Comment 7 Deleted

Comment 8 by michael....@gmail.com, Sep 9 2017

Comment 8 Deleted

Sign in to add a comment