Fatal error in ../../src/compiler/representation-change.cc
Reported by cwhan.t...@gmail.com, Sep 5 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Steps to reproduce the problem:
```js
function f(x) {
  var x0 = (0 != Math.min(1, 1)) && 1 && 2;
  1.1 != (x || x0);
};
// Warm up f with a float64 argument so the optimizing compiler collects
// number feedback, then call it with a small integer.
for (var i = 0; i < 0x10000; i++)
  f(1.1);
//%OptimizeFunctionOnNextCall(f);
f(1);
```
What is the expected behavior?
No crash.
What went wrong?
Crash with the following error message:
#
# Fatal error in ../../src/compiler/representation-change.cc, line 1059
# RepresentationChangerError: node #46:Phi of kRepFloat64 ((None | Range(1, 2) | HeapConstant(0x218528823f1 <false>))) cannot be changed to kRepTagged
#
Crashes in typing may be a security issue, so I marked this issue as security. But I'm not sure if it actually has a security impact or not.
Did this work before? N/A
Chrome version: 60.0.3112.113 Channel: stable
OS Version: 10.0
Flash Version:
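As an added check, not part of the report or of V8's own regression test, the same reproducer can be wrapped as a differential test: the hot function is warmed with float64 feedback exactly as above, then compared against a plain reference evaluation on inputs of other representations, so a miscompile surfaces as a value mismatch rather than only as a CHECK failure in debug builds. The `%OptimizeFunctionOnNextCall` intrinsic is omitted because it needs `--allow-natives-syntax`; the warm-up loop is relied on instead.

```javascript
// Added differential-test harness around the reporter's reproducer.
// f() is the function from the report, changed only to return its result so
// the optimized tier's answer can be compared with a reference.
function f(x) {
  var x0 = (0 != Math.min(1, 1)) && 1 && 2;   // always evaluates to 2
  return 1.1 != (x || x0);
}

// Reference semantics written out explicitly: (x || x0) falls back to 2 only
// when x is falsy (0, -0, NaN, "" ...), and the result is a loose != against 1.1.
function reference(x) {
  var v = x ? x : 2;
  return v != 1.1;
}

// Warm f() with float64-typed feedback as the report does, then probe it with
// constructed inputs of other representations (Smi, -0, NaN, a string) and
// collect every input where the warmed function disagrees with reference().
function differentialRun(warmupIterations) {
  for (var i = 0; i < warmupIterations; i++) f(1.1);
  var probes = [1, 0, 1.1, 2, NaN, -0, 0.5, "1.1"];   // constructed sample inputs
  var mismatches = [];
  for (var p of probes) {
    var got = f(p), want = reference(p);
    if (got !== want) mismatches.push({ input: p, got: got, want: want });
  }
  return mismatches;   // empty array means no observable miscompile
}
```

On an engine with the fix applied (or on one that crashes instead of miscompiling) `differentialRun(0x10000)` returns an empty array; a non-empty result pinpoints the input representation that was handled wrongly.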
,
Sep 5 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5966083512336384.
Detailed report: https://clusterfuzz.com/testcase?key=5966083512336384
Job Type: linux_asan_d8_dbg
Crash Type: CHECK failure
Crash Address:
Crash State:
  Phi of kRepFloat64 ((None | Range(1, 2) | HeapConstant(ADDRESS <false>))) cannot
  v8::internal::compiler::RepresentationChanger::TypeError
  v8::internal::compiler::RepresentationChanger::GetTaggedRepresentationFor
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=45086:45087
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5966083512336384
See https://github.com/google/clusterfuzz-tools for more information.
,
Sep 5 2017
Detailed report: https://clusterfuzz.com/testcase?key=5544802920955904
Job Type: linux_asan_d8
Crash Type: CHECK failure
Crash Address:
Crash State:
  Phi of kRepFloat64 ((None | Range(1, 2) | HeapConstant(ADDRESS <false>))) cannot
  v8::internal::compiler::RepresentationChanger::TypeError
  v8::internal::compiler::RepresentationChanger::GetTaggedRepresentationFor
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=45086:45087
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5544802920955904
See https://github.com/google/clusterfuzz-tools for more information.
,
Sep 5 2017
I think the bug does not have security impact because we just fail at runtime if we cannot convert from one representation to another because of the types. (In this case, the types are correct, but the chosen representation is wrong.)
,
Sep 5 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/4bce2509a8e0d911ae2b965815387ed595fa8ae0

commit 4bce2509a8e0d911ae2b965815387ed595fa8ae0
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Tue Sep 05 14:48:08 2017

[turbofan] Fix truncation for number feedback.

Checked number is not automatically truncating to float64.

Bug: chromium:761892
Change-Id: I34bd5d7867cd38b2be18cd39a810605603f515e2
Reviewed-on: https://chromium-review.googlesource.com/649513
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47824}

[modify] https://crrev.com/4bce2509a8e0d911ae2b965815387ed595fa8ae0/src/compiler/representation-change.h
[add] https://crrev.com/4bce2509a8e0d911ae2b965815387ed595fa8ae0/test/mjsunit/compiler/regress-761892.js
,
Sep 6 2017
ClusterFuzz has detected this issue as fixed in range 47823:47824.

Detailed report: https://clusterfuzz.com/testcase?key=5966083512336384
Job Type: linux_asan_d8_dbg
Crash Type: CHECK failure
Crash Address:
Crash State:
  Phi of kRepFloat64 ((None | Range(1, 2) | HeapConstant(ADDRESS <false>))) cannot
  v8::internal::compiler::RepresentationChanger::TypeError
  v8::internal::compiler::RepresentationChanger::GetTaggedRepresentationFor
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=45086:45087
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47823:47824
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5966083512336384
See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 12 2017
ClusterFuzz has detected this issue as fixed in range 47823:47824.

Detailed report: https://clusterfuzz.com/testcase?key=5544802920955904
Job Type: linux_asan_d8
Crash Type: CHECK failure
Crash Address:
Crash State:
  Phi of kRepFloat64 ((None | Range(1, 2) | HeapConstant(ADDRESS <false>))) cannot
  v8::internal::compiler::RepresentationChanger::TypeError
  v8::internal::compiler::RepresentationChanger::GetTaggedRepresentationFor
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=45086:45087
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=47823:47824
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5544802920955904
See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 13 2017
ClusterFuzz testcase 5544802920955904 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 16 2017
Thanks for the report! The Chrome VRP panel looked at this and concluded that it is indeed not a security bug. Cheers!