
Issue metadata

Status: Verified
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

DCHECK failure in IsTyped(node) in node-properties.h

Reported by ClusterFuzz (Project Member), Nov 13 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5420818766233600

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  IsTyped(node) in node-properties.h
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=49327:49328

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5420818766233600

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Nov 13 2017

Labels: Test-Predator-Auto-Owner
Owner: mvstan...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/f010b28fbe3d117519720aa94ca9e56d3b913d1b ([TurboFan] Diagnostic code to track down bug in representation selection).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 2 by est...@chromium.org, Nov 13 2017

Labels: Security_Impact-Head M-64
Status: Fixed (was: Assigned)
Reverted CL that caused it.

commit ebe6d7a97f962c18595a2a1efaa93fa1c5ede604 (HEAD -> master, origin/master, origin/HEAD)
Author: Michael Stanton <mvstanton@chromium.org>
Date:   Tue Nov 14 09:26:37 2017 +0000

    Revert "[TurboFan] Diagnostic code to track down bug in representation selection"
    
    This reverts commit f010b28fbe3d117519720aa94ca9e56d3b913d1b.
    
    Reason for revert: Introduces a clusterfuzz issue and Canary crash
    
    Original change's description:
    > [TurboFan] Diagnostic code to track down bug in representation selection
    >
    > We need to characterize the types of dead (IrOpcode::kDead) nodes
    > introduced in compilation phases prior to representation selection.
    > Normally, a dead node isn't expected at the start of this phase. The
    > question is, which phase introduced the dead node and failed to
    > deal with it properly?
    >
    > Bug: chromium:780658
    > Change-Id: Ief5b45480bb7d704a2d09dafd60b5d389e0fd42e
    > Reviewed-on: https://chromium-review.googlesource.com/765968
    > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
    > Commit-Queue: Michael Stanton <mvstanton@chromium.org>
    > Cr-Commit-Position: refs/heads/master@{#49328}
    
    TBR=mvstanton@chromium.org,mstarzinger@chromium.org
    
    Change-Id: I5d628eb1de630ce4a353b6ef0f80fd74ad740f17
    No-Presubmit: true
    No-Tree-Checks: true
    No-Try: true
    Bug: chromium:780658
    Reviewed-on: https://chromium-review.googlesource.com/768747
    Reviewed-by: Michael Stanton <mvstanton@chromium.org>
    Commit-Queue: Michael Stanton <mvstanton@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#49347}


Comment 4 by sheriffbot@chromium.org (Project Member), Nov 14 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 5 by ClusterFuzz (Project Member), Nov 14 2017

Components: Blink>JavaScript>Compiler
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 6 by ClusterFuzz (Project Member), Nov 15 2017

ClusterFuzz has detected this issue as fixed in range 49346:49347.

Detailed report: https://clusterfuzz.com/testcase?key=5420818766233600

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  IsTyped(node) in node-properties.h
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=49327:49328
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=49346:49347

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5420818766233600

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz (Project Member), Nov 15 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5420818766233600 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by sheriffbot@chromium.org (Project Member), Feb 20

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by sheriffbot@chromium.org (Project Member), Mar 27

Labels: -Security_Impact-Head -M-64 M-65 Security_Impact-Stable

Comment 10 by sheriffbot@chromium.org (Project Member), Jul 28

Labels: Pri-1