Breakpoint in v8::internal::Invoke
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5747907033825280
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: Breakpoint
Crash Address: 0xcba3d880
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5747907033825280

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Nov 27 2017

Nov 27 2017

Nov 27 2017
Issue 786691 has been merged into this issue.
Nov 29 2017
ClusterFuzz has detected this issue as fixed in range 49666:49667.

Detailed report: https://clusterfuzz.com/testcase?key=5747907033825280
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: Breakpoint
Crash Address: 0xcba3d880
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=49666:49667
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5747907033825280

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 29 2017
ClusterFuzz testcase 5747907033825280 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/2290ad8b55cf683110b45dea4dce098c3e12dd75

commit 2290ad8b55cf683110b45dea4dce098c3e12dd75
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Wed Dec 06 09:16:58 2017

[turbofan] do not remove speculative Number operations when they can deopt

We cannot remove a speculative operation when its type relies on it to deopt. Fix this by only relying on the lowering to remove operations.

Bug: chromium:786521
Change-Id: I2cf45e8d45b76cfeb06e6329f323cade74719124
Reviewed-on: https://chromium-review.googlesource.com/793043
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49882}

[modify] https://crrev.com/2290ad8b55cf683110b45dea4dce098c3e12dd75/src/compiler/simplified-lowering.cc
[add] https://crrev.com/2290ad8b55cf683110b45dea4dce098c3e12dd75/test/mjsunit/compiler/regress-786521.js
Dec 6 2017
The root cause is only fixed by this commit (https://chromium-review.googlesource.com/793043). This can lead to optimized code computing wrong JavaScript values, i.e. it can be possible that we speculatively constant-fold and remove a deopt point, so we continue to compute the speculated value even when the actual inputs violate the assumptions. However, this is rather unlikely and requires static information to contradict collected feedback.
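The failure mode described in the comment above, as an added example that is not V8 code and not this issue's regression test: a self-checking differential harness. Each operation is written twice so that the copy warmed up on one kind of input (and so eligible for optimization with that type feedback) shares no feedback or compiled code with a reference copy that is only ever called cold. If optimized code kept computing a speculated value after its inputs changed kind, the two copies would disagree; on an engine where the root cause is fixed the harness reports no mismatches. The inputs are constructed for this example, and the harness relies on natural tier-up through a hot loop rather than %OptimizeFunctionOnNextCall, so it runs under plain node or d8 without --allow-natives-syntax; under d8 with that flag one would call the intrinsic between the warm-up loop and the violating calls instead.

```javascript
'use strict';

// Fresh closures on every call, so that the two warm-up directions below and
// the "hot" / "ref" copies never share type feedback or optimized code.
function makeCases() {
  return [
    { name: 'unary minus', hot: (x) => -x, ref: (x) => -x },
    { name: 'unary plus', hot: (x) => +x, ref: (x) => +x },
    { name: 'multiply', hot: (x) => x * 2, ref: (x) => x * 2 },
    { name: 'bitwise or', hot: (x) => x | 0, ref: (x) => x | 0 },
  ];
}

// Constructed inputs. Strings mirror the minimized repro, where __v_13 is "";
// the second list is chosen to contradict feedback collected from the first.
const STRING_INPUTS = ['', '1', '42', ' 7 ', '0x10'];
const NON_STRING_INPUTS = [0, -0, 1, 1.5, NaN, true, null, undefined, {}, [], [3]];

// Object.is distinguishes -0 from 0 and treats NaN as equal to itself, which
// === does not; both matter here because -"" is -0 and -{} is NaN.
function sameValue(a, b) {
  return Object.is(a, b);
}

// Warm `c.hot` up on one input kind (uniform feedback, and enough calls for the
// optimizing tier to kick in), then feed it the other kind and compare against
// the cold `c.ref` copy. Returns the disagreements; empty means correct.
function runCase(c, warmupInputs, violatingInputs, iterations) {
  for (let i = 0; i < iterations; i++) {
    c.hot(warmupInputs[i % warmupInputs.length]);
  }
  const mismatches = [];
  for (const input of violatingInputs) {
    const got = c.hot(input);
    const want = c.ref(input);
    if (!sameValue(got, want)) {
      mismatches.push({ op: c.name, input, got, want });
    }
  }
  return mismatches;
}

// Run every operation in both directions: string feedback then non-strings,
// and non-string feedback then strings. Returns all mismatches found.
function checkAll(iterations = 100000) {
  const out = [];
  for (const c of makeCases()) {
    out.push(...runCase(c, STRING_INPUTS, NON_STRING_INPUTS, iterations));
  }
  for (const c of makeCases()) {
    out.push(...runCase(c, NON_STRING_INPUTS, STRING_INPUTS, iterations));
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  const mismatches = checkAll();
  console.log(mismatches.length === 0 ? 'no mismatches' : mismatches);
}
```

The cold reference copy is the same trick V8's own mjsunit regression tests use: the value an unoptimized copy computes is the JavaScript semantics, and the optimized copy must agree with it after feedback is violated.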
Comment 1 by titzer@chromium.org, Nov 22 2017
Status: Assigned (was: Untriaged)

Seems like a TurboFan issue. I further minimized this bug to:

    // Run with: d8 --allow-natives-syntax (required for %OptimizeFunctionOnNextCall)
    var __v_13 = "";
    function __f_1() {
      -__v_13;  // unary minus on the empty string; the result is unused
    }
    __f_1();                            // collect type feedback
    %OptimizeFunctionOnNextCall(__f_1);
    __f_1();                            // run the TurboFan-optimized code