Issue 796495


Issue metadata

Status: Duplicate
Merged: issue 728979
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug




Stack-overflow in v8::internal::compiler::RepresentationSelector::RunTruncationPropagationPhase

Reported by ClusterFuzz (Project Member), Dec 20 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6692448675037184

Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Stack-overflow
Crash Address: 0x00402000
Crash State:
  v8::internal::compiler::RepresentationSelector::RunTruncationPropagationPhase
  v8::internal::compiler::RepresentationSelector::Run
  v8::internal::compiler::SimplifiedLowering::LowerAllNodes
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=50166:50167

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6692448675037184

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by ClusterFuzz (Project Member), Dec 20 2017

Components: Blink>JavaScript>Compiler
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Dec 20 2017

Labels: Test-Predator-Auto-Owner
Owner: sigurds@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/0298df882b39e2f2d2e2a5d41917d515accc36e8 ([turbofan] Add feedback to CheckSmi).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

jkummerow@ showed me that this issue can be reproduced on Linux with the build options from clusterfuzz and after setting ASAN_OPTIONS and stack limit accordingly:

$ export ASAN_OPTIONS="redzone=128:external_symbolizer_path="`pwd`/third_party/llvm-build/Release+Asserts/bin/llvm-symbolizer":symbolize=1:handle_sigill=1:handle_segv=1:use_sigaltstack=1:strict_memcmp=0:allow_user_segv_handler=0:coverage=0:fast_unwind_on_fatal=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:detect_leaks=0:print_scariness=1:allocator_may_return_null=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=0:quarantine_size_mb=100:detect_odr_violation=0:malloc_context_size=128:print_summary=1"

$ ulimit -s 1014

$ out.gn/x86.release.asan/d8 --random-seed=-1665162253 --invoke-weak-callbacks clusterfuzz.js

Investigating.
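
The Linux repro steps above, as an added example that is not from the bug thread: a script that runs d8 with the posted ASAN_OPTIONS and stack limit and reduces the resulting ASAN report to ClusterFuzz's "Crash Type" plus the first three frames of its "Crash State", so a local run can be compared against the report. V8_DIR, the d8 output path and the clusterfuzz.js filename are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug thread. Assumptions: V8_DIR is a V8 checkout
# with the ASAN d8 build named in the comment (out.gn/x86.release.asan/d8) and
# the downloaded testcase is saved next to this script as clusterfuzz.js.
V8_DIR="${V8_DIR:-.}"

# Read an AddressSanitizer report on stdin; print the crash kind and the first
# three symbolized frames, one per line, in the shape ClusterFuzz reports them.
crash_state() {
  awk '
    /^==[0-9]+==ERROR: AddressSanitizer: / {
      # third field is the crash kind, e.g. "stack-overflow"
      print "Crash Type: " $3
    }
    /^ *#[0-9]+ 0x[0-9a-fA-F]+ in / && n < 3 {
      f = $0
      sub(/^ *#[0-9]+ 0x[0-9a-fA-F]+ in /, "", f)   # drop frame index and pc
      sub(/[( ].*$/, "", f)                         # drop signature and location
      print "  " f
      n++
    }'
}

# Reproduce with the ASAN options and the 1014 KiB stack limit from the
# comment; the limit is lowered in a subshell so the calling shell keeps its own.
repro() {
  ASAN_OPTIONS="redzone=128:external_symbolizer_path=$V8_DIR/third_party/llvm-build/Release+Asserts/bin/llvm-symbolizer:symbolize=1:handle_sigill=1:handle_segv=1:use_sigaltstack=1:strict_memcmp=0:allow_user_segv_handler=0:coverage=0:fast_unwind_on_fatal=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:detect_leaks=0:print_scariness=1:allocator_may_return_null=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=0:quarantine_size_mb=100:detect_odr_violation=0:malloc_context_size=128:print_summary=1"
  export ASAN_OPTIONS
  (
    ulimit -s 1014
    exec "$V8_DIR/out.gn/x86.release.asan/d8" --random-seed=-1665162253 \
      --invoke-weak-callbacks clusterfuzz.js
  ) 2>&1 | crash_state
}

# Usage: sh repro.sh repro   (with V8_DIR set to the checkout)
if [ "${1:-}" = "repro" ]; then
  repro
fi
```

Compare the printed frames with the Crash State in the report; a match on the three frames is what ClusterFuzz uses to decide that a local crash is the same testcase.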

Mergedinto: 728979
Status: Duplicate (was: Assigned)

Comment 5 by ClusterFuzz (Project Member), Dec 3

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 6692448675037184 appears to be flaky, updating reproducibility label.
