New issue
Advanced search Search tips

Issue 797596 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

DCHECK failure in IrOpcode::kMerge == control->opcode() in node-properties.cc

Project Member Reported by ClusterFuzz, Dec 26 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6142269672652800

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  IrOpcode::kMerge == control->opcode() in node-properties.cc
  v8::internal::compiler::NodeProperties::InferReceiverMaps
  v8::internal::compiler::JSNativeContextSpecialization::InferReceiverMaps
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50283:50284

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6142269672652800

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Dec 26 2017

Components: Blink>JavaScript>Compiler
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Dec 26 2017

Labels: Test-Predator-Auto-Owner
Owner: ca...@igalia.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/dcd60e8c554690aa884347762132b1e8a27da0fc ([turbofan] Reduce ArrayIteratorNext based on instance type).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 3 by ca...@igalia.com, Dec 26 2017

Cc: bmeu...@chromium.org
Owner: caitp@chromium.org
I thought this DCHECK seemed suspicious :) Benedikt, is there another control op that can reasonably be expected here (Like Start)?

Comment 4 by caitp@chromium.org, Dec 26 2017

i guess in this case its Dead, and I didn’t re-add the dead handling from the first patchset. I’ll send a patch tomorrow
Project Member

Comment 5 by sheriffbot@chromium.org, Dec 26 2017

Labels: Pri-1
It's Dead. Yeah we need to handle that as well, as it can indeed appear depending on the visitation order. Here's a sort of minimized repro:

========================================================================
// Flags: --allow-natives-syntax --expose-gc

var assertSame;
function bar() {
  var o = {
    func(x) {
      return 'func';
    }
  };
  gc();
  function baz() {
    const args = [11];
    try {
      Object.defineProperty(o, o.func(), {get: function() {}});
    } catch (e) {
    }
    for (let i = 0; i < args.length; ++i) {
      try {
        assertSame(args[i]);
      } catch (e) {
      }
    }
  }
  function foo() {
    try { baz(); } catch (e) { }
  }
  foo();
  %OptimizeFunctionOnNextCall(foo);
  foo();
}
bar();
bar();
========================================================================

You might be able to construct a simpler repro yourself.
Project Member

Comment 7 by bugdroid1@chromium.org, Dec 27 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/007f90ba9b331e4d3a8186799b098bec9b521b0a

commit 007f90ba9b331e4d3a8186799b098bec9b521b0a
Author: Caitlin Potter <caitp@igalia.com>
Date: Wed Dec 27 22:14:41 2017

[turbofan] handle dead effect-phi control op in InferReceiverMaps

Add an early exit if the control op is Dead to prevent failing the
DCHECK.

BUG= chromium:797596 , v8:5940,  v8:3018 
R=bmeurer@chromium.org, jarin@chromium.org

Change-Id: I6090380ea69c3205740b6c7a41d7c066d18d6a9f
Reviewed-on: https://chromium-review.googlesource.com/844978
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50312}
[modify] https://crrev.com/007f90ba9b331e4d3a8186799b098bec9b521b0a/src/compiler/node-properties.cc
[add] https://crrev.com/007f90ba9b331e4d3a8186799b098bec9b521b0a/test/mjsunit/compiler/regress-797596.js

Project Member

Comment 8 by ClusterFuzz, Dec 28 2017

ClusterFuzz has detected this issue as fixed in range 50311:50312.

Detailed report: https://clusterfuzz.com/testcase?key=6142269672652800

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  IrOpcode::kMerge == control->opcode() in node-properties.cc
  v8::internal::compiler::NodeProperties::InferReceiverMaps
  v8::internal::compiler::JSNativeContextSpecialization::InferReceiverMaps
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50283:50284
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50311:50312

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6142269672652800

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Dec 28 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6142269672652800 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by sheriffbot@chromium.org, Dec 28 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 11 by sheriffbot@chromium.org, Apr 5 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment