
Issue 798938


Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug




Breakpoint in v8::internal::Invoke

Project Member Reported by ClusterFuzz, Jan 4 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6217958337806336

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Breakpoint
Crash Address: 0x45af2080
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=50339:50340

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6217958337806336

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jan 4 2018

Labels: Test-Predator-Auto-Owner
Owner: tebbi@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/8de3a3bcf9d3e59afdcbf7309561c5f09e27ceae ([turbofan] add value input to DeadValue).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Project Member

Comment 2 by bugdroid1@chromium.org, Jan 4 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9e2d001e864e94059d4f7763fec1752dc3eb4330

commit 9e2d001e864e94059d4f7763fec1752dc3eb4330
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Thu Jan 04 11:25:41 2018

Revert "[turbofan] add value input to DeadValue" and "[turbofan] add regression test for chromium:796041"

This reverts
https://chromium-review.googlesource.com/c/v8/v8/+/848995
and
https://chromium-review.googlesource.com/c/v8/v8/+/847011

Bug: chromium:798938
Change-Id: I4be8e5bca77037a278fd9882f0d76de1ae12c23f
TBR: jarin@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/849995
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50356}
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/common-operator.cc
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/common-operator.h
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/dead-code-elimination.cc
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/dead-code-elimination.h
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/instruction-selector-impl.h
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/instruction-selector.cc
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/instruction-selector.h
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/js-graph.cc
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/js-graph.h
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/representation-change.cc
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/typer.cc
[modify] https://crrev.com/9e2d001e864e94059d4f7763fec1752dc3eb4330/src/compiler/verifier.cc
[delete] https://crrev.com/4b107b9ec9bd43f0103d1365e70ace60c3b86638/test/mjsunit/compiler/regress-796041.js

Project Member

Comment 3 by bugdroid1@chromium.org, Jan 4 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6328c56570baea725a342ce460aa16ddf04df247

commit 6328c56570baea725a342ce460aa16ddf04df247
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Thu Jan 04 13:15:06 2018

Reland "[turbofan] add value input to DeadValue"

DeadValue was a constant node of type None. This is unsound in the
presence of re-scheduling. This CL adds a value input to DeadValue,
which preserves the dependency on the original node of type None.

This reland addresses the bug that the EffectControlLinearizer could destroy dependencies of DeadValue by attaching DeadValue nodes to the effect chain in the EffectControlLinearizer.

Bug: chromium:796041 chromium:798938
Change-Id: If47b54a7986d257eb63b437f855769b503679ff5
Reviewed-on: https://chromium-review.googlesource.com/850392
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50360}
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/common-operator.cc
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/common-operator.h
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/dead-code-elimination.cc
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/dead-code-elimination.h
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/effect-control-linearizer.h
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/graph-assembler.cc
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/graph-assembler.h
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/instruction-selector-impl.h
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/instruction-selector.cc
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/instruction-selector.h
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/js-graph.cc
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/js-graph.h
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/representation-change.cc
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/typer.cc
[modify] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/src/compiler/verifier.cc
[add] https://crrev.com/6328c56570baea725a342ce460aa16ddf04df247/test/mjsunit/compiler/regress-796041.js

Project Member

Comment 4 by ClusterFuzz, Jan 5 2018

ClusterFuzz has detected this issue as fixed in range 50355:50356.

Detailed report: https://clusterfuzz.com/testcase?key=6217958337806336

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Breakpoint
Crash Address: 0x45af2080
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=50339:50340
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=50355:50356

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6217958337806336

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Jan 5 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6217958337806336 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
