New issue
Advanced search Search tips

Issue 804837 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

CHECK failure: LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep

Project Member Reported by ClusterFuzz, Jan 23 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4960312221761536

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep
  v8::internal::compiler::RepresentationChanger::TypeError
  v8::internal::compiler::RepresentationChanger::GetTaggedRepresentationFor
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50780:50781

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4960312221761536

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jan 23 2018

Components: Blink>JavaScript>Compiler
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jan 23 2018

Labels: Test-Predator-Auto-Owner
Owner: sigurds@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/d2681aa448233d0990ea73e500f48a213de77a76 ([turbofan] Widen fast-path of Array.p.reduce[Right]).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: jarin@chromium.org
I guess this needs a TypeGuard to restrict the type to Number.
Project Member

Comment 4 by sheriffbot@chromium.org, Jan 23 2018

Labels: Pri-1
Project Member

Comment 5 by bugdroid1@chromium.org, Jan 23 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a9796a1d27185fdd8dc2c70d45712dc62c35f301

commit a9796a1d27185fdd8dc2c70d45712dc62c35f301
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Tue Jan 23 17:20:17 2018

[turbofan] Fix typer bug in Array.p.reduce[Right]

When finding the initial element in A.p.reduce[Right], we did
exclude holes, but did not reflect this is the type, which still
included the hole. This CL inserts a TypeGuard to ensure that
Turbofan knows the initial element is never the hole.

Bug:  chromium:804837 
Change-Id: Ia118ddafb8e16dd5c02559fa23216c9b139dd59a
Reviewed-on: https://chromium-review.googlesource.com/880967
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50814}
[modify] https://crrev.com/a9796a1d27185fdd8dc2c70d45712dc62c35f301/src/compiler/js-call-reducer.cc
[add] https://crrev.com/a9796a1d27185fdd8dc2c70d45712dc62c35f301/test/mjsunit/regress/regress-804837.js

Comment 6 by mea...@chromium.org, Jan 23 2018

Labels: Security_Impact-Head
Project Member

Comment 7 by ClusterFuzz, Jan 24 2018

ClusterFuzz has detected this issue as fixed in range 50813:50814.

Detailed report: https://clusterfuzz.com/testcase?key=4960312221761536

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep
  v8::internal::compiler::RepresentationChanger::TypeError
  v8::internal::compiler::RepresentationChanger::GetTaggedRepresentationFor
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50780:50781
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50813:50814

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4960312221761536

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Jan 24 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4960312221761536 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 9 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 10 by sheriffbot@chromium.org, May 2 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment