Issue metadata
Sign in to add a comment
|
CHECK failure: LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4960312221761536 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep v8::internal::compiler::RepresentationChanger::TypeError v8::internal::compiler::RepresentationChanger::GetTaggedRepresentationFor Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50780:50781 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4960312221761536 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jan 23 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/d2681aa448233d0990ea73e500f48a213de77a76 ([turbofan] Widen fast-path of Array.p.reduce[Right]). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Jan 23 2018
I guess this needs a TypeGuard to restrict the type to Number.
,
Jan 23 2018
,
Jan 23 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/a9796a1d27185fdd8dc2c70d45712dc62c35f301 commit a9796a1d27185fdd8dc2c70d45712dc62c35f301 Author: Sigurd Schneider <sigurds@chromium.org> Date: Tue Jan 23 17:20:17 2018 [turbofan] Fix typer bug in Array.p.reduce[Right] When finding the initial element in A.p.reduce[Right], we did exclude holes, but did not reflect this is the type, which still included the hole. This CL inserts a TypeGuard to ensure that Turbofan knows the initial element is never the hole. Bug: chromium:804837 Change-Id: Ia118ddafb8e16dd5c02559fa23216c9b139dd59a Reviewed-on: https://chromium-review.googlesource.com/880967 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#50814} [modify] https://crrev.com/a9796a1d27185fdd8dc2c70d45712dc62c35f301/src/compiler/js-call-reducer.cc [add] https://crrev.com/a9796a1d27185fdd8dc2c70d45712dc62c35f301/test/mjsunit/regress/regress-804837.js
,
Jan 23 2018
,
Jan 24 2018
ClusterFuzz has detected this issue as fixed in range 50813:50814. Detailed report: https://clusterfuzz.com/testcase?key=4960312221761536 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep v8::internal::compiler::RepresentationChanger::TypeError v8::internal::compiler::RepresentationChanger::GetTaggedRepresentationFor Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50780:50781 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50813:50814 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4960312221761536 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 24 2018
ClusterFuzz testcase 4960312221761536 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Feb 8 2018
,
May 2 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Jan 23 2018Labels: Test-Predator-Auto-Components