DCHECK failure in op->opcode() == IrOpcode::kStateValues || op->opcode() == IrOpcode::kTypedStateV
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6376266153066496
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7fea45b56c68
Crash State:
  v8::internal::compiler::SparseInputMask::InputIterator::IsReal
  v8::internal::compiler::StateValuesAccess::iterator::operator*
  v8::internal::compiler::JSCreateLowering::AllocateArguments
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=538367:538368
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6376266153066496
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Mar 6 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4967059264634880.
Mar 6 2018
Reuploaded with a d8 job for a narrower regression range.
Mar 6 2018
Mar 6 2018
Detailed report: https://clusterfuzz.com/testcase?key=4967059264634880
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  op->opcode() == IrOpcode::kStateValues || op->opcode() == IrOpcode::kTypedStateV
  v8::internal::compiler::SparseInputMaskOf
  v8::internal::compiler::StateValuesAccess::iterator::iterator
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=51425:51426
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4967059264634880
See https://github.com/google/clusterfuzz-tools for more information.
Mar 6 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/fb0144f6f91ba7028819d6c2d3c00eb508254693 ([turbofan] Move Math.* builtins to JSCallReducer). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Mar 7 2018
Mar 7 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 7 2018
Mar 7 2018
@tebbi, could you please take a look, too? Preliminary investigation shows that there is a kDeadValue as input to a FrameState.
Mar 7 2018
This is also happening if the critical comparison is replaced with 5 != String.fromCharCode(__v_4). String.fromCharCode wasn't touched by my CL. I've reuploaded the modified test-case at https://clusterfuzz.com/v2/testcase-detail/5385707712151552
Mar 7 2018
Detailed report: https://clusterfuzz.com/testcase?key=6219870891671552
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  op->opcode() == IrOpcode::kStateValues || op->opcode() == IrOpcode::kTypedStateV
  v8::internal::compiler::SparseInputMaskOf
  v8::internal::compiler::StateValuesAccess::iterator::iterator
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6219870891671552
See https://github.com/google/clusterfuzz-tools for more information.
Mar 7 2018
The above repro is not using Math functions.
Mar 7 2018
Further investigation shows that the typer assigns Type::None to a SpeculativeToNumber operation that the transformation introduced by my CL in the regression range introduces. Type::None causes dead variable elimination to assume the node is dead.
Mar 7 2018
OK, here is my understanding of what is happening: The code contains an application of Math.abs to a function literal, which always deopts. My CL lowers that Math.abs (or String.fromCharCode, which also expects a number) to a SpeculativeToNumber#228 conversion and the appropriate simplified operator that Math.abs. Subsequently, the typer figures out that the SpeculativeToNumber can never succeed (as its argument is a function literal) and assigns Type::None. This in turn triggers dead code elimination to turn #228 into dead value, and propagate it down to the first input of FrameState#817. JSCreateLowering then discovers FrameState#817 and triggers the DCHECK because it does not expect a FrameState to have a dead value input. What I cannot determine at the moment is why dead code elimination does not propagate kDeadValue further before JSCreateLowering starts reducing. I'll work with @tebbi to fix this ASAP, but he should lead the investigation.
Mar 8 2018
The problem is that JSCallReducer runs at the same time as DeadCodeElimination and hence observes an incompletely propagated DeadValue in its FrameState input. Possible solutions are:
- Abort the reduction in this case, because the call node is going to be eliminated anyway.
- Do not propagate DeadValue over StateValue nodes.
- Change the graph reducer to propagate DeadValue with higher priority than any other reducer.
To keep the fix simple, I think I'm going for the first option.
Mar 8 2018
Thanks for looking into this, @tebbi!
Mar 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/221173eaa222a23041f00f02ad9da812d1027e49
commit 221173eaa222a23041f00f02ad9da812d1027e49
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Thu Mar 08 13:42:02 2018

[turbofan] handle DeadValue in JSCreateArguments lowering

JSCallReducer runs at the same time as DeadCodeElimination and hence can observe an incompletely propagated DeadValue in place of a StateValue node holding the arguments to materialize for JSCreateArguments. This CL fixes this by aborting the lowering of JSCreateArguments in this case.

Bug: chromium:819311 v8:7536
Change-Id: I42c4a1923e3dbe470db1a16c5069aaa7c38659ac
Reviewed-on: https://chromium-review.googlesource.com/955306
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51808}
[modify] https://crrev.com/221173eaa222a23041f00f02ad9da812d1027e49/src/compiler/js-create-lowering.cc
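The "abort the reduction" fix chosen in the comments above, as an added C++ sketch that is not V8's code: the `Node`/`Opcode` types, `StateValueCount` and `ReduceCreateArguments` are simplified stand-ins for TurboFan's graph, StateValuesAccess and the JSCreateArguments lowering, assumed here only for illustration.

```cpp
#include <cstddef>
#include <optional>
#include <vector>

// Simplified stand-ins for the TurboFan opcodes named in this thread.
enum class Opcode { kStateValues, kTypedStateValues, kDeadValue,
                    kNumberConstant, kFrameState };

struct Node {
  Opcode opcode;
  std::vector<const Node*> inputs;
};

// Stand-in for StateValuesAccess. Assumption (differs from V8, which
// DCHECKs): a node that is not (Typed)StateValues yields nullopt.
std::optional<std::size_t> StateValueCount(const Node* n) {
  if (n->opcode != Opcode::kStateValues &&
      n->opcode != Opcode::kTypedStateValues) {
    return std::nullopt;
  }
  return n->inputs.size();
}

// Stand-in for the JSCreateArguments lowering. The FrameState's first input
// holds the parameters to materialize. If DeadCodeElimination has already
// replaced it with DeadValue, abort (return false, i.e. NoChange) instead of
// iterating over a node that is not a StateValues node.
bool ReduceCreateArguments(const Node* frame_state, std::size_t* argc_out) {
  const Node* params = frame_state->inputs.at(0);
  std::optional<std::size_t> argc = StateValueCount(params);
  if (!argc) return false;  // the call node will be eliminated anyway
  *argc_out = *argc;
  return true;
}

// Healthy FrameState: two materializable parameters.
bool LiveCaseReduces() {
  Node a{Opcode::kNumberConstant, {}}, b{Opcode::kNumberConstant, {}};
  Node sv{Opcode::kStateValues, {&a, &b}};
  Node fs{Opcode::kFrameState, {&sv}};
  std::size_t argc = 0;
  return ReduceCreateArguments(&fs, &argc) && argc == 2;
}

// FrameState whose parameter input was turned into DeadValue mid-propagation.
bool DeadCaseAborts() {
  Node dead{Opcode::kDeadValue, {}};
  Node fs{Opcode::kFrameState, {&dead}};
  std::size_t argc = 0;
  return !ReduceCreateArguments(&fs, &argc);
}
```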
Mar 8 2018
Mar 9 2018
ClusterFuzz has detected this issue as fixed in range 51807:51808.
Detailed report: https://clusterfuzz.com/testcase?key=4967059264634880
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  op->opcode() == IrOpcode::kStateValues || op->opcode() == IrOpcode::kTypedStateV
  v8::internal::compiler::SparseInputMaskOf
  v8::internal::compiler::StateValuesAccess::iterator::iterator
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=51425:51426
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=51807:51808
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4967059264634880
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 10 2018
ClusterFuzz has detected this issue as fixed in range 542098:542101.
Detailed report: https://clusterfuzz.com/testcase?key=6376266153066496
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7fea45b56c68
Crash State:
  v8::internal::compiler::SparseInputMask::InputIterator::IsReal
  v8::internal::compiler::StateValuesAccess::iterator::operator*
  v8::internal::compiler::JSCreateLowering::AllocateArguments
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=538367:538368
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=542098:542101
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6376266153066496
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 10 2018
ClusterFuzz testcase 6376266153066496 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 10 2018
Mar 28 2018
Mar 28 2018
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 29 2018
Merge approved: branch:3359
Apr 2 2018
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 3 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b812e7f3e230ee562501be4f284a0e8878ed8d97
commit b812e7f3e230ee562501be4f284a0e8878ed8d97
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Tue Apr 03 07:32:55 2018

Version 6.6.346.19 (cherry-pick)

Merged 221173eaa222a23041f00f02ad9da812d1027e49

[turbofan] handle DeadValue in JSCreateArguments lowering

R=jarin@chromium.org

Bug: chromium:819311 , v8:7536
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I76b1c0d067cca47abb92e2f14b516e6414c6a86a
Reviewed-on: https://chromium-review.googlesource.com/991473
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.6@{#37}
Cr-Branched-From: d500271571b92cb18dcd7b15885b51e8f437d640-refs/heads/6.6.346@{#1}
Cr-Branched-From: 265ef0b635f8761df7c89eb4e8ec9c1a6ebee184-refs/heads/master@{#51624}
[modify] https://crrev.com/b812e7f3e230ee562501be4f284a0e8878ed8d97/include/v8-version.h
[modify] https://crrev.com/b812e7f3e230ee562501be4f284a0e8878ed8d97/src/compiler/js-create-lowering.cc
Apr 3 2018
Apr 10 2018
Apr 11 2018
Jun 16 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot