Issue 820820

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Null-dereference READ in type

Reported by ClusterFuzz (Project Member), Mar 11 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5643261801398272

Fuzzer: ochang_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  type
  GetType
  v8::internal::compiler::MayAlias
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=51701:51702

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5643261801398272

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Mar 11 2018

Components: Blink>JavaScript>Compiler
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Mar 11 2018

Labels: Test-Predator-Auto-Owner
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/956ac923e6b39da166aa58237bb679aba4dc1fd5 ([turbofan] Connect non-returning runtime calls to end.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by bugdroid1@chromium.org (Project Member), Mar 13 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/022e1a5f940c0b38463d8a19cce5fd19af4777b4

commit 022e1a5f940c0b38463d8a19cce5fd19af4777b4
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Tue Mar 13 06:27:13 2018

[turbofan] Properly deal with killed nodes in LoadElimination.

Depending on visitation order the LoadElimination might find memoized
nodes in its state tables that were killed by other reducers in the
meantime. The LoadElimination must just ignore those stale entries.

Bug: chromium:820820
Change-Id: Ia62e401ff77da547ed215a14074e70aeb5c3a766
Reviewed-on: https://chromium-review.googlesource.com/958843
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51892}
[modify] https://crrev.com/022e1a5f940c0b38463d8a19cce5fd19af4777b4/src/compiler/load-elimination.cc
[modify] https://crrev.com/022e1a5f940c0b38463d8a19cce5fd19af4777b4/src/compiler/load-elimination.h
[add] https://crrev.com/022e1a5f940c0b38463d8a19cce5fd19af4777b4/test/mjsunit/regress/regress-crbug-820820.js

Status: Fixed (was: Assigned)

Comment 5 by ClusterFuzz (Project Member), Mar 20 2018

Labels: Needs-Feedback
ClusterFuzz testcase 5643261801398272 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add the ClusterFuzz-Wrong label.
