Issue 854050

Issue metadata

Status: Verified
Owner:
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




DCHECK failure in is_used(reg) in liftoff-assembler.h

Project Member Reported by ClusterFuzz, Jun 19 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5097133477462016

Fuzzer: binaryen_wasm_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  is_used(reg) in liftoff-assembler.h
  v8::internal::wasm::LiftoffAssembler::CacheState::dec_used
  v8::internal::wasm::LiftoffAssembler::Spill
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=52986:52987

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5097133477462016

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jun 19 2018

Components: Blink>JavaScript>WebAssembly
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jun 19 2018

Labels: Test-Predator-Auto-Owner
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/5d11921320c090d4efc674367155a955903af373 ([Liftoff] Stage Liftoff and tier up behind --future).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 3 by sheriffbot@chromium.org, Jun 19 2018

Labels: Pri-1
Project Member

Comment 4 by ClusterFuzz, Jun 21 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5882955910873088.
Project Member

Comment 5 by ClusterFuzz, Jun 21 2018

Detailed report: https://clusterfuzz.com/testcase?key=5882955910873088

Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  is_used(reg) in liftoff-assembler.h
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=52062:52063

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5882955910873088

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 6 by bugdroid1@chromium.org, Jun 22 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ada648006b0cee0808ed0dec5d2c2c9145b708a6

commit ada648006b0cee0808ed0dec5d2c2c9145b708a6
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Fri Jun 22 15:40:52 2018

[Liftoff] Fix register use count

In {SetLocalFromStackSlot}, we decrement the use count of the register
in the target slot without updating this slot, and then call
{GetUnusedRegister}. At that point, the register use counts do not
match the cache state, which leads to errors later on.
This CL fixes this by marking the target slot as a stack slot after
reducing the register use count.

It also adds a Validation which helped to find that error and will
catch similar errors earlier.

R=titzer@chromium.org

Bug:  chromium:854050 , v8:6600
Change-Id: I74d3a5aa947ec4247d7b4557567f642bf4082316
Reviewed-on: https://chromium-review.googlesource.com/1111958
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53976}
[modify] https://crrev.com/ada648006b0cee0808ed0dec5d2c2c9145b708a6/src/wasm/baseline/liftoff-assembler.cc
[modify] https://crrev.com/ada648006b0cee0808ed0dec5d2c2c9145b708a6/src/wasm/baseline/liftoff-assembler.h
[modify] https://crrev.com/ada648006b0cee0808ed0dec5d2c2c9145b708a6/src/wasm/baseline/liftoff-compiler.cc
[add] https://crrev.com/ada648006b0cee0808ed0dec5d2c2c9145b708a6/test/mjsunit/regress/wasm/regress-854050.js

Status: Fixed (was: Assigned)
After triage, please leave a comment on whether the bug can have security implications.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Severity-High Type-Bug
No security implications, since Liftoff is off by default (we finch on canary and dev).
Project Member

Comment 10 by bugdroid1@chromium.org, Jun 22 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/cf2f6a57b5faee5683a97319d0aacb69f10d7362

commit cf2f6a57b5faee5683a97319d0aacb69f10d7362
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Fri Jun 22 16:26:20 2018

Revert "[Liftoff] Fix register use count"

This reverts commit ada648006b0cee0808ed0dec5d2c2c9145b708a6.

Reason for revert: Failure with slow dchecks: https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20-%20debug/20982

Original change's description:
> [Liftoff] Fix register use count
> 
> In {SetLocalFromStackSlot}, we decrement the use count of the register
> in the target slot without updating this slot, and then call
> {GetUnusedRegister}. At that point, the register use counts do not
> match the cache state, which leads to errors later on.
> This CL fixes this by marking the target slot as a stack slot after
> reducing the register use count.
> 
> It also adds a Validation which helped to find that error and will
> catch similar errors earlier.
> 
> R=titzer@chromium.org
> 
> Bug:  chromium:854050 , v8:6600
> Change-Id: I74d3a5aa947ec4247d7b4557567f642bf4082316
> Reviewed-on: https://chromium-review.googlesource.com/1111958
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53976}

TBR=titzer@chromium.org,clemensh@chromium.org

Change-Id: I5b8d8d405dcd7f82ee431cba290419425b9859a1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  chromium:854050 , v8:6600
Reviewed-on: https://chromium-review.googlesource.com/1112277
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53979}
[modify] https://crrev.com/cf2f6a57b5faee5683a97319d0aacb69f10d7362/src/wasm/baseline/liftoff-assembler.cc
[modify] https://crrev.com/cf2f6a57b5faee5683a97319d0aacb69f10d7362/src/wasm/baseline/liftoff-assembler.h
[modify] https://crrev.com/cf2f6a57b5faee5683a97319d0aacb69f10d7362/src/wasm/baseline/liftoff-compiler.cc
[delete] https://crrev.com/aafd5c52ab98608e37284a5a944a4c63045625b9/test/mjsunit/regress/wasm/regress-854050.js

Status: Started (was: Fixed)
Reverted, needs a fix for bots which enable slow dchecks.
Project Member

Comment 12 by bugdroid1@chromium.org, Jun 22 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7f851cd42c1fb2c631346898703273ad07ae72e7

commit 7f851cd42c1fb2c631346898703273ad07ae72e7
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Fri Jun 22 17:41:21 2018

Reland "[Liftoff] Fix register use count"

This is a reland of ada648006b0cee0808ed0dec5d2c2c9145b708a6, fixed
for 32 bit architectures (register pairs).

Original change's description:
> [Liftoff] Fix register use count
>
> In {SetLocalFromStackSlot}, we decrement the use count of the register
> in the target slot without updating this slot, and then call
> {GetUnusedRegister}. At that point, the register use counts do not
> match the cache state, which leads to errors later on.
> This CL fixes this by marking the target slot as a stack slot after
> reducing the register use count.
>
> It also adds a Validation which helped to find that error and will
> catch similar errors earlier.
>
> R=titzer@chromium.org
>
> Bug:  chromium:854050 , v8:6600
> Change-Id: I74d3a5aa947ec4247d7b4557567f642bf4082316
> Reviewed-on: https://chromium-review.googlesource.com/1111958
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53976}

TBR=titzer@chromium.org

Bug:  chromium:854050 , v8:6600
Change-Id: Ibc8801737e9604a8490382c569b0378585625376
Reviewed-on: https://chromium-review.googlesource.com/1112238
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53981}
[modify] https://crrev.com/7f851cd42c1fb2c631346898703273ad07ae72e7/src/wasm/baseline/liftoff-assembler.cc
[modify] https://crrev.com/7f851cd42c1fb2c631346898703273ad07ae72e7/src/wasm/baseline/liftoff-assembler.h
[modify] https://crrev.com/7f851cd42c1fb2c631346898703273ad07ae72e7/src/wasm/baseline/liftoff-compiler.cc
[add] https://crrev.com/7f851cd42c1fb2c631346898703273ad07ae72e7/test/mjsunit/regress/wasm/regress-854050.js

Status: Fixed (was: Started)
Project Member

Comment 14 by ClusterFuzz, Jun 24 2018

ClusterFuzz has detected this issue as fixed in range 53980:53981.

Detailed report: https://clusterfuzz.com/testcase?key=5097133477462016

Fuzzer: binaryen_wasm_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  is_used(reg) in liftoff-assembler.h
  v8::internal::wasm::LiftoffAssembler::CacheState::dec_used
  v8::internal::wasm::LiftoffAssembler::Spill
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=52986:52987
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=53980:53981

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5097133477462016

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 15 by ClusterFuzz, Jun 24 2018

ClusterFuzz has detected this issue as fixed in range 53980:53981.

Detailed report: https://clusterfuzz.com/testcase?key=5882955910873088

Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  is_used(reg) in liftoff-assembler.h
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=52062:52063
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=53980:53981

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5882955910873088

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 16 by ClusterFuzz, Jun 24 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5882955910873088 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: -reward-topanel
