
Issue 900681


Issue metadata

Status: Fixed
Owner:
Closed: Today
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Ill in v8::internal::compiler::ArmOperandConverter::ToImmediate

Project Member Reported by ClusterFuzz, Oct 31

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5672467865272320

Fuzzer: binaryen_wasm_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0xf24be6a7
Crash State:
  v8::internal::compiler::ArmOperandConverter::ToImmediate
  v8::internal::compiler::CodeGenerator::AssembleMove
  v8::internal::compiler::CodeGenerator::AssembleMove
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=55026:55027

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5672467865272320

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz, Oct 31

Components: Blink>JavaScript>Compiler
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz, Oct 31

Labels: Test-Predator-Auto-Owner
Owner: gdeepti@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/145dd87b9066396e24ecdbac40917e1cf3ff0237 (Add I64Atomic Load/Store ops for ia32).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by gdeepti@chromium.org, Jan 18 (4 days ago)

Components: -Blink>JavaScript -Blink>JavaScript>Compiler Blink>JavaScript>WebAssembly

Comment 4 by bugdroid1@chromium.org, Today (12 hours ago)

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7c64d8837443afd182f9a3d26761091d81ac04fd

commit 7c64d8837443afd182f9a3d26761091d81ac04fd
Author: Deepti Gandluri <gdeepti@chromium.org>
Date: Tue Jan 22 20:11:03 2019

[wasm] Use DefaultLowering for I64Atomic narrow operations

Clusterfuzz generated test cases for narrow Load, CmpExchg nodes in
which the index is a word64 expression. This was not handled correctly
leading to a malformed graph. Use default lowering for all atomic
narrow operations, and add reduced test cases in wasm cctests with the
same sequence as the ones generated by binaryen for other I64Atomic
operations as well.

Change-Id: I50d63747b16a8f69289ca4e76547b325d84b22d3
Bug: chromium:921366, chromium:920120, chromium:900681
Reviewed-on: https://chromium-review.googlesource.com/c/1423177
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59012}
[modify] https://crrev.com/7c64d8837443afd182f9a3d26761091d81ac04fd/src/compiler/int64-lowering.cc
[modify] https://crrev.com/7c64d8837443afd182f9a3d26761091d81ac04fd/test/cctest/wasm/test-run-wasm-atomics64.cc

Comment 5 by gdeepti@chromium.org, Today (11 hours ago)

Status: Fixed (was: Assigned)
