DCHECK failure in block->predecessors().empty() || block->successors().empty() in unwinding-info-w
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6268931192651776

Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  block->predecessors().empty() || block->successors().empty() in unwinding-info-w
  v8::internal::compiler::CodeGenerator::AssembleCode
  Run

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=57581:57582

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6268931192651776

Issue manually filed by: clemensh

See https://github.com/google/clusterfuzz-tools for more information.
Dec 11
No security implications, as this requires --prof-perf.
Dec 11
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Dec 11
Dec 12
Looking at this now. I think loop rotation now invalidates the assumption made in the unwinding info rewriter, since loop rotation on a function that only has a loop in it may actually change the entrypoint block.
Jan 9
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/49a526ace992861e1a64c09b6fc625a48f4e56fe

commit 49a526ace992861e1a64c09b6fc625a48f4e56fe
Author: Ben L. Titzer <titzer@chromium.org>
Date: Wed Jan 09 15:52:08 2019

Remove invalid DCHECKS in unwinding-info-writer

The unwinding info writer was assuming that a block that had no initial state must be the start or end block. It was trying to check if the block was the start or end by asserting that the block had either no predecessors or no successors. Loop rotation breaks this assumption, since it can move a block from inside a loop to before the loop header, and the block can then be the "start" block. But since such a block has both predecessor(s) and a successor, the check was wrong.

R=clemensh@chromium.org

BUG= chromium:913844
Change-Id: Ic24c67a822d510cb082f25608089d313c3459be8
Reviewed-on: https://chromium-review.googlesource.com/c/1373770
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58675}

[modify] https://crrev.com/49a526ace992861e1a64c09b6fc625a48f4e56fe/src/compiler/backend/arm/unwinding-info-writer-arm.cc
[modify] https://crrev.com/49a526ace992861e1a64c09b6fc625a48f4e56fe/src/compiler/backend/arm64/unwinding-info-writer-arm64.cc
[modify] https://crrev.com/49a526ace992861e1a64c09b6fc625a48f4e56fe/src/compiler/backend/x64/unwinding-info-writer-x64.cc
[modify] https://crrev.com/49a526ace992861e1a64c09b6fc625a48f4e56fe/test/mjsunit/mjsunit.status
[add] https://crrev.com/49a526ace992861e1a64c09b6fc625a48f4e56fe/test/mjsunit/regress/regress-913844.js
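The block-graph shape the commit message describes, as an added example that is not part of this issue thread or of V8's code: a constructed model of a function containing a single loop, laid out once before and once after a loop rotation, with the predicate of the removed DCHECK (`predecessors().empty() || successors().empty()`) evaluated on whichever block comes first in emission order. The `Block`, `Graph` and helper names are this example's own, and the rotated layout is a deliberate simplification (the entry block is folded away so that the loop body becomes the first emitted block, the situation the commit calls the "start" block).

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed model of a scheduled control-flow graph. These are not V8's
// BasicBlock/InstructionBlock classes, just enough shape to show the problem.
struct Block {
  std::string name;
  std::vector<int> predecessors;  // indices into Graph::blocks
  std::vector<int> successors;
};

struct Graph {
  std::vector<Block> blocks;
  std::vector<int> code_order;  // emission order; front() is the "start" block
};

// The predicate behind the removed DCHECK: a block with no recorded initial
// state was assumed to be the start or end block, and "start or end" was
// approximated as "no predecessors or no successors".
bool OldStartOrEndPredicate(const Block& b) {
  return b.predecessors.empty() || b.successors.empty();
}

const Block& StartBlock(const Graph& g) { return g.blocks[g.code_order.front()]; }
const Block& EndBlock(const Graph& g) { return g.blocks[g.code_order.back()]; }

// A function whose body is a single loop, laid out before loop rotation:
//   entry -> header -> body -> header (back edge); header -> exit
Graph LoopBeforeRotation() {
  Graph g;
  g.blocks = {
      {"entry", {}, {1}},
      {"header", {0, 2}, {2, 3}},
      {"body", {1}, {1}},
      {"exit", {1}, {}},
  };
  g.code_order = {0, 1, 2, 3};
  return g;
}

// The same edges after a rotation that emits the loop body ahead of its
// header. Assumption of this model: the entry block is folded away, so the
// rotated body is the first block the code generator sees, even though it
// still has both a predecessor and a successor inside the loop.
Graph LoopAfterRotation() {
  Graph g = LoopBeforeRotation();
  g.code_order = {2, 1, 3};
  return g;
}

bool OldCheckHoldsForStart(const Graph& g) {
  return OldStartOrEndPredicate(StartBlock(g));
}
bool OldCheckHoldsForEnd(const Graph& g) {
  return OldStartOrEndPredicate(EndBlock(g));
}

int main() {
  for (const Graph& g : {LoopBeforeRotation(), LoopAfterRotation()}) {
    const Block& start = StartBlock(g);
    std::cout << "start block '" << start.name << "': old DCHECK predicate "
              << (OldCheckHoldsForStart(g) ? "holds" : "FAILS") << ", end block '"
              << EndBlock(g).name << "': "
              << (OldCheckHoldsForEnd(g) ? "holds" : "FAILS") << '\n';
  }
  return 0;
}
```

Before rotation the start block is `entry`, which has no predecessors, so the predicate is satisfied; after rotation the start block is `body`, which has `header` as both predecessor and successor, so the same predicate is false although the block genuinely is the first one emitted. That is why the fix removes the DCHECK rather than adjusting the graph: the structural test never identified "start or end", it only happened to coincide with it before loop rotation existed.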
Jan 9
Jan 10
ClusterFuzz has detected this issue as fixed in range 58674:58675.

Detailed report: https://clusterfuzz.com/testcase?key=6268931192651776

Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  block->predecessors().empty() || block->successors().empty() in unwinding-info-w
  v8::internal::compiler::CodeGenerator::AssembleCode
  Run

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=57581:57582
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=58674:58675

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6268931192651776

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 10
ClusterFuzz testcase 6268931192651776 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 14
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/f726d7f0c48d6e5f2024e1ec8289da735e62c041

commit f726d7f0c48d6e5f2024e1ec8289da735e62c041
Author: Ben L. Titzer <titzer@chromium.org>
Date: Mon Jan 14 15:26:16 2019

[mjsunit] Dont generate dumps from regression test

The --perf-prof flag generates unwanted .dump files, while the --perf-prof-unwinding-info flag enables the functionality under test here.

R=jgruber@chromium.org

BUG= chromium:913844
Change-Id: Ie5ee374977d6105854f42065600dac1bc5ba6df7
Reviewed-on: https://chromium-review.googlesource.com/c/1409363
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58791}

[modify] https://crrev.com/f726d7f0c48d6e5f2024e1ec8289da735e62c041/test/mjsunit/regress/regress-913844.js
Comment 1 by clemensh@chromium.org, Dec 11
Labels: Pri-1
Owner: titzer@chromium.org
Status: Assigned (was: Untriaged)