Issue 921366
Issue metadata

Status: Fixed
Owner:
Closed: Today
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Unreachable code in instruction-selector.cc

Reported by ClusterFuzz (Project Member), Jan 13

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5657174977806336

Fuzzer: binaryen_wasm_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: Unreachable code
Crash Address: 
Crash State:
  instruction-selector.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=51789:51790

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5657174977806336

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

Comment 1 by ClusterFuzz (Project Member), Jan 13

Labels: Test-Predator-Auto-Owner
Owner: gdeepti@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/41ceccc5dba1526deaf670da765de69d73495879 ([wasm] Add I64{Exchange, CompareExchange} ops for x64).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2 by gdeepti@chromium.org, Jan 18 (4 days ago)

Cc: gdeepti@chromium.org
Issue 892891 has been merged into this issue.

Comment 3 by ClusterFuzz (Project Member), Jan 18 (4 days ago)

Components: Blink>JavaScript>Compiler
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 4 by gdeepti@chromium.org, Jan 18 (4 days ago)

Components: -Blink>JavaScript -Blink>JavaScript>Compiler Blink>JavaScript>WebAssembly

Comment 5 by bugdroid1@chromium.org (Project Member), Today (10 hours ago)

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7c64d8837443afd182f9a3d26761091d81ac04fd

commit 7c64d8837443afd182f9a3d26761091d81ac04fd
Author: Deepti Gandluri <gdeepti@chromium.org>
Date: Tue Jan 22 20:11:03 2019

[wasm] Use DefaultLowering for I64Atomic narrow operations

Clusterfuzz generated test cases for narrow Load, CmpExchg nodes in
which the index is a word64 expression. This was not handled correctly,
leading to a malformed graph. Use default lowering for all atomic
narrow operations, and add reduced test cases in wasm cctests with the
same sequence as the ones generated by binaryen for other I64Atomic
operations as well.

Change-Id: I50d63747b16a8f69289ca4e76547b325d84b22d3
Bug: chromium:921366, chromium:920120, chromium:900681
Reviewed-on: https://chromium-review.googlesource.com/c/1423177
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59012}
[modify] https://crrev.com/7c64d8837443afd182f9a3d26761091d81ac04fd/src/compiler/int64-lowering.cc
[modify] https://crrev.com/7c64d8837443afd182f9a3d26761091d81ac04fd/test/cctest/wasm/test-run-wasm-atomics64.cc

Comment 6 by gdeepti@chromium.org, Today (9 hours ago)

Status: Fixed (was: Assigned)