Issue 662915 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 660379
Owner:	----
Closed:	Nov 2016
Cc:	mvstan...@chromium.org rmcilroy@chromium.org mstarzinger@chromium.org
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	1
Type:	Bug
Proj-Ignition v8-foozzie-failure

Blocking:
issue 661510

Difference between default and ignition: uncaught type error

Project Member Reported by machenb...@chromium.org, Nov 7 2016

Issue description

# Minimized program:
a = [];
for (var i = 0; i < 28000; i++) {
  a.push(0);
}
function foo() {
  i();
}
try {
  foo();
} catch(e) {; }
gc();


# Compared default with ignition_staging

# Flags of default:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit  --random-seed -1925140180
# Flags of ignition_staging:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit  --random-seed -1925140180 --ignition-staging

Difference:
Different total output lines: 0 vs. 7

### Start of configuration default:

### End of configuration default

### Start of configuration ignition_staging:
out10_ignition_staging/fuzz-08410.js.minimized:6: TypeError: i is not a function
  i();
  ^
TypeError: i is not a function
    at foo (out10_ignition_staging/fuzz-08410.js.minimized:6:3)
    at out10_ignition_staging/fuzz-08410.js.minimized:9:3


### End of configuration ignition_staging

Comment 1 by machenb...@chromium.org, Nov 7 2016

# Different case with a reference error. Please check if it's the same root cause:
function getRandomProperty(v) {
  var properties = Object.getOwnPropertyNames(v);
  var proto = Object.getPrototypeOf(v);
  if (properties.length == 0) { return "0"; }
  properties[undefined];
}
var a = {};
function foo() {
  getRandomProperty(a)
  a.__defineSetter__(0, function() { });
  return boom();
}
function bar() {
  try {
    foo();
  } catch (e) {
  }
}
bar();
%OptimizeFunctionOnNextCall(bar);
bar();

# Compared default with ignition_staging

# Flags of default:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=446 --no-fold-constants --random-seed -1974816673
# Flags of ignition_staging:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=446 --no-fold-constants --random-seed -1974816673 --ignition-staging

Difference:
Different total output lines: 0 vs. 8

### Start of configuration default:

### End of configuration default

### Start of configuration ignition_staging:
out10_ignition_staging/fuzz-10802.js.minimized:11: ReferenceError: boom is not defined
  return boom();
  ^
ReferenceError: boom is not defined
    at foo (out10_ignition_staging/fuzz-10802.js.minimized:11:3)
    at bar (out10_ignition_staging/fuzz-10802.js.minimized:15:5)
    at out10_ignition_staging/fuzz-10802.js.minimized:21:1


### End of configuration ignition_staging

Comment 2 by machenb...@chromium.org, Nov 7 2016

# Aaand another one. Please check again if same root cause:
for (var __v_12 = 0; __v_12 < 1000000; __v_12++);
function foo() {
  undefined.toString();
}
try {
  foo();
} catch(e) { print("Meh"); }
foo();


# Compared default with ignition_staging

# Flags of default:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit  --random-seed 422463981
# Flags of ignition_staging:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit  --random-seed 422463981 --ignition-staging

Difference:
Different total output lines: 8 vs. 7

### Start of configuration default:
Meh
out10_ignition_staging/fuzz-36380.js.minimized:3: TypeError: Cannot read property 'toString' of undefined
  undefined.toString();
           ^
TypeError: Cannot read property 'toString' of undefined
    at foo (out10_ignition_staging/fuzz-36380.js.minimized:3:12)
    at out10_ignition_staging/fuzz-36380.js.minimized:8:1


### End of configuration default

### Start of configuration ignition_staging:
out10_ignition_staging/fuzz-36380.js.minimized:3: TypeError: Cannot read property 'toString' of undefined
  undefined.toString();
           ^
TypeError: Cannot read property 'toString' of undefined
    at foo (out10_ignition_staging/fuzz-36380.js.minimized:3:12)
    at out10_ignition_staging/fuzz-36380.js.minimized:6:3


### End of configuration ignition_staging

Comment 3 by machenb...@chromium.org, Nov 7 2016

# More:
for (var i = 0; i < 100000; i++) { }
function foo() {
  Object.defineProperty();
}
try {
  foo();
} catch(e) {; }
gc();

Comment 4 by mstarzinger@chromium.org, Nov 7 2016

All most likely the same as  issue 660379 , which I am working on already.

Comment 5 by rmcilroy@chromium.org, Nov 10 2016

Mergedinto: 660379
Status: Duplicate (was: Untriaged)

These look to be fixed now that Michi's fix to 660379 has landed.

Comment 6 by machenb...@chromium.org, Dec 13 2016

Labels: -Restrict-View-Google v8-foozzie-failure

►

Issue 662915 link

Issue metadata

Difference between default and ignition: uncaught type error

Issue description

Comment 1 by machenb...@chromium.org, Nov 7 2016

Comment 1 Deleted

Comment 2 by machenb...@chromium.org, Nov 7 2016

Comment 2 Deleted

Comment 3 by machenb...@chromium.org, Nov 7 2016

Comment 3 Deleted

Comment 4 by mstarzinger@chromium.org, Nov 7 2016

Comment 4 Deleted

Comment 5 by rmcilroy@chromium.org, Nov 10 2016

Comment 5 Deleted

Comment 6 by machenb...@chromium.org, Dec 13 2016

Comment 6 Deleted

Sign in to add a comment