V8 correctness failure in configs: x64,fullcode:x64,ignition_staging
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6426328044929024

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 9ef
Sanitizer: address (ASAN)
Regressed: V8: r42378:42379

Minimized Testcase (0.28 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97Vf23xbcjnCEEIrwYd6giN4ZKTs9bnWD1mbHj2C3U2xJxNl8cLvYT7XhioqqXWutObT2lzqNcUJ5WDNgMiBKCOPc6vpd6XrNnNhk58hJF2uFjSA4LQVCyRouSnSfTHJPk1UVlUpMnNYwA7H5zJWOcglwetn7BLEhUwFVJy_AOON98MnENAU9wgM14HkIRMhpvSCLeEE3sG4DJ2p1Z7ovkU6F5nfiakWrnobQp3hOvotZ76Tpv322xkv1TXlvQa1jFRkaEyydrv1inHDMf5gFGqn1YGgsenYldMK3l-qi-EoCHK7Blfr81YcvhWI4AvIGibvkx4WuNLkmzhMhnagRv81TJOs4r-fqRC5iylcA__1WLju5o?testcase_id=6426328044929024

switch (typeof value) { case "string": }
print("v8-foozzie source: /v8/test/mjsunit/regress/regress-617526.js");
function __f_1() {
  "use asm";
  function __f_0() {
    var __v_0 = 0;
    while(2147483648) { }
  }
  return {__f_0: __f_0};
}
__v_1 = __f_1();
print(__v_1);

Issue manually filed by: machenbach

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 17 2017
Started here: https://chromium.googlesource.com/v8/v8/+log/3e4c170bc7f0f8ceb73fee904d83a253b1cb7c99..4f556e9e4b0679a862822f48e05511200194c632?pretty=fuller

PTAL
Jan 17 2017
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5383218665881600

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 757
Sanitizer: address (ASAN)
Regressed: V8: r42378:42379

Minimized Testcase (0.28 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94JLuNHD1y4yB5HA4PA3utL10hYeXw5UQplbKT_AXykgww5M6bDFktcXKm8FFIyhpFCMOqE0rE8HjbUYgQQmGZVPgtUH7RX8IxwoZEzbTl__BnQXC0J2_Rl97zbnLnWobZIGhT4dOCA1rJNKweEUlwPJKBy2UtCxSq-hEHy-3tf43-mSSIHawo5dfd8BZKM3o2VIz7GhpN3WSQxgCS7gjx3Y8n-9_z4CK_CDExFeloo4MDtdbTQ0ymN37c5ToC4E4ic6JQ7swCvqErvrngCSXuR4XqC7jn381laabU1Lebd-vx7cYC8p6MF4p-G5FKx7h8gFyRTXF-zPKsP488iGVvW9T5Tja0sxGCNMJu6tLQDUmAWMTs?testcase_id=5383218665881600

__PrettyPrint = function __PrettyPrint() { switch (typeof value) { case "string": } }
print("v8-foozzie source: /v8/test/mjsunit/compiler/regress-443744.js");
__v_1 = (function() {
  "use asm";
  function __f_0(x) { x = x | 0; }
  return {__f_0: __f_0};
})();
print(__v_1);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 17 2017
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5336661757263872

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: ac1
Sanitizer: address (ASAN)
Regressed: V8: r42378:42379

Minimized Testcase (0.25 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96tbEbsAinrMg16oVwpUKPKuJr-SkLPWk5MLQ9kRctXYEB_7n0aJ3dCkR8C046FgHQyVQZN1t1LSkDxJhyojoEinmJD8xghf8zih5NTpeEJffdb3ayt-8ojeLyXbomlhGJv2HsHScI2RjSaX7TS1PdGXkv-W_mSYO3uJL2TZtIdLNWizER3ZvntH7SfaMGUmVhaeTMY7UmhQXZb-PuAszK2uaXoK5iB8XTRzGn0je5UcsjD3ja2FJiDHELxi3V5MVBQLbklKLi9ww3EiiP6gQDFpt3FN8Y2z8ss_dzWYm0bUpMy1fTd3gUmKTKAC93QFU7LIcc6l87ec2eJDb6aH5KSa31aRxpiPy-QYkeGjxGzIhPonSY?testcase_id=5336661757263872

__PrettyPrint = function __PrettyPrint() { switch (typeof value) { } }
print("v8-foozzie source: /v8/test/mjsunit/asm/infinite-loops.js");
function __f_3() {
  "use asm";
  function __f_5(a) { a = a | 0; }
  return {};
}
__v_1 = __f_3();
print(__v_1);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 17 2017
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6447219839598592

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 8dd
Sanitizer: address (ASAN)
Regressed: V8: r42378:42379

Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv949aLbiqV1hOoTeG5TedZiGJ_yx4BrTYHUpifizruRTGimqbyC2wrDuVipR24owVYZZAWW_bE8Zzkp7lrldPqH_V15MxSfgZGOWN3_RvmGuOZqxvTaFhk0wLdFlhJ5z5kVBd6gADqTV1F_2dVjvB7_Oe64HRHjFnK8lnLgyy7VYjTOYN_6-0VAuL0W5U-KpSXMmf9NUbZdOxzEZFYZwNJChqXEzBuOzllbm5v3FaxOokTsLzVzR_9eCYHV4P-b90RWXt-McACmXJBdqybHKdLGI4p66plLsregQdvdebolONfsYqW8zVkE_SAFwu2REmtr1EeSwOJB83ucBiFyqoa1bzun_uRa4VtmRTXU7Dpi-UeydyiQ?testcase_id=6447219839598592

switch (typeof value) { }
print("v8-foozzie source: /v8/test/mjsunit/regress/regress-crbug-644111.js");
function __f_0() { "use asm"; return {}; }
__v_0 = __f_0();
print(__v_0);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 17 2017
This is a bug in the way we use the instance that is created from WASM. In the asm.js case, we are just installing the exported functions directly on the WebAssembly.Instance object that is created, and returning that from AsmJs::InstantiateAsmJs. Instead, we should always create an exports object and install it on the WebAssembly.Instance, returning the exports object from asm.js.
Jan 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/c2e8cb195afff01d47ce16f32f17a4a768166035

commit c2e8cb195afff01d47ce16f32f17a4a768166035
Author: machenbach <machenbach@chromium.org>
Date: Tue Jan 17 14:18:20 2017

[foozzie] Suppress crbug.com/681806

BUG=chromium:681806
NOTRY=true
TBR=titzer@chromium.org,bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2638913002
Cr-Commit-Position: refs/heads/master@{#42410}

[modify] https://crrev.com/c2e8cb195afff01d47ce16f32f17a4a768166035/tools/foozzie/v8_suppressions.py
Jan 18 2017

Jan 18 2017
Jan 18 2017
ClusterFuzz has detected this issue as fixed in range 42409:42410.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5383218665881600

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 757
Sanitizer: address (ASAN)
Regressed: V8: r42378:42379
Fixed: V8: r42409:42410

Minimized Testcase (0.28 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94JLuNHD1y4yB5HA4PA3utL10hYeXw5UQplbKT_AXykgww5M6bDFktcXKm8FFIyhpFCMOqE0rE8HjbUYgQQmGZVPgtUH7RX8IxwoZEzbTl__BnQXC0J2_Rl97zbnLnWobZIGhT4dOCA1rJNKweEUlwPJKBy2UtCxSq-hEHy-3tf43-mSSIHawo5dfd8BZKM3o2VIz7GhpN3WSQxgCS7gjx3Y8n-9_z4CK_CDExFeloo4MDtdbTQ0ymN37c5ToC4E4ic6JQ7swCvqErvrngCSXuR4XqC7jn381laabU1Lebd-vx7cYC8p6MF4p-G5FKx7h8gFyRTXF-zPKsP488iGVvW9T5Tja0sxGCNMJu6tLQDUmAWMTs?testcase_id=5383218665881600

__PrettyPrint = function __PrettyPrint() { switch (typeof value) { case "string": } }
print("v8-foozzie source: /v8/test/mjsunit/compiler/regress-443744.js");
__v_1 = (function() {
  "use asm";
  function __f_0(x) { x = x | 0; }
  return {__f_0: __f_0};
})();
print(__v_1);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 18 2017
ClusterFuzz has detected this issue as fixed in range 42409:42410.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6447219839598592

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 8dd
Sanitizer: address (ASAN)
Regressed: V8: r42378:42379
Fixed: V8: r42409:42410

Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv949aLbiqV1hOoTeG5TedZiGJ_yx4BrTYHUpifizruRTGimqbyC2wrDuVipR24owVYZZAWW_bE8Zzkp7lrldPqH_V15MxSfgZGOWN3_RvmGuOZqxvTaFhk0wLdFlhJ5z5kVBd6gADqTV1F_2dVjvB7_Oe64HRHjFnK8lnLgyy7VYjTOYN_6-0VAuL0W5U-KpSXMmf9NUbZdOxzEZFYZwNJChqXEzBuOzllbm5v3FaxOokTsLzVzR_9eCYHV4P-b90RWXt-McACmXJBdqybHKdLGI4p66plLsregQdvdebolONfsYqW8zVkE_SAFwu2REmtr1EeSwOJB83ucBiFyqoa1bzun_uRa4VtmRTXU7Dpi-UeydyiQ?testcase_id=6447219839598592

switch (typeof value) { }
print("v8-foozzie source: /v8/test/mjsunit/regress/regress-crbug-644111.js");
function __f_0() { "use asm"; return {}; }
__v_0 = __f_0();
print(__v_0);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 18 2017
ClusterFuzz has detected this issue as fixed in range 42409:42410.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5336661757263872

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: ac1
Sanitizer: address (ASAN)
Regressed: V8: r42378:42379
Fixed: V8: r42409:42410

Minimized Testcase (0.25 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96tbEbsAinrMg16oVwpUKPKuJr-SkLPWk5MLQ9kRctXYEB_7n0aJ3dCkR8C046FgHQyVQZN1t1LSkDxJhyojoEinmJD8xghf8zih5NTpeEJffdb3ayt-8ojeLyXbomlhGJv2HsHScI2RjSaX7TS1PdGXkv-W_mSYO3uJL2TZtIdLNWizER3ZvntH7SfaMGUmVhaeTMY7UmhQXZb-PuAszK2uaXoK5iB8XTRzGn0je5UcsjD3ja2FJiDHELxi3V5MVBQLbklKLi9ww3EiiP6gQDFpt3FN8Y2z8ss_dzWYm0bUpMy1fTd3gUmKTKAC93QFU7LIcc6l87ec2eJDb6aH5KSa31aRxpiPy-QYkeGjxGzIhPonSY?testcase_id=5336661757263872

__PrettyPrint = function __PrettyPrint() { switch (typeof value) { } }
print("v8-foozzie source: /v8/test/mjsunit/asm/infinite-loops.js");
function __f_3() {
  "use asm";
  function __f_5(a) { a = a | 0; }
  return {};
}
__v_1 = __f_3();
print(__v_1);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 18 2017
ClusterFuzz has detected this issue as fixed in range 42409:42410.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6426328044929024

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 9ef
Sanitizer: address (ASAN)
Regressed: V8: r42378:42379
Fixed: V8: r42409:42410

Minimized Testcase (0.28 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97Vf23xbcjnCEEIrwYd6giN4ZKTs9bnWD1mbHj2C3U2xJxNl8cLvYT7XhioqqXWutObT2lzqNcUJ5WDNgMiBKCOPc6vpd6XrNnNhk58hJF2uFjSA4LQVCyRouSnSfTHJPk1UVlUpMnNYwA7H5zJWOcglwetn7BLEhUwFVJy_AOON98MnENAU9wgM14HkIRMhpvSCLeEE3sG4DJ2p1Z7ovkU6F5nfiakWrnobQp3hOvotZ76Tpv322xkv1TXlvQa1jFRkaEyydrv1inHDMf5gFGqn1YGgsenYldMK3l-qi-EoCHK7Blfr81YcvhWI4AvIGibvkx4WuNLkmzhMhnagRv81TJOs4r-fqRC5iylcA__1WLju5o?testcase_id=6426328044929024

switch (typeof value) { case "string": }
print("v8-foozzie source: /v8/test/mjsunit/regress/regress-617526.js");
function __f_1() {
  "use asm";
  function __f_0() {
    var __v_0 = 0;
    while(2147483648) { }
  }
  return {__f_0: __f_0};
}
__v_1 = __f_1();
print(__v_1);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 18 2017
ClusterFuzz testcase 5336661757263872 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/761f373b520d201848c0ef6b209039bf12d4eded

commit 761f373b520d201848c0ef6b209039bf12d4eded
Author: machenbach <machenbach@chromium.org>
Date: Wed Jan 18 14:53:49 2017

[foozzie] Use stronger suppression for crbug.com/681806

BUG=chromium:681806
NOTRY=true
TBR=bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2644573002
Cr-Commit-Position: refs/heads/master@{#42462}

[modify] https://crrev.com/761f373b520d201848c0ef6b209039bf12d4eded/tools/foozzie/v8_suppressions.py
Jan 18 2017

Jan 24 2017
Jan 29 2017
Issue 686512 has been merged into this issue.
Mar 6 2017
Issue 698204 has been merged into this issue.
Mar 9 2017
Issue 699866 has been merged into this issue.
Mar 21 2017
Issue 703020 has been merged into this issue.
Apr 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/1dfcc4b6876d866e803b0a0af05bd27418443cbe

commit 1dfcc4b6876d866e803b0a0af05bd27418443cbe
Author: Michael Achenbach <machenbach@chromium.org>
Date: Thu Apr 27 14:49:13 2017

[foozzie] Remove obsolete suppressions

Most of these suppressions were for the old asm-validator or for the old compiler pipeline. Some more are just optimistically removed.

Bug: chromium:681088, chromium:681241, chromium:681806, chromium:662840
NOTRY=true
Change-Id: I4c6851a72d22070026eeaca90ad3394cfce10f90
Reviewed-on: https://chromium-review.googlesource.com/488641
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44942}

[modify] https://crrev.com/1dfcc4b6876d866e803b0a0af05bd27418443cbe/tools/foozzie/v8_foozzie_test.py
[modify] https://crrev.com/1dfcc4b6876d866e803b0a0af05bd27418443cbe/tools/foozzie/v8_suppressions.py
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by machenb...@chromium.org, Jan 17 2017

Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Labels: v8-foozzie-failure
Owner: titzer@chromium.org
Status: Assigned (was: Untriaged)

PTAL. Simple repro:

print((function () { "use asm"; return {}; })())

Difference:

- [object Object]
+ [object WebAssembly.Instance]
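A regression check for the invariant the root-cause comment and the repro above describe (an asm.js module must hand back a plain exports object, never the underlying WebAssembly.Instance), written here as an added example and not taken from V8's own test suite; the module and function names are made up.

```javascript
// Added example, not V8 project code: observe the value an asm.js module
// returns the way a differential fuzzer such as foozzie would, and flag the
// shape the thread reports as wrong ("[object WebAssembly.Instance]").

// A constructed asm.js module in the same style as the minimized test cases.
function asmModule() {
  "use asm";
  function inc(x) {
    x = x | 0;
    return (x + 1) | 0;
  }
  return { inc: inc };
}

// The empty-module case from the repro: (function () { "use asm"; return {}; })()
function emptyAsmModule() {
  "use asm";
  return {};
}

// Describe what came back: its Object.prototype.toString tag, whether it is a
// WebAssembly.Instance (the buggy behaviour), and its own property names.
function describeExports(exportsObj) {
  const isWasmInstance =
    typeof WebAssembly !== "undefined" && exportsObj instanceof WebAssembly.Instance;
  return {
    tag: Object.prototype.toString.call(exportsObj), // "[object Object]" when correct
    isWasmInstance: isWasmInstance,                   // true reproduces the bug
    ownKeys: Object.keys(exportsObj),                 // exports must be own properties
  };
}

// True when the engine behaves as the fix requires for both module shapes.
function asmExportsAreWellFormed() {
  const full = describeExports(asmModule());
  const empty = describeExports(emptyAsmModule());
  return full.tag === "[object Object]" && !full.isWasmInstance
    && full.ownKeys.length === 1 && full.ownKeys[0] === "inc"
    && asmModule().inc(41) === 42
    && empty.tag === "[object Object]" && !empty.isWasmInstance
    && empty.ownKeys.length === 0;
}

console.log(describeExports(asmModule()));
console.log(describeExports(emptyAsmModule()));
console.log("asm.js exports well-formed:", asmExportsAreWellFormed());
```

On an engine with the bug, `describeExports(emptyAsmModule()).tag` would be the `[object WebAssembly.Instance]` line from the repro diff, which is exactly what foozzie flagged as a correctness failure across the three configs.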