V8 correctness failure in configs: x64,fullcode:x64,ignition_staging
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5172268662784000

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 464

Sanitizer: address (ASAN)

Regressed: V8: r42370:42371

Minimized Testcase (0.33 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97-84owOofDGe8KvDY-vI_DV_pAMfFFx6Etc8nxrdH9RTjmPHX4ch7Rrj6OVu5rAO4dX4Jq31LmlNaZekpg4WBctQICysusMwUru35VjkqegveD2pbRBMxHJOMfftlX9kbGTFdwHAiIipeP5ubJhRDCPGaYW20gTAqBJEgHNsjlLlZ6BhNo7jNJTl2yjvodg3l1I1VHbh0ekIuyARsYHxewpeNK5V3ORo_LJs0zOUye1r3Qhoau-3qhk0zg2NURLyR6tfKTPZhDNHsI_IaABFJ6_YYAe-1wSaeErKGmOY26xWqE32ouoeswHYpv6GKi4gL6bs-KBz8rPzv-e4oXIUT9m6ZilulM8kZeLJGEUNZd8sqMHew?testcase_id=5172268662784000

__PrettyPrint = function __PrettyPrint(value) { }
assertEquals = function assertEquals(expected, found) { print(found); };
for (var __v_0 = 0; __v_0 < 65000; __v_0++) { }
print("v8-foozzie source: /v8/test/mjsunit/compiler/unsigned-min-max.js");
function __f_1(a, b) { a = a >>> 0; return Math.min(a); }
assertEquals(1234, __f_1(-2));

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 18 2017

Jan 18 2017
Fix is in flight, will probably land tomorrow.
Jan 19 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/76828375010edaad9504acab15799b0c7f473835

commit 76828375010edaad9504acab15799b0c7f473835
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Jan 19 09:11:47 2017

[turbofan] Fix translation of uint32 deopt immediates.

This makes sure 32-bit constants that are used as {MachineType::Uint32} by the deoptimization translation are also interpreted as such when the literals are collected.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-681983
BUG=chromium:681983

Review-Url: https://codereview.chromium.org/2646463002
Cr-Commit-Position: refs/heads/master@{#42493}

[modify] https://crrev.com/76828375010edaad9504acab15799b0c7f473835/src/compiler/code-generator.cc
[add] https://crrev.com/76828375010edaad9504acab15799b0c7f473835/test/mjsunit/regress/regress-crbug-681983.js
Jan 19 2017

Jan 20 2017
ClusterFuzz has detected this issue as fixed in range 42492:42493.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5172268662784000

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 464

Sanitizer: address (ASAN)

Regressed: V8: 42370:42371
Fixed: V8: 42492:42493

Minimized Testcase (0.33 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97-84owOofDGe8KvDY-vI_DV_pAMfFFx6Etc8nxrdH9RTjmPHX4ch7Rrj6OVu5rAO4dX4Jq31LmlNaZekpg4WBctQICysusMwUru35VjkqegveD2pbRBMxHJOMfftlX9kbGTFdwHAiIipeP5ubJhRDCPGaYW20gTAqBJEgHNsjlLlZ6BhNo7jNJTl2yjvodg3l1I1VHbh0ekIuyARsYHxewpeNK5V3ORo_LJs0zOUye1r3Qhoau-3qhk0zg2NURLyR6tfKTPZhDNHsI_IaABFJ6_YYAe-1wSaeErKGmOY26xWqE32ouoeswHYpv6GKi4gL6bs-KBz8rPzv-e4oXIUT9m6ZilulM8kZeLJGEUNZd8sqMHew?testcase_id=5172268662784000

__PrettyPrint = function __PrettyPrint(value) { }
assertEquals = function assertEquals(expected, found) { print(found); };
for (var __v_0 = 0; __v_0 < 65000; __v_0++) { }
print("v8-foozzie source: /v8/test/mjsunit/compiler/unsigned-min-max.js");
function __f_1(a, b) { a = a >>> 0; return Math.min(a); }
assertEquals(1234, __f_1(-2));

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by machenb...@chromium.org, Jan 18 2017
Labels: v8-foozzie-failure

# PTAL!

Calling with or without --ignition-staging is enough.

Simple repro:
for (var __v_0 = 0; __v_0 < 65000; __v_0++) { }
function foo(a, b) { a = a >>> 0; return Math.min(a); }
print(foo(-2));

# Difference:
- 4294967294
+ -2
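The "- 4294967294 / + -2" difference above is the same 32-bit pattern (0xFFFFFFFE) read once as uint32 and once as int32. The following is an added example, not code from this bug report or from V8: it shows the two readings of that immediate, a reference ToUint32 computed with BigInt so it does not depend on the engine's optimizer, and a small differential harness in the spirit of the minimized testcase (cold call, warm-up loop to tier the function up, hot call, compare each against the reference). The helper names `asInt32`, `asUint32`, `toUint32Reference` and `differentialCheck` are this example's own; on a fixed engine the harness reports no mismatches.

```javascript
// Added example (not from the bug report or from V8): signed vs. unsigned
// reading of a 32-bit immediate, plus a differential check like foozzie's.

// The same 32 bits, interpreted as int32 (what the broken deopt translation
// produced: -2) and as uint32 (what the {MachineType::Uint32} constant meant).
function asInt32(bits) { return bits | 0; }
function asUint32(bits) { return bits >>> 0; }

// The function from the minimized testcase: `>>> 0` makes `a` a uint32, and
// Math.min with a single argument returns that argument unchanged.
function f1(a) { a = a >>> 0; return Math.min(a); }

// Reference ToUint32 (ECMAScript: truncate, reduce modulo 2^32, non-negative),
// computed with BigInt so the expected value never goes through the JIT's
// 32-bit immediate handling. Constructed for this example; finite inputs only.
function toUint32Reference(x) {
  const n = BigInt(Math.trunc(x));
  const two32 = 4294967296n;
  return Number(((n % two32) + two32) % two32);
}

// Run `fn` once cold, then `warmup` times (the testcase's 65000-iteration loop
// exists to get the function optimized), then once hot, and compare both
// observed results against `reference`. Returns the list of mismatches.
function differentialCheck(fn, reference, inputs, warmup = 65000) {
  const mismatches = [];
  for (const x of inputs) {
    const cold = fn(x);
    for (let i = 0; i < warmup; i++) fn(x);
    const hot = fn(x);
    const expected = reference(x);
    if (cold !== expected || hot !== expected) {
      mismatches.push({ input: x, cold, hot, expected });
    }
  }
  return mismatches;
}

// Constructed sample inputs: the testcase's -2 plus a few edge values.
const SAMPLE_INPUTS = [-2, -1, 0, 1, 2147483648, 4294967295, 4294967301];

if (typeof require !== "undefined" && require.main === module) {
  console.log("0xFFFFFFFE as int32:", asInt32(0xFFFFFFFE));   // -2
  console.log("0xFFFFFFFE as uint32:", asUint32(0xFFFFFFFE)); // 4294967294
  console.log("mismatches:", differentialCheck(f1, toUint32Reference, SAMPLE_INPUTS));
}
```

Run it under node (or d8 with `print` swapped for `console.log`); a correctness bug of the kind fixed in r42493 would show up as a mismatch entry whose `hot` value differs from `expected` while `cold` agrees.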