New issue
Advanced search Search tips

Issue 681983 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

V8 correctness failure in configs: x64,fullcode:x64,ignition_staging

Project Member Reported by ClusterFuzz, Jan 17 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5172268662784000

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 464
  
Sanitizer: address (ASAN)

Regressed: V8: r42370:42371

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97-84owOofDGe8KvDY-vI_DV_pAMfFFx6Etc8nxrdH9RTjmPHX4ch7Rrj6OVu5rAO4dX4Jq31LmlNaZekpg4WBctQICysusMwUru35VjkqegveD2pbRBMxHJOMfftlX9kbGTFdwHAiIipeP5ubJhRDCPGaYW20gTAqBJEgHNsjlLlZ6BhNo7jNJTl2yjvodg3l1I1VHbh0ekIuyARsYHxewpeNK5V3ORo_LJs0zOUye1r3Qhoau-3qhk0zg2NURLyR6tfKTPZhDNHsI_IaABFJ6_YYAe-1wSaeErKGmOY26xWqE32ouoeswHYpv6GKi4gL6bs-KBz8rPzv-e4oXIUT9m6ZilulM8kZeLJGEUNZd8sqMHew?testcase_id=5172268662784000
__PrettyPrint = function __PrettyPrint(value) {
}
assertEquals = function assertEquals(expected, found) { print(found); };
for (var __v_0 = 0; __v_0 < 65000; __v_0++) {
}
print("v8-foozzie source: /v8/test/mjsunit/compiler/unsigned-min-max.js");
function __f_1(a, b) {
  a = a >>> 0;
  return Math.min(a);
}
assertEquals(1234, __f_1(-2));


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: jarin@chromium.org rmcilroy@chromium.org mstarzinger@chromium.org
Labels: v8-foozzie-failure
# PTAL! Calling with or without --ignition-staging is enough. Simple repro:

for (var __v_0 = 0; __v_0 < 65000; __v_0++) {
}
function foo(a, b) {
  a = a >>> 0;
  return Math.min(a);
}
print(foo(-2));


# Difference:
- 4294967294
+ -2
Cc: -mstarzinger@chromium.org
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)
Status: Started (was: Assigned)
Fix is in flight, will probably land tomorrow.
Project Member

Comment 4 by bugdroid1@chromium.org, Jan 19 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/76828375010edaad9504acab15799b0c7f473835

commit 76828375010edaad9504acab15799b0c7f473835
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Jan 19 09:11:47 2017

[turbofan] Fix translation of uint32 deopt immediates.

This makes sure 32-bit constants that are used as {MachineType::Uint32}
by the deoptimization translation are also interpreted as such when the
literals are collected.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-681983
BUG= chromium:681983 

Review-Url: https://codereview.chromium.org/2646463002
Cr-Commit-Position: refs/heads/master@{#42493}

[modify] https://crrev.com/76828375010edaad9504acab15799b0c7f473835/src/compiler/code-generator.cc
[add] https://crrev.com/76828375010edaad9504acab15799b0c7f473835/test/mjsunit/regress/regress-crbug-681983.js

Status: Fixed (was: Started)
Project Member

Comment 6 by ClusterFuzz, Jan 20 2017

ClusterFuzz has detected this issue as fixed in range 42492:42493.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5172268662784000

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 464
  
Sanitizer: address (ASAN)

Regressed: V8: 42370:42371
Fixed: V8: 42492:42493

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97-84owOofDGe8KvDY-vI_DV_pAMfFFx6Etc8nxrdH9RTjmPHX4ch7Rrj6OVu5rAO4dX4Jq31LmlNaZekpg4WBctQICysusMwUru35VjkqegveD2pbRBMxHJOMfftlX9kbGTFdwHAiIipeP5ubJhRDCPGaYW20gTAqBJEgHNsjlLlZ6BhNo7jNJTl2yjvodg3l1I1VHbh0ekIuyARsYHxewpeNK5V3ORo_LJs0zOUye1r3Qhoau-3qhk0zg2NURLyR6tfKTPZhDNHsI_IaABFJ6_YYAe-1wSaeErKGmOY26xWqE32ouoeswHYpv6GKi4gL6bs-KBz8rPzv-e4oXIUT9m6ZilulM8kZeLJGEUNZd8sqMHew?testcase_id=5172268662784000
__PrettyPrint = function __PrettyPrint(value) {
}
assertEquals = function assertEquals(expected, found) { print(found); };
for (var __v_0 = 0; __v_0 < 65000; __v_0++) {
}
print("v8-foozzie source: /v8/test/mjsunit/compiler/unsigned-min-max.js");
function __f_1(a, b) {
  a = a >>> 0;
  return Math.min(a);
}
assertEquals(1234, __f_1(-2));


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment