V8 correctness failure in configs: x64,fullcode:x64,ignition_staging

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4926291053903872

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 5fc

Sanitizer: address (ASAN)

Regressed: V8: r42378:42379

Minimized Testcase (0.64 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94hnjRLAecPOEihceg1FYbkr1tzCvwCY8WXnPyyZElvWW6gchl4ACYw6S2zvv8E6rZVBPtvFGIENHEGrr0Xn4F9LVdmEg1Rk76-aPPyeAuFE-1WKk28QIAolVhpR-J7f4hjmosVELdjOWk2rzSWOWykFlGzljP_x111sOej9YAiN053xuEeRBihtmXGdb0H24FyXP9yj8KISim-16JgxTfP8tz1JJeu1btpA1Tf1pTPRMuFcgOkvTUHk0o7-lL0HfLicUMgOvf_BRI3nFCT2QnrlriOsMPVbuIemuCBckgqa8jeHY8v8PmxmsYamw0C53D8fuobLbvvKMoPK6s5yQhzo8lgQIcP7nAH91m3KKf7P5FzCco?testcase_id=4926291053903872

function classOf(object) {
  var string = Object.prototype.toString.call(object);
  return string.substring(8, string.length - 1);
}
__max_depth = 3
__PrettyPrint = function __PrettyPrint(value, depth=__max_depth) {
  switch (typeof value) {
    case "object":
      var objectClass = classOf(value);
      switch (objectClass) {
        case "Number":
        default:
          return objectClass + "()";
      }
  }
}
var __v_0 = 2147483648;
print("v8-foozzie source: /v8/test/mjsunit/compiler/integral32-add-sub.js");
(function() {
  __v_1 = __f_1();
})();
try {
  print(__PrettyPrint(__v_1));
} catch(e) {; }
function __f_1() {
  "use asm";
  return {};
}

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jan 18 2017

ClusterFuzz has detected this issue as fixed in range 42461:42462.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4926291053903872

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 5fc

Sanitizer: address (ASAN)

Regressed: V8: r42378:42379
Fixed: V8: r42461:42462

Minimized Testcase (0.64 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94hnjRLAecPOEihceg1FYbkr1tzCvwCY8WXnPyyZElvWW6gchl4ACYw6S2zvv8E6rZVBPtvFGIENHEGrr0Xn4F9LVdmEg1Rk76-aPPyeAuFE-1WKk28QIAolVhpR-J7f4hjmosVELdjOWk2rzSWOWykFlGzljP_x111sOej9YAiN053xuEeRBihtmXGdb0H24FyXP9yj8KISim-16JgxTfP8tz1JJeu1btpA1Tf1pTPRMuFcgOkvTUHk0o7-lL0HfLicUMgOvf_BRI3nFCT2QnrlriOsMPVbuIemuCBckgqa8jeHY8v8PmxmsYamw0C53D8fuobLbvvKMoPK6s5yQhzo8lgQIcP7nAH91m3KKf7P5FzCco?testcase_id=4926291053903872

function classOf(object) {
  var string = Object.prototype.toString.call(object);
  return string.substring(8, string.length - 1);
}
__max_depth = 3
__PrettyPrint = function __PrettyPrint(value, depth=__max_depth) {
  switch (typeof value) {
    case "object":
      var objectClass = classOf(value);
      switch (objectClass) {
        case "Number":
        default:
          return objectClass + "()";
      }
  }
}
var __v_0 = 2147483648;
print("v8-foozzie source: /v8/test/mjsunit/compiler/integral32-add-sub.js");
(function() {
  __v_1 = __f_1();
})();
try {
  print(__PrettyPrint(__v_1));
} catch(e) {; }
function __f_1() {
  "use asm";
  return {};
}

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 1 by machenb...@chromium.org, Jan 18 2017