Issue 683676
Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


V8 correctness failure in configs: x64,fullcode:x64,ignition_staging

Project Member Reported by ClusterFuzz, Jan 22 2017

Issue description

Cc: bmeu...@chromium.org jarin@chromium.org mstarzinger@chromium.org
Status: Available (was: Untriaged)
// PTAL. Also repros in fullcode/default. Crunched it down to:

var count = 0;
// Builds an array whose element 1 is an accessor: any keyed store to index 1
// runs the setter, which re-enters __f_8 (bumping count again) and forces a GC.
function __f_8() {
  var __v_0 = [];
  __v_0.__defineSetter__(1, function() { this[0] = __f_8(); gc(); });
  count++;
  return __v_0;
}
// Same kind of array, but with a named property added (a different map).
function __f_1() {
  var v = __f_8();
  v.p = 0;
  return v;
}
// The keyed store that hits the accessor.
function __f_0(array) {
  array[1] = 0;
}
function __f_7() {
  __f_0(__f_8());
  __f_0(__f_1());
}
__f_7();
// Needs d8 with --allow-natives-syntax (and --expose-gc for gc() above).
%OptimizeFunctionOnNextCall(__f_7);
__f_7();
print(count);

// Output:
# Compared x64,fullcode with x64,default
#
# Flags of x64,fullcode:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 123 --nocrankshaft --turbo-filter=~ --validate-asm
# Flags of x64,default:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 123 --validate-asm
#
# Difference:
- 8
+ 9
#
# Source file:
none
#
### Start of configuration x64,fullcode:
8

### End of configuration x64,fullcode
#
### Start of configuration x64,default:
9

### End of configuration x64,default
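Added example, not part of this report or of V8's own code: the repro above rewritten to run under plain Node.js without d8 natives. gc() is replaced by a no-op when --expose-gc is absent, and the %OptimizeFunctionOnNextCall step is simply a second call of the same function. The point is to pin down the ECMAScript-specified value of count, which is the ground truth a differential like this needs: the fullcode configuration ran with both optimizing compilers disabled (--nocrankshaft --turbo-filter=~), so its 8 is the baseline and the 9 from the default configuration is the divergence. The names makeTrackedArray, storeAtIndexOne, countsPerRound and controlCount are assumptions introduced here, not identifiers from the report.

```javascript
// Added example (not from the bug report): the ClusterFuzz repro under plain
// Node.js, with no d8 natives, to establish the spec-mandated count.
//
// Pattern under test: an accessor installed on an *element index* of an array
// is invoked by an ordinary keyed store (array[1] = 0), and that setter
// re-enters the function that builds the array, so every store counts twice.

// gc() is a d8 native; under Node it only exists with --expose-gc.
const collect = typeof gc === "function" ? gc : () => {};

// Equivalent of __f_8 in the report. `state` carries the counter so the
// example can be re-run from a clean state in tests.
function makeTrackedArray(state) {
  const arr = [];
  // Same effect as __v_0.__defineSetter__(1, ...): an accessor at index 1.
  Object.defineProperty(arr, 1, {
    set() {
      // Re-entrant: building the nested array bumps the counter again.
      this[0] = makeTrackedArray(state);
      collect();
    },
    configurable: true,
  });
  state.count++;
  return arr;
}

// Equivalent of __f_0: the keyed store that hits the accessor.
function storeAtIndexOne(array) {
  array[1] = 0;
}

// One call of __f_7: a plain tracked array, then one with a named property
// added (as __f_1 does), each stored to at index 1.
function round(state) {
  storeAtIndexOne(makeTrackedArray(state));
  const v = makeTrackedArray(state);
  v.p = 0;
  storeAtIndexOne(v);
}

// Runs the repro's rounds (the report's second round is the one that was
// optimized) and returns the counter after each one.
function countsPerRound(rounds = 2) {
  const state = { count: 0 };
  const out = [];
  for (let i = 0; i < rounds; i++) {
    round(state);
    out.push(state.count);
  }
  return out;
}

// Control: a store to a different index, or a store to index 1 on an array
// that has no accessor there, must not invoke the setter at all.
function controlCount() {
  const state = { count: 0 };
  const a = makeTrackedArray(state);
  a[0] = 0;          // data property, no setter involved
  const b = [];
  b[1] = 0;          // plain array, no accessor at index 1
  return state.count;
}

// Run with: node this_file.js
console.log("per round:", countsPerRound(), "control:", controlCount());
```

countsPerRound() returns [4, 8], matching the fullcode side of the differential: two setter-driven re-entries per round, four increments per round, eight in total. The control returns 1, so the setter fires only for a store to the index that carries the accessor; the ninth increment seen in the default configuration therefore cannot come from the script's own stores, which is consistent with the triage note below attributing it to Crankshaft.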
Labels: -Pri-1 Pri-2
This is a Crankshaft issue.
Comment 3 by ClusterFuzz (Project Member), Mar 9 2017

ClusterFuzz has detected this issue as fixed in range 43683:43684.

Detailed report: https://clusterfuzz.com/testcase?key=4518260839284736

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 9b4
  
Sanitizer: address (ASAN)

Regressed: V8: 42370:42371
Fixed: V8: 43683:43684

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv968EE1_zmVv2mLoIaAydqpCT6USB_On3x4GEbzc0L5d6Tx7c_hOvmB3ZHx3afzwiNO8e8EDfUtYQUnsx5EYdnYpAjYUEC77bwAmxnj_4WgjEJeQ1VhUnnsQ1aqUtX2IrIvRpJpBtrwwTK2hiGXs_TPQnn_np-DiWHe-XdN_40Ifi2BW3Wd_X1TNmnU3AH30jjm102Q4SIDJvMI7aVpNHtSLuyOpPmTYrnelApp4BlcsPzqPLxHYpe59WcWqilXWhx2hcrpP7LwqgTw0g_w9EPzto2pI08Ul6aXjQa_37hWLxofv9IhPoxebMrUp_MhYMuejYPiq-QJRUrer0GZSgFsHxNaLxJWaovsAvM5hXry0M1y3jM0?testcase_id=4518260839284736


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 4 by ClusterFuzz (Project Member), Mar 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 4518260839284736 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: ClusterFuzz-Wrong
Status: Available (was: Verified)
Labels: v8-foozzie-legacy
Status: WontFix (was: Available)
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.