Issue 683686

Issue metadata

Status: Verified
Owner: ----
Closed: Jan 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



V8 correctness failure in configs: x64,ignition:x64,ignition_turbo

Project Member Reported by ClusterFuzz, Jan 22 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5646639881781248

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: cdc
  
Sanitizer: address (ASAN)

Minimized Testcase (0.51 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94CLOhePlV_C1_TCW6dEm023EK-biN-Tw87OuLKiII5n2grKkUSKcEfqrPhi75TzELMryyt9J6JuL5rePTTYeFk_dgMabnenDdFHtqA1RkNu6imTNDGREVkMVw_BSE6lrIST86uRGLIHpu0DN2fV5CjUxAeKOiIgUVEr5J7l53Qj8qR5L_mCFQa8aUsvXaXYOmY6RB1EBnWCmFW0ReXpmkyVMROVCOymUSS-TAM5iP8orK3hjIp-OtQl1HuPFMiujf1KVm0jFSB1v0ZNlDzcDlJsX6bjoBYGfkOwZx2abxQuYNU1-9FjS5Qkknb7CUJUT_b_pbVVpt5dMxrCQKrxBJNL0YzA7o_pXAVua2dLWQxh8Mjp8k?testcase_id=5646639881781248
__PrettyPrint = function __PrettyPrint() {
  switch (typeof value) {
    case "number":
  }
}
assertEquals = function assertEquals(expected, found, name_opt) { print(found); };
var __v_7 = {};
print("v8-foozzie source: /v8/test/mjsunit/regress/regress-undefined-nan.js");
var __v_10 = new Float64Array();
var __v_12 = new Float64Array(1);
function __f_7() { __v_12[0] = __v_10[0]; }
__f_7();
__f_7();
%OptimizeFunctionOnNextCall(__f_7);
__f_7();
__v_9 = new Int32Array(__v_12.buffer);
assertEquals(__v_7[0], __v_9[0]);


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jan 24 2017

ClusterFuzz has detected this issue as fixed in range 42625:42626.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5646639881781248

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: cdc
  
Sanitizer: address (ASAN)

Fixed: V8: 42625:42626

Minimized Testcase (0.51 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94CLOhePlV_C1_TCW6dEm023EK-biN-Tw87OuLKiII5n2grKkUSKcEfqrPhi75TzELMryyt9J6JuL5rePTTYeFk_dgMabnenDdFHtqA1RkNu6imTNDGREVkMVw_BSE6lrIST86uRGLIHpu0DN2fV5CjUxAeKOiIgUVEr5J7l53Qj8qR5L_mCFQa8aUsvXaXYOmY6RB1EBnWCmFW0ReXpmkyVMROVCOymUSS-TAM5iP8orK3hjIp-OtQl1HuPFMiujf1KVm0jFSB1v0ZNlDzcDlJsX6bjoBYGfkOwZx2abxQuYNU1-9FjS5Qkknb7CUJUT_b_pbVVpt5dMxrCQKrxBJNL0YzA7o_pXAVua2dLWQxh8Mjp8k?testcase_id=5646639881781248
__PrettyPrint = function __PrettyPrint() {
  switch (typeof value) {
    case "number":
  }
}
assertEquals = function assertEquals(expected, found, name_opt) { print(found); };
var __v_7 = {};
print("v8-foozzie source: /v8/test/mjsunit/regress/regress-undefined-nan.js");
var __v_10 = new Float64Array();
var __v_12 = new Float64Array(1);
function __f_7() { __v_12[0] = __v_10[0]; }
__f_7();
__f_7();
%OptimizeFunctionOnNextCall(__f_7);
__f_7();
__v_9 = new Int32Array(__v_12.buffer);
assertEquals(__v_7[0], __v_9[0]);


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 2 by ClusterFuzz, Jan 24 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Untriaged)
ClusterFuzz testcase 5646639881781248 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
