V8 correctness failure in configs: x64,fullcode:x64,ignition_staging
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5642002223071232

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: f3a

Sanitizer: address (ASAN)

Regressed: V8: 42370:42371

Minimized Testcase (0.41 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv945BjKCmoOObBwGJfcbcQK8KcAr4fssvedB4kyfqj9f1EPpFq70qtqBnqZqhknY9iuHhFCBuXoESs2Hb-jt54fWxs8u7G7lNXFa65BC3XZ1q05rKoWKpMo1K117F7p2rTJ_yvL7EJ2q8q7gt8Blt8KTwB73DvvVatCqzz3ybkNEOQxSPjaI-fYMOdPo9WymCeOArhd9-V0qkCn3F2NVPkiRDajfZtiwXoP_TTO77aNh2wyv_97GDklsCWRgNiiPSKHfMUZj0cHUE5dit-us05p1mnZYCHAUP9pd4uDv6db_nPNBSZKQlplOwqpugligMHcps0FwRApVDm5SceciGsW_W7tMPm_-4PAfom8lfxGAsMODhPE?testcase_id=5642002223071232

__PrettyPrint = function __PrettyPrint(value) {
  switch (typeof value) {
    case "number":
      if (1 / value < 0) return "-0";
      return objectClass + "()";
  }
}
var __v_2 = -1073741825;
print("v8-foozzie source: /v8/test/mjsunit/regress/regress-crbug-625547.js");
__v_2 = 0;
var __v_4 = {z:-0.0}.z;
function __f_2() {
  __v_2 = __v_4;
};
%OptimizeFunctionOnNextCall(__f_2);
__f_2();
__PrettyPrint(__v_2);

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 25 2017
Probably a dupe of issue 682877.

Jan 26 2017

Mar 8 2017
ClusterFuzz has detected this issue as fixed in range 43662:43663.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5642002223071232

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: f3a

Sanitizer: address (ASAN)

Regressed: V8: 42370:42371
Fixed: V8: 43662:43663

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv945BjKCmoOObBwGJfcbcQK8KcAr4fssvedB4kyfqj9f1EPpFq70qtqBnqZqhknY9iuHhFCBuXoESs2Hb-jt54fWxs8u7G7lNXFa65BC3XZ1q05rKoWKpMo1K117F7p2rTJ_yvL7EJ2q8q7gt8Blt8KTwB73DvvVatCqzz3ybkNEOQxSPjaI-fYMOdPo9WymCeOArhd9-V0qkCn3F2NVPkiRDajfZtiwXoP_TTO77aNh2wyv_97GDklsCWRgNiiPSKHfMUZj0cHUE5dit-us05p1mnZYCHAUP9pd4uDv6db_nPNBSZKQlplOwqpugligMHcps0FwRApVDm5SceciGsW_W7tMPm_-4PAfom8lfxGAsMODhPE?testcase_id=5642002223071232

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Mar 8 2017
ClusterFuzz testcase 5642002223071232 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Mar 8 2017

Mar 10 2017

Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by machenb...@chromium.org
Jan 25 2017
Status: Available (was: Untriaged)

// PTAL. Repros also with ignition/ignition_staging, but not with ignition_turbo, so crankshaft?

var v = -1;
v = 0;
function foo() {
  v = -0;
};
%OptimizeFunctionOnNextCall(foo);
foo();
print(1 / v)

// Output:

#
# Compared x64,ignition with x64,ignition_staging
#
# Flags of x64,ignition: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 123 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft
# Flags of x64,ignition_staging: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 123 --ignition-staging --validate-asm
#
# Difference:
- -Infinity
+ Infinity
#
# Source file: none
#
### Start of configuration x64,ignition:
-Infinity
### End of configuration x64,ignition
#
### Start of configuration x64,ignition_staging:
Infinity
### End of configuration x64,ignition_staging
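The reproducer in comment 1 stores -0 into a global that previously held small integers and then prints 1 / v, so the sign of zero is the only observable. The JavaScript below is an added example, not code from the bug report, from V8 or from the foozzie harness. It runs under plain node (no --allow-natives-syntax, so it cannot force the optimizer and only shows the value an interpreter must produce), implements the same store pattern, a printer that reliably tells -0 from 0 (the minimized __PrettyPrint above returns "-0" for any negative number because it lacks a value === 0 check, acceptable for a fuzz reproducer but not for a general oracle), and a line-by-line comparison of two configurations' output in the spirit of the "Difference:" block, fed with the two lines from comment 1 as constructed sample input. The names storeNegativeZeroGlobal, prettyPrint and diffOutputs are assumptions.

```javascript
// Added example (not part of the V8 bug report, V8 or the foozzie harness).
// Function names are assumptions, not V8 or ClusterFuzz API.

// Store pattern from the reproducer: the global first holds small integers
// (-1, then 0), then a heap-allocated -0.0 is stored into it. An optimizer
// that has recorded the slot as "integers only" can silently store +0 and
// lose the sign; interpreted as written, the result must be -Infinity.
var globalSlot = -1;
function storeNegativeZeroGlobal() {
  globalSlot = 0;                 // small integer store
  var negZero = { z: -0.0 }.z;    // -0 read back from a heap number
  globalSlot = negZero;           // the store whose sign the optimizer lost
  return 1 / globalSlot;          // -Infinity if the sign survived, Infinity if not
}

// Value printer that never conflates -0 with 0 (String(-0) === "0").
function prettyPrint(value) {
  switch (typeof value) {
    case "number":
      if (value === 0 && 1 / value < 0) return "-0";
      return String(value);       // NaN, Infinity, -Infinity, ordinary numbers
    case "string":
      return JSON.stringify(value);
    case "undefined":
      return "undefined";
    case "object":
      if (value === null) return "null";
      if (Array.isArray(value)) {
        return "[" + value.map(prettyPrint).join(", ") + "]";
      }
      return "{" + Object.keys(value)
        .map(function (k) { return k + ": " + prettyPrint(value[k]); })
        .join(", ") + "}";
    default:
      return String(value);
  }
}

// Compare two configurations' output line by line. Returns the first
// differing line as {line, a, b} (1-based), or null when identical.
function diffOutputs(linesA, linesB) {
  var n = Math.max(linesA.length, linesB.length);
  for (var i = 0; i < n; i++) {
    if (linesA[i] !== linesB[i]) {
      return { line: i + 1, a: linesA[i], b: linesB[i] };
    }
  }
  return null;
}

// Constructed sample: the two outputs quoted in comment 1.
var sampleIgnition = ["-Infinity"];
var sampleIgnitionStaging = ["Infinity"];

console.log("interpreted result:", prettyPrint(storeNegativeZeroGlobal()));
console.log("first difference:", diffOutputs(sampleIgnition, sampleIgnitionStaging));
```

The comparison is deliberately on printed lines rather than on raw values: that is what a differential fuzzer sees, which is why the printer has to make -0 visible in the first place.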