V8 correctness failure in configs: x64,ignition:x64,ignition_turbo
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5097895532691456

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: dd2

Sanitizer: address (ASAN)

Minimized Testcase (0.41 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95nQMV9qMWrFfalHoXFp5BZAJpEFMe8tH5R6xCuwKGxPawxhCViP0cfCE1b2BFsilUHFA7O6GNemdSw-gBAaGUqzLK1QaP13JjXt273ltVfBvncWdCB3O7mXNk0A7GAv32v_ZghVDSFEUu20QHUWjot_QHbZZBW0EzvQKtDMEItJAvnC5dJfGQXQH-Eg8uD-Rg0Ycn5v_72_PgSrCLZlGRGvExUlxtO1g6Gm4975XkRPVS6MoDtpOJevFFkPg0S9m7tyTLbFJrAPupjJAg9WB6sXkAbpQRyVBkh2BH-icM82u4XSXMWsp2i9oBmDrtgYPMNq4Awrn2sM-t2nOM7kdBwxZ_bJGAOx0B579wzDCj9nL7Nn1w?testcase_id=5097895532691456

__PrettyPrint = function __PrettyPrint() {
  switch (typeof value) {
  }
}
assertEquals = function assertEquals(expected, found) {
  print(found);
};
var __v_3 = [];
Object.freeze(__v_3);
print("v8-foozzie source: /v8/test/mjsunit/compiler/escape-analysis-8.js");
function __f_6() {
  assertEquals(2, __v_3.length);
}
function __f_5() {
  var __v_5 = new __f_6();
}
__f_5();
%OptimizeFunctionOnNextCall(__f_5);
__f_5();

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 30 2017
Benedikt agreed to take a look.
Jan 30 2017
Jan 30 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/b91285165045358a633c794873c177982d43ad73

commit b91285165045358a633c794873c177982d43ad73
Author: bmeurer <bmeurer@chromium.org>
Date: Mon Jan 30 11:15:02 2017

[turbofan] Don't constant-fold ACCESSOR properties.

R=ishell@chromium.org
BUG=chromium:686102

Review-Url: https://codereview.chromium.org/2662793002
Cr-Commit-Position: refs/heads/master@{#42767}

[modify] https://crrev.com/b91285165045358a633c794873c177982d43ad73/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/b91285165045358a633c794873c177982d43ad73/test/mjsunit/regress/regress-crbug-686102.js
Jan 31 2017
ClusterFuzz has detected this issue as fixed in range 42766:42767.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5097895532691456

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: dd2

Sanitizer: address (ASAN)

Fixed: V8: 42766:42767

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95nQMV9qMWrFfalHoXFp5BZAJpEFMe8tH5R6xCuwKGxPawxhCViP0cfCE1b2BFsilUHFA7O6GNemdSw-gBAaGUqzLK1QaP13JjXt273ltVfBvncWdCB3O7mXNk0A7GAv32v_ZghVDSFEUu20QHUWjot_QHbZZBW0EzvQKtDMEItJAvnC5dJfGQXQH-Eg8uD-Rg0Ycn5v_72_PgSrCLZlGRGvExUlxtO1g6Gm4975XkRPVS6MoDtpOJevFFkPg0S9m7tyTLbFJrAPupjJAg9WB6sXkAbpQRyVBkh2BH-icM82u4XSXMWsp2i9oBmDrtgYPMNq4Awrn2sM-t2nOM7kdBwxZ_bJGAOx0B579wzDCj9nL7Nn1w?testcase_id=5097895532691456

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 31 2017
Jan 31 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions.

Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Jan 31 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/55c4a7018825a44e97bf0e96ef7991f3ed163b66

commit 55c4a7018825a44e97bf0e96ef7991f3ed163b66
Author: Benedikt Meurer <bmeurer@google.com>
Date: Tue Jan 31 11:54:00 2017

Merged: [turbofan] Don't constant-fold ACCESSOR properties.

Revision: b91285165045358a633c794873c177982d43ad73

BUG=chromium:686102
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2663193002 .
Cr-Commit-Position: refs/branch-heads/5.7@{#68}
Cr-Branched-From: 975e9a320b6eaf9f12280c35df98e013beb8f041-refs/heads/5.7.492@{#1}
Cr-Branched-From: 8d76f0e3465a84bbf0bceab114900fbe75844e1f-refs/heads/master@{#42426}

[modify] https://crrev.com/55c4a7018825a44e97bf0e96ef7991f3ed163b66/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/55c4a7018825a44e97bf0e96ef7991f3ed163b66/test/mjsunit/regress/regress-crbug-686102.js
Jan 31 2017
Please merge your change to M57 branch 2987 ASAP (latest before 5:00 PM PT on Wednesday, 02/01/17) so we can pick it up for M57 Beta promotion release this week. Thank you.
Jan 31 2017
Comment 1 by machenb...@chromium.org, Jan 27 2017
Status: Available (was: Untriaged)
// PTAL. Looks like TF has a problem with freezing arrays.

Minimized:

var a = [];
Object.freeze(a);
function foo() {
  print(a.length);
}
foo();
%OptimizeFunctionOnNextCall(foo);
foo();

// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1474417455 --ignition --turbo-filter=~ --hydrogen-filter=~ --novalidate-asm --nocrankshaft
# Flags of x64,ignition_turbo: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1474417455 --ignition-staging --turbo --novalidate-asm
#
# Difference:
- 0
+ undefined
#
# Source file: none
#
### Start of configuration x64,ignition:
0
0
### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
0
undefined
### End of configuration x64,ignition_turbo
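The two repros in this thread (the ClusterFuzz testcase in the issue description and the minimized one in comment 1) both depend on d8 and %OptimizeFunctionOnNextCall to force TurboFan to compile the reader. The following is an added example, not code from this bug, from the fix CL or from the V8 tree: a self-contained differential check for the same bug class (a JIT constant-folding a read-only property whose value the optimizer must not take from the map's descriptor), written so it runs under plain node without --allow-natives-syntax. It assumes only that hammering a closure a couple of hundred thousand times is enough to get it tiered up, so a negative result is not proof of absence; the case names, runCase and runAll are this example's own. Each case records the cold result, rechecks it on every call, and returns a report instead of printing, so the result can be asserted on.

```javascript
'use strict';

// Added example (not from the bug thread). Each case builds a receiver whose
// property is read-only in a different way and returns a reader closure,
// the value the spec requires, and (for real accessors) a way to see that
// the getter was actually invoked rather than folded away.
const cases = {
  // The original repro: length of a frozen empty array must stay 0.
  frozenArrayLength() {
    const a = [];
    Object.freeze(a);
    return { read: () => a.length, expected: 0 };
  },
  // Frozen array with elements: length must stay 2, never undefined.
  frozenArrayLength2() {
    const a = [1, 2];
    Object.freeze(a);
    return { read: () => a.length, expected: 2 };
  },
  // A genuine JS accessor on a frozen object: freezing does not make the
  // getter's result a constant, so the getter must run on every read.
  frozenObjectGetter() {
    let calls = 0;
    const o = { get x() { calls++; return 42; } };
    Object.freeze(o);
    return { read: () => o.x, expected: 42, sideEffect: () => calls };
  },
  // Non-writable, non-configurable data property: this one is legitimately
  // foldable, and folding it must still yield the stored value.
  constantData() {
    const o = {};
    Object.defineProperty(o, 'k', { value: 7, writable: false, configurable: false });
    return { read: () => o.k, expected: 7 };
  },
};

// Run one case: take the cold (interpreted) result, then call the reader
// `iterations` times so a JIT will normally tier it up, checking every
// result against the cold one, then take a final hot result.
function runCase(name, iterations) {
  const { read, expected, sideEffect } = cases[name]();
  const cold = read();
  let mismatchAt = -1;
  for (let i = 0; i < iterations; i++) {
    if (read() !== cold) { mismatchAt = i; break; }
  }
  const hot = read();
  return {
    name,
    cold,
    hot,
    expected,
    mismatchAt,
    // Consistent means: never diverged from the cold value, and both the
    // cold and hot values are what the language semantics require.
    consistent: mismatchAt === -1 && cold === expected && hot === expected,
    // For the accessor case, how many times the getter really ran.
    getterCalls: sideEffect ? sideEffect() : null,
  };
}

function runAll(iterations = 200000) {
  return Object.keys(cases).map((n) => runCase(n, iterations));
}

for (const r of runAll()) {
  console.log(`${r.consistent ? 'ok  ' : 'FAIL'} ${r.name}: cold=${r.cold} hot=${r.hot} expected=${r.expected}`);
}
```

On a V8 with the fix (or any engine that respects the semantics) every case reports ok; the thread's bug would show up as frozenArrayLength reporting cold=0 hot=undefined once the reader was optimized. The getter case is the one the fix title is about: a property that is an accessor must keep calling its getter, so getterCalls should equal the total number of reads.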