Issue metadata
V8 correctness failure in configs: x64,ignition:x64,ignition_turbo
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5923777847492608
Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
configs: x64,ignition:x64,ignition_turbo
sources: f45
Sanitizer: address (ASAN)
Regressed: V8: 42804:42805
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95dpPwg3dVlX-gVFLpNCmwYMo6tfHXYKYALQW75N2f7Ho8-zpElLBhFdGIU-vHfIl_Eg05LYzEx8_HzWM9rEhn2_ebRNmtqp0J3FcwA7gCWosZ4D8CgmmleJFsQ68sLPCedOCxQB2QIZ2hTx1dpFjGPKCAUG5MrRgcSnYoI61pw6abHh8OR981eK5K78SboGHyGGY8CmvovYzxFH7H7CAUtDQhmsP9Ba-b9wdd1gf5FlgDYxSfsV-c4lC9rUhAl6RBTj7Gviae9gERr2yC9aaJaJP9IogsduiiF1yaONf1XyJPBhwrxkG2zGFaqxLBHVJ8MHmJUNi1nYE5wYlxDQa2FUGkeWakjSZEiiFBFCMTX6Ha9NKM?testcase_id=5923777847492608

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Feb 1 2017
Sorry, can't get the repro any smaller. Very sensitive to any line I try to change. IMO the ignition baseline looks wrong, and the turbofan case looks alright, though.
Feb 1 2017
PTAL Ross. It looks like the turbofan case is correct here. When run in d8, it only repros if all js files are passed (I assume it needs certain properties in the global object). Put the minimized repro into repro.js and run from the V8 root folder with an x64 release build:

out.gn/x64.release/d8 --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft tools/foozzie/v8_mock.js tools/foozzie/v8_suppressions.js ./repro.js

-> the last print statement doesn't get executed.
Feb 7 2017
ClusterFuzz has detected this issue as fixed in range 42965:42966.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5923777847492608
Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
configs: x64,ignition:x64,ignition_turbo
sources: f45
Sanitizer: address (ASAN)
Regressed: V8: 42804:42805
Fixed: V8: 42965:42966
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95dpPwg3dVlX-gVFLpNCmwYMo6tfHXYKYALQW75N2f7Ho8-zpElLBhFdGIU-vHfIl_Eg05LYzEx8_HzWM9rEhn2_ebRNmtqp0J3FcwA7gCWosZ4D8CgmmleJFsQ68sLPCedOCxQB2QIZ2hTx1dpFjGPKCAUG5MrRgcSnYoI61pw6abHh8OR981eK5K78SboGHyGGY8CmvovYzxFH7H7CAUtDQhmsP9Ba-b9wdd1gf5FlgDYxSfsV-c4lC9rUhAl6RBTj7Gviae9gERr2yC9aaJaJP9IogsduiiF1yaONf1XyJPBhwrxkG2zGFaqxLBHVJ8MHmJUNi1nYE5wYlxDQa2FUGkeWakjSZEiiFBFCMTX6Ha9NKM?testcase_id=5923777847492608

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 7 2017
ClusterFuzz testcase 5923777847492608 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 7 2017
This was very likely wrongly closed, as one of the mock files changed the global object in the meantime.
Feb 21 2017
I invested a bit of time to get a better repro of this on ToT. I take back that it might be ignition's fault. Looking closer, the turbofan variant might be wrong. Here are pure d8 repros:
// Program repro.js:
var v = {};
var other = {};
function foo(thing) {
  var s = v[thing];
  v.__defineGetter__("print", function() { return s; });
}
foo("other");
v = this;
foo("printErr");
%OptimizeFunctionOnNextCall(foo);
foo("other");
print();
// Output with ignition:
d8 --allow-natives-syntax --random-seed 1234 --ignition --turbo-filter=~ --hydrogen-filter=~ --nocrankshaft repro.js
/usr/local/google/home/machenbach/v8/v8/repro.js:17: TypeError: print is not a function
print();
^
TypeError: print is not a function
// End of output
// Output with ignition_turbo:
d8 --allow-natives-syntax --random-seed 1234 --ignition-staging --turbo --validate-asm repro.js
// End of output
Feb 21 2017
This seems to work with all kinds of properties of the global object like so:
var v = {};
var other = {};
function foo(thing) {
  var s = v[thing];
  v.__defineGetter__("Worker", function() { return s; });
}
foo("other");
v = this;
foo("print");
%OptimizeFunctionOnNextCall(foo);
foo("other");
Worker();
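The two d8 repros above both hinge on the same semantics: a getter installed on the global object over a builtin (print, then Worker) captures whatever `v[thing]` read before the getter existed, and the final call must throw because the last captured value is the plain object `other`. As an added example that is not part of the bug report, the following plain-JS model of both repros serves as an oracle for which d8 output is the correct one; d8's global object is stood in for by a constructed object with stub builtins, since Node has none of print, printErr or Worker.

```javascript
// Constructed stand-in for the d8 global object (stub builtins, not V8's).
function makeGlobal() {
  return {
    print: () => "print",
    printErr: () => "printErr",
    Worker: function Worker() { return "Worker"; },
  };
}

// `shadowed` is the builtin the getter is installed over ("print" in the first
// repro, "Worker" in the second); `probe` is the global read on the second call
// ("printErr" resp. "print"). Returns a trace of observed states.
function runRepro(globalObj, shadowed, probe) {
  globalObj.other = {};            // `var other = {}` at d8 script top level
  let v = {};
  const trace = [];
  function foo(thing) {
    const s = v[thing];            // the read happens before the getter is installed
    v.__defineGetter__(shadowed, function () { return s; });
  }
  foo("other");                    // v is a plain object: getter yields undefined
  v = globalObj;                   // v now aliases the global object
  foo(probe);                      // getter over the builtin yields the probe builtin
  trace.push(typeof globalObj[shadowed]);   // "function"
  // %OptimizeFunctionOnNextCall(foo) only changes tiering, not semantics, so it
  // has no counterpart in this model.
  foo("other");                    // getter now yields globalObj.other, a plain object
  trace.push(typeof globalObj[shadowed]);   // "object"
  try {
    globalObj[shadowed]();         // calling a non-function must throw TypeError
    trace.push("no error");
  } catch (e) {
    trace.push(e instanceof TypeError ? "TypeError" : "other error");
  }
  return trace;                    // ["function", "object", "TypeError"]
}
```

Both configurations are expected to agree with this trace; the ignition output above matches it, while the silent ignition_turbo run is the one that deviates.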
Feb 21 2017
Most likely a dupe of issue 694416.
Feb 21 2017
Confirmed it was a dupe. Now fixed after the fix for issue 694416 was in.
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by machenb...@chromium.org, Feb 1 2017. Status: Assigned (was: Untriaged)