
Issue 691589

Issue metadata

Status: Assigned
OS: Linux
Pri: 2
Type: Bug

Blocked on:
issue v8:5663




V8 correctness failure in configs: x64,ignition:x64,ignition_eager

Reported by ClusterFuzz, Feb 13 2017

Issue description

Labels: -Pri-1 Pri-2
Owner: marja@chromium.org
Status: Assigned (was: Untriaged)
PTAL
 Issue 692730  has been merged into this issue.

Comment 4 by bugdroid1@chromium.org, Mar 3 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ddeb6e1d5952b76b9a65657b5a4057fde70f9142

commit ddeb6e1d5952b76b9a65657b5a4057fde70f9142
Author: Michael Achenbach <machenbach@chromium.org>
Date: Fri Mar 03 10:04:30 2017

[foozzie] Blacklist some files for ignition_eager

BUG=chromium:691589,chromium:691587
NOTRY=true
TBR=marja@chromium.org

Change-Id: I769af6472caa38f0a5d383cb8d5e30540f7c988a
Reviewed-on: https://chromium-review.googlesource.com/449713
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43575}
[modify] https://crrev.com/ddeb6e1d5952b76b9a65657b5a4057fde70f9142/tools/foozzie/v8_suppressions.py


Comment 5 by ClusterFuzz, Mar 4 2017

ClusterFuzz has detected this issue as fixed in range 43574:43575.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5761849930022912

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_eager
  sources: ad4
  
Sanitizer: address (ASAN)

Regressed: V8: 43144:43145
Fixed: V8: 43574:43575

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95tPY27hfl0zxbMF6aQX8Ywq-2Xj0qC-3rNOgAJ8Mp5VxbFNOEMk8xcz-QCi4Zba73o7tT7oMOybj-EsTJb10xlX227Tyqywu1vBai_8Tenr3l9KgkUrIrow8XDS12HshFIy2vfLom2KUdwYhTnoSmNvMBlhQ6t0jfPEl7wjK0XdznxbOFA5qg4pTPr6rDxhm8QMk4ypI5OCLuYyqHGZBFI6ykUpN-OAWo6vpBtrIP48Gz0Hyd_d6hXVIpWZyeOV2tu29iUZvQcCn1HOhV02UK1wHJXL16Q4T749Qp4jVWfQ5ZBxH6KFzB7A2X3sS7U3t5w2lt-Gf137GW_ZdlnWWi2Nmif3AhPTF8srqnMHHXbwS76M1dnVhb908saSknjT5punOE6RAy5EFCTa843VTlMlocP1Q?testcase_id=5761849930022912


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by ClusterFuzz, May 16 2017

ClusterFuzz has detected this issue as fixed in range 45316:45317.

Detailed report: https://clusterfuzz.com/testcase?key=6190711541334016

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_eager
  sources: 434
  
Sanitizer: address (ASAN)

Regressed: V8: 43144:43145
Fixed: V8: 45316:45317

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6190711541334016


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz, May 16 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4975243514085376 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
 Issue 727236  has been merged into this issue.
 Issue 728291  has been merged into this issue.
 Issue 728755  has been merged into this issue.
 Issue 734036  has been merged into this issue.
 Issue 735356  has been merged into this issue.
 Issue 736406  has been merged into this issue.
 Issue 737958  has been merged into this issue.
 Issue 738622  has been merged into this issue.
 Issue 743857  has been merged into this issue.
 Issue 745337  has been merged into this issue.
 Issue 755206  has been merged into this issue.
 Issue 755320  has been merged into this issue.
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.

Comment 22 by ClusterFuzz, Oct 1 2017

Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
 Issue 773594  has been merged into this issue.
Cc: yangguo@chromium.org
 Issue 773672  has been merged into this issue.
 Issue 774878  has been merged into this issue.

Comment 26 by ClusterFuzz, Oct 19 2017

ClusterFuzz has detected this issue as fixed in range 48714:48715.

Detailed report: https://clusterfuzz.com/testcase?key=6190711541334016

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_eager
  sources: 434
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=43144:43145
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=48714:48715

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6190711541334016

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: -ClusterFuzz-Verified ClusterFuzz-Wrong
 Issue 778910  has been merged into this issue.
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
 Issue 784921  has been merged into this issue.
Cc: machenb...@chromium.org
 Issue 788307  has been merged into this issue.
 Issue 794915  has been merged into this issue.
 Issue 795742  has been merged into this issue.
Cc: adamk@chromium.org
The issue is these two lines:

function getRandomProperty(v, rand) {
  var properties = Object.getOwnPropertyNames(v);
  print(properties);
  var proto = Object.getPrototypeOf(v);
  if (proto) {
    properties = properties.concat(proto);
  }
  if ("constructor") {; }
  if (properties.length == 0) {
    return "0";
  }
  return properties[rand % properties.length];
}


eval("function Crash() { assertUnreachable(); continue; if (Crash) {  } }");


The first line collects all global properties.

The second line defines a function Crash, which contains a syntax error ("continue"). With eager parsing, we run into the syntax error and do not define the function at all. With lazy parsing, we do not run into the syntax error and define the function, which is never really called, but affects the number of global properties.

Question is, should "continue" outside of a loop be an early error?

Comment 35 by adamk@chromium.org, Dec 19 2017

Indeed, continue outside a loop is an early error, but V8 doesn't know that. See at least https://bugs.chromium.org/p/v8/issues/detail?id=5663.
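The eager/lazy differential described in the two comments above, as an added example that is not part of the issue or of V8's own code. It declares a function whose body contains `continue` outside any loop (the same shape as the fuzzer's Crash function), snapshots the global object's own property names the way getRandomProperty does, and reports whether the parse was rejected and whether the global was created. A second probe forces a full parse of the same body through the Function constructor, which must parse its body before returning, and the differential reports whether the two agree. Which way a given engine goes is what the block reports; per the spec, both sides should throw SyntaxError. The function names globalNames, declareWithStrayContinue, eagerParseRejects and differential are mine, and the block assumes an engine that exposes globalThis (Node or d8).

```javascript
// Added example (not from the issue or the V8 tree): reproduce the
// eager/lazy parsing differential and report whether this engine treats
// `continue` outside a loop as an early error, i.e. a SyntaxError raised
// at parse time before any code runs.

// Same idea as the fuzzer's getRandomProperty: the set of own property
// names on the global object is what the correctness check ends up
// comparing between the two configs.
function globalNames() {
  return Object.getOwnPropertyNames(globalThis);
}

// Declare a function whose body has `continue` outside any loop, via
// indirect eval so the declaration lands on the global object as it does
// for top-level script code. The function is never called, so only
// parse-time behaviour matters: a lazy parser that skips the body without
// checking it still defines the function; an eager parser rejects it and
// defines nothing. `name` is an assumed, caller-chosen global name.
function declareWithStrayContinue(name) {
  const before = globalNames().length;
  let threw = false;
  try {
    (0, eval)(`function ${name}() { continue; if (${name}) {} }`);
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    threw = true;
  }
  const defined = Object.prototype.hasOwnProperty.call(globalThis, name);
  return { threw, defined, delta: globalNames().length - before };
}

// Force a full parse of the same body: the Function constructor has to
// parse its body before returning the function. Returns true when the
// body is rejected with a SyntaxError.
function eagerParseRejects(body) {
  try {
    new Function(body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// The differential itself: a conformant engine answers the same on both
// sides (rejects, and defines no global). `consistent` is false exactly
// when a lazily parsed declaration slips through while the eager parse
// of the same body throws, which is the mismatch the fuzzer flagged.
function differential(name) {
  const lazy = declareWithStrayContinue(name);
  const eager = eagerParseRejects("continue; if (x) {}");
  return {
    lazy,
    eager,
    consistent: lazy.threw === eager && lazy.defined === !eager,
  };
}

console.log(JSON.stringify(differential("Crash"), null, 2));
```

Run it under the engine you want to check; the `consistent` field is the one to look at. Because the probe function is never called, a mismatch shows up only in the global property count, which is why the fuzzer's getRandomProperty was sensitive to it while ordinary execution of the test case was not.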
Blockedon: v8:5663
Labels: -v8-foozzie-failure
Removing v8-foozzie-failure label, because eager-lazy testing has been removed from correctness-fuzzer experiments.
