New issue
Advanced search Search tips

Issue 694492 link

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 694709
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

V8 correctness failure in configs: x64,ignition:x64,ignition_turbo

Project Member Reported by ClusterFuzz, Feb 21 2017

Issue description

Cc: jarin@chromium.org mstarzinger@chromium.org
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
// PTAL. Introduced here:
https://chromium.googlesource.com/v8/v8/+/fc3312255f44eefac0677a9c0267095858c7c799

// Repro:
function __f_1(primitive) {
  Object.defineProperty(primitive.__proto__, Symbol.toStringTag, {});
}
__f_1("");
__f_1(true);
__f_1("");
%OptimizeFunctionOnNextCall(__f_1);
__f_1("");

// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft
# Flags of x64,ignition_turbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition-staging --turbo --validate-asm
#
# Difference:
+ /usr/local/google/home/machenbach/v8/v8/repro.js:2: TypeError: Object.defineProperty called on non-object
#
# Source file:
none
#
### Start of configuration x64,ignition:

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
/usr/local/google/home/machenbach/v8/v8/repro.js:2: TypeError: Object.defineProperty called on non-object
  Object.defineProperty(primitive.__proto__, Symbol.toStringTag, {});
         ^



### End of configuration x64,ignition_turbo

 Issue 694869  has been merged into this issue.
Mergedinto: 694709
Status: Duplicate (was: Assigned)
Project Member

Comment 4 by ClusterFuzz, Feb 23 2017

ClusterFuzz has detected this issue as fixed in range 43375:43376.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4881504376455168

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: d48
  
Sanitizer: address (ASAN)

Regressed: V8: 43317:43318
Fixed: V8: 43375:43376

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94VbSZYb3pMlTO884O1GdMkZqeGFyZ0Cd5Eh4X_W58B7Ds5ZqL6F6emoIQbkaXBVdg44UuBUZiohM1RUoHgKPpR4pc89hba5x521l_5vYO99Hmhs0LoWU55evozgkxSUCB0Nax3UhBJpqtL1QBl2vYTVhicgK0V7g0vHQMc9SOZ7xlNKP3D0EdnP3SZOSx4xgXCHQNZh1ht5UtMmnY_k_tXi9SZPQnNJm5gwDPytpcmSE-G7KKCP13PqtH2vyiaeL3GMDDlu3HONCLrUlhXoNeP2_W0MWnyZ2ARGYbqx7vbU8-ATG6ds1jHqmqFGSk-68j7hB35UQZx5WbKv8FhiaiEHXszyrsMyZwjXQ3aH0UwNJiPzGbA-ZjnrW1yZMCyRtp0Eufk_1xatw0jGHhe-td2IYRz3Q?testcase_id=4881504376455168


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment