Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4881504376455168

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: d48

Sanitizer: address (ASAN)

Regressed: V8: 43317:43318

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94VbSZYb3pMlTO884O1GdMkZqeGFyZ0Cd5Eh4X_W58B7Ds5ZqL6F6emoIQbkaXBVdg44UuBUZiohM1RUoHgKPpR4pc89hba5x521l_5vYO99Hmhs0LoWU55evozgkxSUCB0Nax3UhBJpqtL1QBl2vYTVhicgK0V7g0vHQMc9SOZ7xlNKP3D0EdnP3SZOSx4xgXCHQNZh1ht5UtMmnY_k_tXi9SZPQnNJm5gwDPytpcmSE-G7KKCP13PqtH2vyiaeL3GMDDlu3HONCLrUlhXoNeP2_W0MWnyZ2ARGYbqx7vbU8-ATG6ds1jHqmqFGSk-68j7hB35UQZx5WbKv8FhiaiEHXszyrsMyZwjXQ3aH0UwNJiPzGbA-ZjnrW1yZMCyRtp0Eufk_1xatw0jGHhe-td2IYRz3Q?testcase_id=4881504376455168

Issue manually filed by: machenbach

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
// PTAL. Introduced here: https://chromium.googlesource.com/v8/v8/+/fc3312255f44eefac0677a9c0267095858c7c799

// Repro:
function __f_1(primitive) {
  Object.defineProperty(primitive.__proto__, Symbol.toStringTag, {});
}
__f_1("");
__f_1(true);
__f_1("");
%OptimizeFunctionOnNextCall(__f_1);
__f_1("");

// Output:
#
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft
# Flags of x64,ignition_turbo: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition-staging --turbo --validate-asm
#
# Difference:
+ /usr/local/google/home/machenbach/v8/v8/repro.js:2: TypeError: Object.defineProperty called on non-object
#
# Source file: none
#
### Start of configuration x64,ignition:

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
/usr/local/google/home/machenbach/v8/v8/repro.js:2: TypeError: Object.defineProperty called on non-object
Object.defineProperty(primitive.__proto__, Symbol.toStringTag, {});
^
### End of configuration x64,ignition_turbo
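An added, self-checking variant of the repro above (example code written for this page, not V8's code and not part of machenbach's comment). It needs no --allow-natives-syntax: instead of forcing a tier-up with %OptimizeFunctionOnNextCall it calls the function with the repro's polymorphic receiver sequence (string, boolean, string) many times so an optimizing tier, if one is present, kicks in on its own, and on every call it checks that `primitive.__proto__` resolved to the wrapper prototype and that Object.defineProperty on it succeeded. The error in the ignition_turbo output, "Object.defineProperty called on non-object", is exactly the condition the explicit non-object check below reports. The function names, the receiver list (which also adds a number primitive beyond the repro's string and boolean) and the iteration count are constructed for this example.

```javascript
'use strict';

// Added example, not part of the ClusterFuzz report or the V8 repro.
// Expected prototype for each primitive kind: `primitive.__proto__` is
// ToObject(primitive).[[GetPrototypeOf]](), i.e. the wrapper prototype.
const EXPECTED_PROTO = new Map([
  ['string', String.prototype],
  ['boolean', Boolean.prototype],
  ['number', Number.prototype],
]);

// Same shape as __f_1 in the repro, but with a fresh configurable symbol
// key on each call so the property can be removed again after the check.
function defineTagOnProto(primitive) {
  const proto = primitive.__proto__;
  if (proto === null || (typeof proto !== 'object' && typeof proto !== 'function')) {
    // This is the situation behind "Object.defineProperty called on non-object":
    // the property access yielded something that is not an object.
    throw new TypeError('primitive.__proto__ returned a non-object: ' + String(proto));
  }
  const key = Symbol('tag');
  Object.defineProperty(proto, key, { value: typeof primitive, configurable: true });
  const defined = proto[key] === typeof primitive;
  delete proto[key];
  if (!defined) throw new Error('property was not defined on the prototype');
  return proto;
}

// Warm-up loop in the repro's receiver order (plus a number); returns a
// summary rather than printing it so a caller or a test can assert on it.
function runSelfCheck(iterations) {
  const receivers = ['', true, '', 42]; // constructed inputs
  let calls = 0;
  const failures = [];
  for (let i = 0; i < iterations; i++) {
    for (const receiver of receivers) {
      calls++;
      let proto;
      try {
        proto = defineTagOnProto(receiver);
      } catch (e) {
        failures.push({ call: calls, receiver, error: String(e) });
        continue;
      }
      if (proto !== EXPECTED_PROTO.get(typeof receiver)) {
        failures.push({ call: calls, receiver, error: 'wrong prototype' });
      }
    }
  }
  return { calls, failures };
}

// Stand-alone run: a correct engine reports an empty failures list.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSelfCheck(20000)));
}
```

The check records the call number of the first failure, which is the detail a differential report like the one above loses: a regression that only appears after the optimizing tier takes over shows up as a clean run for the first few thousand calls followed by failures from the point of tier-up onwards.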
Issue 694869 has been merged into this issue.
ClusterFuzz has detected this issue as fixed in range 43375:43376.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4881504376455168

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: d48

Sanitizer: address (ASAN)

Regressed: V8: 43317:43318
Fixed: V8: 43375:43376

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94VbSZYb3pMlTO884O1GdMkZqeGFyZ0Cd5Eh4X_W58B7Ds5ZqL6F6emoIQbkaXBVdg44UuBUZiohM1RUoHgKPpR4pc89hba5x521l_5vYO99Hmhs0LoWU55evozgkxSUCB0Nax3UhBJpqtL1QBl2vYTVhicgK0V7g0vHQMc9SOZ7xlNKP3D0EdnP3SZOSx4xgXCHQNZh1ht5UtMmnY_k_tXi9SZPQnNJm5gwDPytpcmSE-G7KKCP13PqtH2vyiaeL3GMDDlu3HONCLrUlhXoNeP2_W0MWnyZ2ARGYbqx7vbU8-ATG6ds1jHqmqFGSk-68j7hB35UQZx5WbKv8FhiaiEHXszyrsMyZwjXQ3aH0UwNJiPzGbA-ZjnrW1yZMCyRtp0Eufk_1xatw0jGHhe-td2IYRz3Q?testcase_id=4881504376455168

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by machenb...@chromium.org, Feb 21 2017
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)