
Issue 696622


Issue metadata

Status: Fixed
Closed: Feb 2017
OS: Linux
Pri: 1
Type: Bug


V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt

Project Member Reported by ClusterFuzz, Feb 27 2017

Issue description

Cc: bmeu...@chromium.org jarin@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)
This is a TF bug; I have a hunch what is going on.
Comment 2 by bugdroid1@chromium.org (Project Member), Feb 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/09a07038f25aec0817a75cbbb226f57e6e5dd6d2

commit 09a07038f25aec0817a75cbbb226f57e6e5dd6d2
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue Feb 28 12:47:37 2017

[turbofan] Fix lowering of %_GetSuperConstructor intrinsic.

The above intrinsic by now has to perform a check whether the prototype
of a derived constructor is actually a constructor function itself. This
is done as part of the {JSGetConstructorCall} operator. The intrinsic
should just reduce down to the operator to maintain correct semantics.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-696622
BUG=chromium:696622

Change-Id: Ia19c188f17ad16b12248db1f01a01b8d7258499b
Reviewed-on: https://chromium-review.googlesource.com/447716
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43479}
[modify] https://crrev.com/09a07038f25aec0817a75cbbb226f57e6e5dd6d2/src/compiler/js-intrinsic-lowering.cc
[modify] https://crrev.com/09a07038f25aec0817a75cbbb226f57e6e5dd6d2/src/interpreter/bytecode-decoder.cc
[add] https://crrev.com/09a07038f25aec0817a75cbbb226f57e6e5dd6d2/test/mjsunit/regress/regress-crbug-696622.js

Status: Fixed (was: Assigned)
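The semantics the commit message describes, as an added example that is not the commit's regression test (test/mjsunit/regress/regress-crbug-696622.js) and not V8 code. Per the ECMAScript GetSuperConstructor abstract operation, a `super()` call in a derived constructor looks up the [[Prototype]] of the active constructor and must throw a TypeError if that value is not a constructor. The fuzzer configuration in the report compares the interpreter (ignition) against TurboFan-optimized code (ignition_turbo_opt), so the example calls the same construction path many times, enough for an optimizing tier to kick in, and checks that every iteration agrees with the first. The class names, the `construct`/`runConsistently`/`demo` helpers and the iteration count are assumptions for illustration, not anything from the bug or the engine.

```javascript
// Added example, not code from the V8 commit or the ClusterFuzz test case.
// It exercises what GetSuperConstructor must guarantee: super() throws a
// TypeError when the derived constructor's [[Prototype]] is not a constructor,
// and it must do so identically whether the interpreter or optimized code runs.

class Base {
  constructor() { this.tag = 'base'; }
}

class Derived extends Base {
  // super() is where the engine fetches Derived's [[Prototype]] and must
  // verify that it is a constructor before calling it.
  constructor() { super(); this.tag += '+derived'; }
}

// Returns the outcome of `new Derived()`: the constructed tag on success,
// or the error's constructor name (e.g. 'TypeError') if construction throws.
function construct() {
  try {
    return new Derived().tag;
  } catch (e) {
    return e.constructor.name;
  }
}

// Calls construct() repeatedly (iteration count is an arbitrary assumption,
// chosen to be large enough for a JIT to optimize the hot path) and fails
// loudly if the result ever changes, i.e. if two execution tiers disagree.
function runConsistently(iterations) {
  const first = construct();
  for (let i = 1; i < iterations; i++) {
    const again = construct();
    if (again !== first) {
      throw new Error(`result changed at iteration ${i}: ${again} vs ${first}`);
    }
  }
  return first;
}

// Drives the scenarios: a valid super constructor, then two values that are
// not constructors (an arrow function has no [[Construct]]; null is not an
// object at all), then the original prototype restored.
function demo() {
  const results = {};
  results.normal = runConsistently(20000);       // 'base+derived'

  Object.setPrototypeOf(Derived, () => {});      // not a constructor
  results.arrow = runConsistently(20000);        // 'TypeError'

  Object.setPrototypeOf(Derived, null);          // not a constructor either
  results.nullProto = runConsistently(20000);    // 'TypeError'

  Object.setPrototypeOf(Derived, Base);          // restore the real super class
  results.restored = runConsistently(20000);     // 'base+derived'
  return results;
}

console.log(demo());
```

A missing IsConstructor check in one tier would not crash here; it would surface as `runConsistently` observing a different outcome after optimization, which is the same class of divergence the differential fuzzer reported as a "V8 correctness failure".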
Comment 4 by ClusterFuzz (Project Member), Mar 1 2017

ClusterFuzz has detected this issue as fixed in range 43478:43479.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4778098391515136

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: c8c

Sanitizer: address (ASAN)

Fixed: V8: 43478:43479

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97-Gd5e3WnPK5ntdfC9i6OTteR0G-fDygtKfNwmAHfcURiDrK5GRtu1L59WEeAiv0P0lACQVZ5hxmyXAhUCdtAUG4jMVvXsFp7SNPgKI81rQYtF3P68FOXpuGrxY_4NLWxkvd8JGAPEirH_3V6LEXU6d2GHKxX_csOS811qZlbe9lMETy-nb_NmHke2U62i-H3aJMKLgtn8ImhrhOcqBK32KbxDW_wJn6ipuzxOcyOt4rLrvD1t74YaNz5ip8qrQxJwGDhKC5ly6sFH9orLLhH0IXJO5zM3u-zuICKaJTHGaDYGKwg4v5hUUaI2Gu1RAdm5rIaCjAE9a0c-Of3yTS1_IuukqwCtrxKfKhjJnJ5fzoObgO8?testcase_id=4778098391515136


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.