Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4778098391515136

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: c8c

Sanitizer: address (ASAN)

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97-Gd5e3WnPK5ntdfC9i6OTteR0G-fDygtKfNwmAHfcURiDrK5GRtu1L59WEeAiv0P0lACQVZ5hxmyXAhUCdtAUG4jMVvXsFp7SNPgKI81rQYtF3P68FOXpuGrxY_4NLWxkvd8JGAPEirH_3V6LEXU6d2GHKxX_csOS811qZlbe9lMETy-nb_NmHke2U62i-H3aJMKLgtn8ImhrhOcqBK32KbxDW_wJn6ipuzxOcyOt4rLrvD1t74YaNz5ip8qrQxJwGDhKC5ly6sFH9orLLhH0IXJO5zM3u-zuICKaJTHGaDYGKwg4v5hUUaI2Gu1RAdm5rIaCjAE9a0c-Of3yTS1_IuukqwCtrxKfKhjJnJ5fzoObgO8?testcase_id=4778098391515136

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
This is a TF bug; I have a hunch what is going on.
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/09a07038f25aec0817a75cbbb226f57e6e5dd6d2

commit 09a07038f25aec0817a75cbbb226f57e6e5dd6d2
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue Feb 28 12:47:37 2017

[turbofan] Fix lowering of %_GetSuperConstructor intrinsic.

The above intrinsic by now has to perform a check whether the prototype of a derived constructor is actually a constructor function itself. This is done as part of the {JSGetConstructorCall} operator. The intrinsic should just reduce down to the operator to maintain correct semantics.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-696622
BUG=chromium:696622

Change-Id: Ia19c188f17ad16b12248db1f01a01b8d7258499b
Reviewed-on: https://chromium-review.googlesource.com/447716
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43479}

[modify] https://crrev.com/09a07038f25aec0817a75cbbb226f57e6e5dd6d2/src/compiler/js-intrinsic-lowering.cc
[modify] https://crrev.com/09a07038f25aec0817a75cbbb226f57e6e5dd6d2/src/interpreter/bytecode-decoder.cc
[add] https://crrev.com/09a07038f25aec0817a75cbbb226f57e6e5dd6d2/test/mjsunit/regress/regress-crbug-696622.js
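As an added illustration (this script is not part of the bug thread, the V8 regression test, or the fix above), the following JavaScript shows the semantics the commit message refers to: when a derived constructor runs super(), the engine looks up the derived class's [[Prototype]] as the "super constructor" and must throw a TypeError if that value is not a constructor. The example goes slightly beyond the single fuzzer case by probing several non-constructor prototypes (an arrow function, a plain object, null) alongside two valid ones, and it repeats each probe many times so an optimizing tier gets a chance to compile the function and its result can be compared against the first run. All function names (probeSuperConstructor, runProbe, summarize) are this example's own.

```javascript
// Added example, not code from the bug report or from V8.
// Sentinel meaning "leave the derived class's [[Prototype]] alone".
const KEEP = Symbol('keep');

// Builds a fresh Base/Derived pair, optionally replaces Derived's
// [[Prototype]] (which is what super() resolves to), then constructs an
// instance. Returns a short string describing the outcome so that runs
// can be compared with each other.
function probeSuperConstructor(replacement = KEEP) {
  class Base {
    constructor() { this.tag = 'base'; }
  }
  class Derived extends Base {
    constructor() { super(); this.tag += '+derived'; }
  }
  if (replacement !== KEEP) {
    // Changing the class object's prototype changes the super constructor.
    Object.setPrototypeOf(Derived, replacement);
  }
  try {
    return 'ok:' + new Derived().tag;
  } catch (e) {
    // Per the spec, a non-constructor super constructor must be a TypeError.
    return e instanceof TypeError ? 'TypeError' : 'other:' + e.name;
  }
}

// Runs one probe repeatedly and reports a mismatch if any iteration
// disagrees with the first. This is a plain-JS stand-in for the fuzzer's
// interpreter-vs-TurboFan comparison; under d8 one would instead use
// --allow-natives-syntax with %OptimizeFunctionOnNextCall.
function runProbe(replacement, iterations = 3000) {
  const first = probeSuperConstructor(replacement);
  for (let i = 1; i < iterations; i++) {
    const r = probeSuperConstructor(replacement);
    if (r !== first) {
      return 'MISMATCH at iteration ' + i + ': ' + first + ' vs ' + r;
    }
  }
  return first;
}

// Collects the outcome of each case in one object.
function summarize() {
  function Other() { this.tag = 'other'; }  // ordinary functions are constructors
  return {
    intact: runProbe(KEEP),               // 'ok:base+derived'
    ordinaryFunction: runProbe(Other),    // 'ok:other+derived'
    arrow: runProbe(() => {}),            // 'TypeError' (arrows have no [[Construct]])
    plainObject: runProbe({}),            // 'TypeError'
    nullProto: runProbe(null),            // 'TypeError'
  };
}

console.log(summarize());
```

A correctness failure of the kind the fuzzer reported shows up here as a MISMATCH string, since the unoptimized and optimized executions of the same probe would then disagree on whether the TypeError is raised.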
ClusterFuzz has detected this issue as fixed in range 43478:43479.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4778098391515136

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: c8c

Sanitizer: address (ASAN)

Fixed: V8: 43478:43479

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97-Gd5e3WnPK5ntdfC9i6OTteR0G-fDygtKfNwmAHfcURiDrK5GRtu1L59WEeAiv0P0lACQVZ5hxmyXAhUCdtAUG4jMVvXsFp7SNPgKI81rQYtF3P68FOXpuGrxY_4NLWxkvd8JGAPEirH_3V6LEXU6d2GHKxX_csOS811qZlbe9lMETy-nb_NmHke2U62i-H3aJMKLgtn8ImhrhOcqBK32KbxDW_wJn6ipuzxOcyOt4rLrvD1t74YaNz5ip8qrQxJwGDhKC5ly6sFH9orLLhH0IXJO5zM3u-zuICKaJTHGaDYGKwg4v5hUUaI2Gu1RAdm5rIaCjAE9a0c-Of3yTS1_IuukqwCtrxKfKhjJnJ5fzoObgO8?testcase_id=4778098391515136

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mstarzinger@chromium.org, Feb 28 2017
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)