This suggests to me that something is wrong with the negation implications. Ross could you please take a look?

Looking for a smaller repro. Also looks on ToT it's fixed again... though I wonder why it bisects back to the flag implication change.

// Looks like there's different whitespace before the error carret between ignition and ignition_turbo. The main problem remains, why was it triggered by Ross' CL?

// Repro:
v = "var ";
for (var index = 750; index < 800; index++) {
  v += [("_" + index), "=", ("_" + index), ","].join("");
}
v += "x=1; return _0;"
new Function(v)();

ClusterFuzz has detected this issue as fixed in range 43683:43684.

Detailed report: https://clusterfuzz.com/testcase?key=5438944172048384

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 1d1
  
Sanitizer: address (ASAN)

Regressed: V8: 43654:43655
Fixed: V8: 43683:43684

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96sVsLu9GXoEVVl0OCLIhf585PD4yRC15Iul_bT8zp6vGohcv6YlkQNoA579Od5_VCAFdtk_Gb8iLHxdXmb93j7aXyFgEZz_xt5O-xTvcT6H5eY3qV1Cyo4EGzXtdECnsjFYuu9T8JMeSVD0oAPCfMiFA1a0Chc1vZC4VchdXDXgelaz-6UEdYoHqt5Vf8N3p-PWP2QvsYnyb2l-G-i6_Eov532bLcEQ-Um6s5zdwr9vsoyF3PRtVnghWbJdSO9Hujg0Q024KTKHxJ5MPBBA2Yy_QzkOojaX5YdKeNGWB86ybrqkXs6Maf5V_NSz3f_lFrZK85X9gnKRMhNA16CIgC2NbTM9eD8jN-zL1rd1aMh3Uih5wE?testcase_id=5438944172048384


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

I think my flag negation change might have made the --no-crankshaft ineffective when paired with --turbo (Mythri noticed this yesterday). There was an implication between turbo and crankshaft which I'd didn't notice. I'll take a look today.

Would it also be useful to add an explicit --no-turbo to the ignition baseline? https://chromium-review.googlesource.com/c/452480/ - so far we only use the filter.

Had a small discussion with Michi, will send around a doc soon.

Michi and I both discussed the same plan we had to remove the turbo->crankshaft implication - this was bogus and meant no-crankshaft wouldn't work with turbo enabled. Michi has a CL, hopefully this will fix it otherwise I'll have another look.

As for the problem in this CL, as analyzed in the doc, I think because turbo was off, the negation CL implied ignition switched off too. Switching it on explicitly had no effect so we essentially got fullcode here.

Error caret differences between fullcode and ignition are known, so I think the clusterfuzz bug here is wontfix.

With "this CL" above I meant "this issue"

ClusterFuzz testcase 5438944172048384 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Inventing a new label v8-foozzie-legacy for real issues in the old pipeline we won't fix anymore.

We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.