V8 correctness failure in configs: x64,ignition:x64,ignition_turbo
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5438944172048384

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 1d1

Sanitizer: address (ASAN)

Regressed: V8: 43654:43655

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96sVsLu9GXoEVVl0OCLIhf585PD4yRC15Iul_bT8zp6vGohcv6YlkQNoA579Od5_VCAFdtk_Gb8iLHxdXmb93j7aXyFgEZz_xt5O-xTvcT6H5eY3qV1Cyo4EGzXtdECnsjFYuu9T8JMeSVD0oAPCfMiFA1a0Chc1vZC4VchdXDXgelaz-6UEdYoHqt5Vf8N3p-PWP2QvsYnyb2l-G-i6_Eov532bLcEQ-Um6s5zdwr9vsoyF3PRtVnghWbJdSO9Hujg0Q024KTKHxJ5MPBBA2Yy_QzkOojaX5YdKeNGWB86ybrqkXs6Maf5V_NSz3f_lFrZK85X9gnKRMhNA16CIgC2NbTM9eD8jN-zL1rd1aMh3Uih5wE?testcase_id=5438944172048384

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by machenb...@chromium.org, Mar 9 2017
Looking for a smaller repro. Also looks like it's fixed again on ToT... though I wonder why it bisects back to the flag implication change.
Mar 9 2017
// Looks like there's different whitespace before the error caret between ignition and ignition_turbo. The main problem remains, why was it triggered by Ross' CL?
// Repro:
// Builds "var _750=_750,_751=_751,...,_799=_799,x=1; return _0;" and runs it.
// The function body throws a ReferenceError (_0 is not defined); the configs
// differ only in how the error caret is positioned when that error is printed.
var v = "var ";
for (var index = 750; index < 800; index++) {
  v += [("_" + index), "=", ("_" + index), ","].join("");
}
v += "x=1; return _0;";
new Function(v)();
Mar 9 2017
Mar 10 2017
ClusterFuzz has detected this issue as fixed in range 43683:43684.

Detailed report: https://clusterfuzz.com/testcase?key=5438944172048384

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 1d1

Sanitizer: address (ASAN)

Regressed: V8: 43654:43655
Fixed: V8: 43683:43684

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96sVsLu9GXoEVVl0OCLIhf585PD4yRC15Iul_bT8zp6vGohcv6YlkQNoA579Od5_VCAFdtk_Gb8iLHxdXmb93j7aXyFgEZz_xt5O-xTvcT6H5eY3qV1Cyo4EGzXtdECnsjFYuu9T8JMeSVD0oAPCfMiFA1a0Chc1vZC4VchdXDXgelaz-6UEdYoHqt5Vf8N3p-PWP2QvsYnyb2l-G-i6_Eov532bLcEQ-Um6s5zdwr9vsoyF3PRtVnghWbJdSO9Hujg0Q024KTKHxJ5MPBBA2Yy_QzkOojaX5YdKeNGWB86ybrqkXs6Maf5V_NSz3f_lFrZK85X9gnKRMhNA16CIgC2NbTM9eD8jN-zL1rd1aMh3Uih5wE?testcase_id=5438944172048384

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 10 2017
I think my flag negation change might have made the --no-crankshaft ineffective when paired with --turbo (Mythri noticed this yesterday). There was an implication between turbo and crankshaft which I didn't notice. I'll take a look today.
Mar 10 2017
Would it also be useful to add an explicit --no-turbo to the ignition baseline? https://chromium-review.googlesource.com/c/452480/ - so far we only use the filter.
Mar 10 2017
Had a small discussion with Michi, will send around a doc soon.
Mar 10 2017
Michi and I both discussed the same plan we had to remove the turbo->crankshaft implication - this was bogus and meant no-crankshaft wouldn't work with turbo enabled. Michi has a CL, hopefully this will fix it otherwise I'll have another look.
Mar 10 2017
As for the problem in this CL, as analyzed in the doc, I think because turbo was off, the negation CL implied ignition switched off too. Switching it on explicitly had no effect so we essentially got fullcode here. Error caret differences between fullcode and ignition are known, so I think the clusterfuzz bug here is wontfix.
Mar 10 2017
With "this CL" above I meant "this issue"
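An added illustration, not code from V8 or from anyone in this thread: a toy model of command-line flag parsing followed by implication enforcement, showing why a turbo -> crankshaft implication makes an explicit --no-crankshaft ineffective (the Mar 10 comments above) and why a negated no-turbo -> no-ignition implication would turn an explicitly enabled ignition baseline into full-codegen. The flag names, the defaults, the fixed-point enforcement order and the two implications are assumptions chosen to mirror the thread; they are not V8's actual flag definitions.

```javascript
// Added illustration (not V8's flag parser). Assumed, simplified semantics:
// flags are parsed left to right (later flags win), then implications are
// enforced to a fixed point, so an implication overrides whatever the user
// wrote on the command line. Defaults below are an assumption for this demo.
const DEFAULTS = { turbo: false, crankshaft: true, ignition: false };

// Parse "--flag" / "--no-flag" into {flag: true|false}.
function parseFlags(args) {
  const flags = {};
  for (const arg of args) {
    const m = /^--(no-)?([a-z][a-z-]*)$/.exec(arg);
    if (!m) throw new Error("unrecognised flag: " + arg);
    flags[m[2]] = !m[1];
  }
  return flags;
}

// An implication {when, is, then, to} reads: if flag `when` equals `is`,
// force flag `then` to `to`. Looping until nothing changes lets one forced
// flag trigger a further implication.
function applyImplications(parsed, implications, defaults = DEFAULTS) {
  const flags = Object.assign({}, defaults, parsed);
  let changed = true;
  while (changed) {
    changed = false;
    for (const imp of implications) {
      if (flags[imp.when] === imp.is && flags[imp.then] !== imp.to) {
        flags[imp.then] = imp.to;
        changed = true;
      }
    }
  }
  return flags;
}

function resolve(args, implications) {
  return applyImplications(parseFlags(args), implications);
}

// Assumed implication 1: the "bogus" turbo -> crankshaft implication.
const TURBO_IMPLIES_CRANKSHAFT = [
  { when: "turbo", is: true, then: "crankshaft", to: true },
];

// Assumed implication 2: a negated implication no-turbo -> no-ignition,
// the reading of the negation change given in the thread.
const NO_TURBO_IMPLIES_NO_IGNITION = [
  { when: "turbo", is: false, then: "ignition", to: false },
];

// Each entry resolves one command line and reports the flag that matters.
function demo() {
  return {
    // --no-crankshaft is silently undone by the implication: crankshaft stays on.
    bogusImplication: resolve(["--turbo", "--no-crankshaft"], TURBO_IMPLIES_CRANKSHAFT).crankshaft,
    // With the implication removed the explicit flag is honoured.
    implicationRemoved: resolve(["--turbo", "--no-crankshaft"], []).crankshaft,
    // turbo defaults to off, so --ignition is overridden and we get full-codegen.
    ignitionBaseline: resolve(["--ignition"], NO_TURBO_IMPLIES_NO_IGNITION).ignition,
    // Only with --turbo does the ignition flag survive.
    ignitionTurbo: resolve(["--ignition", "--turbo"], NO_TURBO_IMPLIES_NO_IGNITION).ignition,
  };
}

console.log(demo());
```

Under this model the two foozzie configs being compared were really full-codegen versus ignition, which is why an explicit --no-turbo on the ignition baseline (or dropping the turbo -> crankshaft implication) changes what the comparison actually exercises; the same mechanism is worth checking whenever a differential-fuzzing baseline is defined by flags that other flags can imply.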
Mar 10 2017
ClusterFuzz testcase 5438944172048384 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 10 2017
Inventing a new label v8-foozzie-legacy for real issues in the old pipeline we won't fix anymore.
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.