V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5009128465629184
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: eed
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97EW6b4xDx146pQKcXmYPtwKgaZQTAa-6CxoBVlL-_o1Ix-074w-1iBqume5KZOI8abg4r5mi5Qc9LB_CeMveVLQSSsmf8w6tKLOpg7_IVrU1uPhOwInWfsMpF9yIei9N4q8OIfiHd9vmCL8iJ13qnzXklXjJQsyoZj3va_SYWxbFwRgFuczxFEjlSKcCHaJzP-RzgQ1yoBlcbcj-42b2EcuQWBh1y04DZPceTh_nUzjjOM0oG2xoyz-VG4B5L9Acsgwz3STngOhD-hWHuG5jQ0XogS7Fkqf9qDOfBhj6q-WBUHJ9lnRBICb7odTOZ6Z4bzAVSAw1wmML7yQXk6QI6nn2wzN_bjjW_SKNwZ-NYcEnrdJOFflqAs4AVXngSTMT1qtV2kn1SP1qtT562WDaCs5rutOg?testcase_id=5009128465629184

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 30 2017
Confused interpreter with turbofan...
Mar 30 2017
This is the BytecodeGraphBuilder, so it is actually TurboFan :). Adding back Benedikt and Jaro.
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 44307:44308.

Detailed report: https://clusterfuzz.com/testcase?key=5009128465629184
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: eed
Sanitizer: address (ASAN)
Fixed: V8: 44307:44308
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97EW6b4xDx146pQKcXmYPtwKgaZQTAa-6CxoBVlL-_o1Ix-074w-1iBqume5KZOI8abg4r5mi5Qc9LB_CeMveVLQSSsmf8w6tKLOpg7_IVrU1uPhOwInWfsMpF9yIei9N4q8OIfiHd9vmCL8iJ13qnzXklXjJQsyoZj3va_SYWxbFwRgFuczxFEjlSKcCHaJzP-RzgQ1yoBlcbcj-42b2EcuQWBh1y04DZPceTh_nUzjjOM0oG2xoyz-VG4B5L9Acsgwz3STngOhD-hWHuG5jQ0XogS7Fkqf9qDOfBhj6q-WBUHJ9lnRBICb7odTOZ6Z4bzAVSAw1wmML7yQXk6QI6nn2wzN_bjjW_SKNwZ-NYcEnrdJOFflqAs4AVXngSTMT1qtV2kn1SP1qtT562WDaCs5rutOg?testcase_id=5009128465629184

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 1 2017
ClusterFuzz testcase 5009128465629184 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 1 2017
Ross, please verify that https://chromium.googlesource.com/v8/v8/+/a4c6126a836bae6af70220ce90386d322885e958 also solved everything about this issue. Could you check in a regression test?
Apr 3 2017
The underlying bug is in the parser and that hasn't been fixed yet (the CHECK just makes it fail deterministically). Duping with the underlying bug and Marja should add a regression test when it is fixed.
Comment 1 by machenb...@chromium.org, Mar 30 2017
Labels: -Pri-1 Pri-2
Status: Available (was: Untriaged)

Another instance of a C++ throw instead of crash. This time with simpler repro. Bt looks like this:

  #5 0x00007ffff770e922 in __cxxabiv1::__cxa_throw (obj=0x555556239930, tinfo=0x7ffff79981f0 <typeinfo for std::out_of_range>, dest= 0x7ffff77228b0 <std::out_of_range::~out_of_range()>) at ../../../../src/libstdc++-v3/libsupc++/eh_throw.cc:87
  #6 0x00007ffff7760447 in std::__throw_out_of_range (__s=<optimized out>) at ../../../../../src/libstdc++-v3/src/c++11/functexcept.cc:80
  #7 0x0000555555784931 in v8::internal::compiler::BytecodeGraphBuilder::Environment::LookupRegister(v8::internal::interpreter::Register) const ()