Detailed report: https://clusterfuzz.com/testcase?key=5559759848865792

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: e28

Sanitizer: address (ASAN)

Regressed: V8: 44217:44218

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96x3VihKZpQPZXkvwDMMzXPxJ1TI3EaZbdXUqb5_0puL6x4OZg73vqhwRTIItVTHEAi2VwOhrT0zbgfQv81WbeSjJx0BkSLwbM5YuNIC_IE83SkrH4Y2DB0tlisWISi4bgOKCYnzEawSpw67useYu9x_i4jLBh0Es-pKsErbjNvmjebN2sDPlhXRPDzKvwMVt-hAxNo9THWK6bUQAlRD4b2kRZ9kvUcGoQBCQ0HMqDGsmWdgVtF3el9hFSdB3FFfTimit6DC78seuOQVwLVk2X4YJZ7TC1es_vgpbfTCpbQGz_E6a2jrzjdfKlR4sGjtNfAcImGPSwmh2h4SjKvZSYTJqOG54f3WrIStyflMFItcE0YZvWWPki9PdXTr1SomDjOrp9qYI-ME7SG2q9zZ0deovmo8w?testcase_id=5559759848865792

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
ClusterFuzz has detected this issue as fixed in range 44592:44593.

Detailed report: https://clusterfuzz.com/testcase?key=5559759848865792

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: e28

Sanitizer: address (ASAN)

Regressed: V8: 44217:44218
Fixed: V8: 44592:44593

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96x3VihKZpQPZXkvwDMMzXPxJ1TI3EaZbdXUqb5_0puL6x4OZg73vqhwRTIItVTHEAi2VwOhrT0zbgfQv81WbeSjJx0BkSLwbM5YuNIC_IE83SkrH4Y2DB0tlisWISi4bgOKCYnzEawSpw67useYu9x_i4jLBh0Es-pKsErbjNvmjebN2sDPlhXRPDzKvwMVt-hAxNo9THWK6bUQAlRD4b2kRZ9kvUcGoQBCQ0HMqDGsmWdgVtF3el9hFSdB3FFfTimit6DC78seuOQVwLVk2X4YJZ7TC1es_vgpbfTCpbQGz_E6a2jrzjdfKlR4sGjtNfAcImGPSwmh2h4SjKvZSYTJqOG54f3WrIStyflMFItcE0YZvWWPki9PdXTr1SomDjOrp9qYI-ME7SG2q9zZ0deovmo8w?testcase_id=5559759848865792

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by machenb...@chromium.org, Mar 31 2017

// Repro:
var __v_3 = {};
function __f_2() {
  // One-element array, no initialValue: reduceRight must return the
  // element itself without ever invoking the callback.
  print([__v_3].reduceRight(function () { }));
}
__f_2();                              // first call: interpreted (Ignition)
%OptimizeFunctionOnNextCall(__f_2);
__f_2();                              // second call: TurboFan code in the ignition_turbo config

// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo-filter=~ --hydrogen-filter=~ --nocrankshaft
# Flags of x64,ignition_turbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo
#
# Difference:
- [object Object]
+ undefined
#
# Source file: none
#
### Start of configuration x64,ignition:
[object Object]
[object Object]
### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
[object Object]
undefined
### End of configuration x64,ignition_turbo
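The foozzie diff above is easier to read against the spec: ECMA-262 says that when reduceRight is called without an initialValue, the last present element becomes the accumulator and the callback is only invoked for the remaining elements, so a one-element array yields the element itself and the callback never runs. The following is an added example, not part of the bug report or of V8; it contains a reference implementation of the reduceRight algorithm (including the hole-skipping and empty-array TypeError branches, which go beyond the single case in the repro) and a small differential check of the engine's built-in against it, in the spirit of the two-configuration comparison foozzie performs. All function names are the example's own; the `%OptimizeFunctionOnNextCall` intrinsic is deliberately not used so the block runs in any engine.

```javascript
// Added example: spec-style reference reduceRight plus a differential check
// against the engine's built-in. Not code from the bug report or from V8.

// Reference Array.prototype.reduceRight following the ECMA-262 algorithm:
// walk from the highest index downward, skip holes, and when no initialValue
// is supplied take the last present element as the accumulator WITHOUT
// invoking the callback for it. `initial` is a rest parameter so that an
// explicit `undefined` initialValue is distinguishable from none at all.
function referenceReduceRight(array, callback, ...initial) {
  if (typeof callback !== 'function') {
    throw new TypeError('callback is not a function');
  }
  const len = array.length >>> 0;
  let k = len - 1;
  let accumulator;
  if (initial.length > 0) {
    accumulator = initial[0];
  } else {
    let kPresent = false;
    while (!kPresent && k >= 0) {
      kPresent = k in array;
      if (kPresent) accumulator = array[k];
      k--;
    }
    if (!kPresent) {
      throw new TypeError('Reduce of empty array with no initial value');
    }
  }
  while (k >= 0) {
    if (k in array) {
      accumulator = callback(accumulator, array[k], k, array);
    }
    k--;
  }
  return accumulator;
}

// Run one case through the built-in and the reference and report whether
// they agree. Exceptions are normalised to the constructor name so that
// "both threw TypeError" counts as agreement, like a correctness fuzzer would.
function compareReduceRight(array, callback, ...initial) {
  const run = (fn) => {
    try {
      return { ok: true, value: fn() };
    } catch (e) {
      return { ok: false, value: e.constructor.name };
    }
  };
  const builtin = run(() => array.reduceRight(callback, ...initial));
  const reference = run(() => referenceReduceRight(array, callback, ...initial));
  return {
    builtin: builtin.value,
    reference: reference.value,
    agree: builtin.ok === reference.ok && Object.is(builtin.value, reference.value),
  };
}

// The exact shape from the bug: a one-element array, no initialValue and a
// callback that returns undefined. A correct engine returns the object and
// reports zero callback invocations; the TurboFan tier in the report
// returned undefined instead.
function reproFromReport() {
  const obj = {};                       // constructed input
  let calls = 0;
  const result = compareReduceRight([obj], function () { calls++; });
  return { result, calls, isTheObject: result.builtin === obj };
}

// A few more constructed cases covering the other branches of the algorithm.
function runSuite() {
  const sum = (acc, v) => acc + v;
  return {
    plain: compareReduceRight([1, 2, 3], sum),          // 6
    hole: compareReduceRight([1, , 3], sum),            // hole skipped: 4
    withInitial: compareReduceRight([1, , 3], sum, 10), // 14
    empty: compareReduceRight([], sum),                 // TypeError on both sides
  };
}
```

To exercise an optimising tier the way the repro does, wrap the `compareReduceRight` call in a function, run it once, then in d8 with `--allow-natives-syntax` call `%OptimizeFunctionOnNextCall` on that function and run it again; any case where `agree` flips to false between the two runs is the same class of tier mismatch this report describes.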