New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 708144 link

Starred by 2 users
Status: Duplicate
Merged: issue 705324
Owner:
mstarzinger@chromium.org
Closed: Jun 2017
Cc:
bradnelson@chromium.org
marja@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug


Participants' hotlists:
Hotlist-AsmJsParser


Sign in to add a comment

V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt

Project Member Reported by ClusterFuzz, Apr 4 2017

Comment 1 by machenb...@chromium.org, Apr 5 2017

Cc: bradnelson@chromium.org mstarzinger@chromium.org marja@chromium.org
Labels: -Pri-1 Pri-3
Status: Available (was: Untriaged)
// Looks like a fullcode vs ignition problem? I.e. from old validator. Though, this also repros with ignition_turbo_opt vs. x64,ignition_turbo_opt_eager.

A = {}
__v_0 = new Proxy(A, { get(property) {} });
function __f_4() {
  "use asm";
  function __f_5() {
    __v_0 = __v_0|0;
  }
  return { __f_5: __f_5 };
}
__f_4().__f_5();

// Output:
# Compared x64,ignition_turbo_opt with x64,ignition_turbo_opt_eager
#
# Flags of x64,ignition_turbo_opt:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo --always-opt
# Flags of x64,ignition_turbo_opt_eager:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo --always-opt --no-lazy --no-lazy-inner-functions
#
# Difference:
- ./repro.js:6: TypeError: Cannot convert object to primitive value
+ ./repro.js:7: TypeError: Cannot convert object to primitive value
#
# Source file:
none
#
### Start of configuration x64,ignition_turbo_opt:
./repro.js:6: TypeError: Cannot convert object to primitive value
  function __f_5() {
                ^



### End of configuration x64,ignition_turbo_opt
#
### Start of configuration x64,ignition_turbo_opt_eager:
./repro.js:7: TypeError: Cannot convert object to primitive value
    __v_0 = __v_0|0;
                 ^



### End of configuration x64,ignition_turbo_opt_eager

Comment 2 by machenb...@chromium.org, Apr 11 2017 

 Issue 709740  has been merged into this issue.

Comment 3 by mstarzinger@chromium.org, Apr 27 2017 

 Issue 715231  has been merged into this issue.
Project Member

Comment 4 by ClusterFuzz, May 16 2017 

ClusterFuzz has detected this issue as fixed in range 45316:45317.

Detailed report: https://clusterfuzz.com/testcase?key=5033011503693824

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: none
  
Sanitizer: address (ASAN)

Regressed: V8: 43536:43537
Fixed: V8: 45316:45317

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5033011503693824


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, May 16 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 5191473164451840 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 6 by mstarzinger@chromium.org, May 16 2017

Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
Nope, pretty sure this is still a thing.

Comment 7 by mstarzinger@chromium.org, Jun 29 2017

Cc: -mstarzinger@chromium.org
Owner: mstarzinger@chromium.org

Comment 8 by mstarzinger@chromium.org, Jun 29 2017

Mergedinto: 705324
Status: Duplicate (was: Assigned)

Comment 9 by infe...@chromium.org, Sep 18 2017

Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.

Sign in to add a comment