Issue 718739 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug



V8 correctness failure in configs: x64,ignition:x64,ignition_turbo

Project Member Reported by ClusterFuzz, May 5 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4949890823356416

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 9c1
  
Sanitizer: address (ASAN)

Regressed: V8: 45011:45012

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4949890823356416


Additional requirements: Requires Gestures

Issue manually filed by: machenbach

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: clemensh@chromium.org jkummerow@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>Interpreter
// Regression range points to:
https://chromium.googlesource.com/v8/v8/+/c2f4498f4680fee60606d176aacfaf2c81b66aa0

// Repro:
var v0 = {};
// Sloppy-mode function used as the valueOf hook; prints whether its caller is censored.
var v1 = function() {
  print(v1.caller == null);  // Ignition prints true, TurboFan prints false (see output below)
}
v0.valueOf = v1;

function foo() { Number(v0); }  // explicit Number(...) call invokes v0.valueOf

foo();                             // first run: interpreted (Ignition)
%OptimizeFunctionOnNextCall(foo);  // requires --allow-natives-syntax
foo();                             // second run: optimized (TurboFan)

// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo-filter=~ --hydrogen-filter=~ --noopt
# Flags of x64,ignition_turbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo
#
# Difference:
- true
+ false
#
# Source file:
none
#
### Start of configuration x64,ignition:
true
true

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
true
false

### End of configuration x64,ignition_turbo

Status: Available (was: Untriaged)
Project Member

Comment 3 by ClusterFuzz, May 5 2017

Detailed report: https://clusterfuzz.com/testcase?key=5592498931236864

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: 9d2
  
Sanitizer: address (ASAN)

Regressed: V8: 45011:45012

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5592498931236864


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Owner: jkummerow@chromium.org
Status: Assigned (was: Available)
Jakob, can you check what to do about this diff?
Thought this might be an Ignition problem. I like the TurboFan version better - no idea if that's spec'ed.
Components: -Blink>JavaScript>Interpreter Blink>JavaScript>Compiler
Labels: -Stability-Crash
Owner: bmeu...@chromium.org
My understanding is that the Ignition version is correct.

The built-in "Number" function is a strict-mode function, and should not show up as valueOf's .caller; instead .caller should be "null". (See also regress-105.js.)

TurboFan lowers the "Number(v0)" call to a JSToNumber node, and then to a call to the ToNumber builtin, which is not marked as strict mode and hence lets the next-level caller, foo, "shine through".

Maybe we can mark the ToNumber builtin as strict? I suspect that doing so would require distinguishing within TF between explicit "Number(...)" calls and implicitly inserted ToNumber conversions.

Maybe explicit "Number(...)" calls have to be lowered to calls to the "NumberConstructor" builtin instead?
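The behaviour described above can be probed from JavaScript itself, in the spirit of the regress-105.js check mentioned. This is an added example, not code from the bug report or from V8's test suite; the functions are built with the Function constructor so they stay sloppy-mode even if the file runs as strict module code, since only sloppy functions expose .caller at all.

```javascript
// Added example: records what a sloppy-mode valueOf hook observes through
// Function.prototype.caller on three call paths. Hooks are created via the
// Function constructor so they are sloppy regardless of the enclosing file's
// strictness (strict functions throw when .caller is accessed).

function probeCaller() {
  const observed = [];
  // Sloppy hook: stores hook.caller on every invocation and yields 42.
  const hook = Function('observed',
    'return function hook() { observed.push(hook.caller); return 42; };')(observed);
  const obj = { valueOf: hook };

  // Path 1: the strict-mode built-in Number() calls valueOf. Per the report,
  // Ignition yielded null here while the TurboFan lowering let the enclosing
  // user function "shine through", so this value depends on the engine build.
  const viaNumber = Function('obj',
    'return function viaNumber() { return Number(obj); };')(obj);
  const numberResult = viaNumber();

  // Path 2: a sloppy user function calls valueOf directly; it is a legitimate caller.
  const sloppyCaller = Function('obj',
    'return function sloppyCaller() { return obj.valueOf(); };')(obj);
  sloppyCaller();

  // Path 3: a strict user function calls valueOf directly; V8 censors it to null.
  function strictCaller() { 'use strict'; return obj.valueOf(); }
  strictCaller();

  return {
    numberResult,                                      // 42: Number() consumed the hook's value
    callerViaNumber: observed[0],                      // null is the spec-intended answer
    numberExposedEnclosing: observed[0] === viaNumber, // true would reproduce the reported diff
    callerViaSloppy: observed[1] === sloppyCaller,     // true
    callerViaStrict: observed[2],                      // null
  };
}
```

Running it on a current engine shows whether the explicit Number() path still censors the caller, which is the single difference foozzie flagged between the two configurations.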
Labels: -Pri-1 Pri-3
This is known. We don't have a good answer for this yet, but we will probably mark the JSToNumber lowering with something in the translations, so that the Deoptimizer knows that there's a builtin inlined into code.
Cc: -clemensh@chromium.org
Issue 718937 has been merged into this issue.
Issue 719247 has been merged into this issue.
Issue 721308 has been merged into this issue.
Cc: mstarzinger@chromium.org
Issue 722004 has been merged into this issue.
Given the number of duplicates, any clever idea how to suppress this? (or fix?)
Project Member

Comment 14 by bugdroid1@chromium.org, May 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/762d689c8ba9305510fb6c1713f2a86007bbf7de

commit 762d689c8ba9305510fb6c1713f2a86007bbf7de
Author: Michael Achenbach <machenbach@chromium.org>
Date: Mon May 15 19:35:48 2017

[foozzie] Add suppression for .caller

NOTRY=true

Bug:  chromium:718739 
Change-Id: Ie28b3848a3809473d6c8757e7a86e3a786483ef1
Reviewed-on: https://chromium-review.googlesource.com/506090
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45317}
[modify] https://crrev.com/762d689c8ba9305510fb6c1713f2a86007bbf7de/tools/foozzie/testdata/failure_output.txt
[modify] https://crrev.com/762d689c8ba9305510fb6c1713f2a86007bbf7de/tools/foozzie/testdata/fuzz-123.js
[modify] https://crrev.com/762d689c8ba9305510fb6c1713f2a86007bbf7de/tools/foozzie/v8_suppressions.py

Project Member

Comment 16 by ClusterFuzz, May 16 2017

ClusterFuzz has detected this issue as fixed in range 45316:45317.

Detailed report: https://clusterfuzz.com/testcase?key=4949890823356416

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 9c1
  
Sanitizer: address (ASAN)

Regressed: V8: 45011:45012
Fixed: V8: 45316:45317

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4949890823356416


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 17 by ClusterFuzz, May 16 2017

ClusterFuzz has detected this issue as fixed in range 45316:45317.

Detailed report: https://clusterfuzz.com/testcase?key=5592498931236864

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: 9d2
  
Sanitizer: address (ASAN)

Regressed: V8: 45011:45012
Fixed: V8: 45316:45317

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5592498931236864


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 18 by bugdroid1@chromium.org, May 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2178590afdeb50510d1f44018f696a9afc5a5f84

commit 2178590afdeb50510d1f44018f696a9afc5a5f84
Author: Michael Achenbach <machenbach@chromium.org>
Date: Tue May 16 07:39:24 2017

[foozzie] Fix detection of suppression delimiter

NOTRY=true
TBR=jkummerow@chromium.org,bmeurer@chromium.org

Bug:  chromium:718739 
Change-Id: I9b80a3098bf2c8d3a294e1908f058cabe1ed758c
Reviewed-on: https://chromium-review.googlesource.com/506092
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45322}
[modify] https://crrev.com/2178590afdeb50510d1f44018f696a9afc5a5f84/tools/foozzie/v8_suppressions.py

Project Member

Comment 19 by ClusterFuzz, May 16 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4949890823356416 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
This is suppressed now, not fixed.
Issue 722682 has been merged into this issue.
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Project Member

Comment 23 by ClusterFuzz, Oct 1 2017

Components: Blink>JavaScript
Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Issue 776316 has been merged into this issue.
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
Owner: neis@chromium.org
neis@ recently disabled the TurboFan optimization, so this should be fixed. Assigning to neis@ to verify what I said.

Comment 27 by neis@chromium.org, Dec 11 2017

Status: Fixed (was: Assigned)
Yes, I removed it in https://chromium-review.googlesource.com/796070.

machenbach: please remove suppression if appropriate

Comment 28 by neis@chromium.org, Dec 11 2017

Cc: machenb...@chromium.org
Project Member

Comment 29 by bugdroid1@chromium.org, Dec 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a30dbf67dc8a1aa300cdedf79b37441004e9d00e

commit a30dbf67dc8a1aa300cdedf79b37441004e9d00e
Author: Michael Achenbach <machenbach@chromium.org>
Date: Tue Dec 12 09:41:22 2017

[foozzie] Remove suppression for .caller

NOTRY=true

Bug:  chromium:718739 
Change-Id: Iccc658504dac065e986e1f9af2af5f7d2da581bc
Reviewed-on: https://chromium-review.googlesource.com/822092
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50021}
[modify] https://crrev.com/a30dbf67dc8a1aa300cdedf79b37441004e9d00e/tools/foozzie/v8_suppressions.py
