V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6506088873852928

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: 38b

Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6506088873852928

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 12 2017
Friendly ping...
Jun 13 2017
It looks like TurboFan is correct here and the correct result is 5. Maybe something wrong with the LOAD_GLOBAL_IC in Ignition?
Jun 13 2017
FYI, these two CLs are the initial work for inlining LoadGlobalIC in the bytecode handler. Maybe worth checking if they're the cause: 63096bc89d674d6c97bdecdbdfbf98871d1825e0 f46f341303ac4efad5cbcc771d10642aa2c826de
Jun 13 2017
Reduced repro:
function set_x() { x = {}; }
set_x();
set_x(); // Needs to be called twice to trigger bug.
print(x); // {}
Object.defineProperty(this, "x", { writable:false, value:5 });
print(x); // 5
set_x();
print(x); // {}, should be 5
Looks to me like the problem is that set_x is allowed to set x despite it being non-writable.
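The reduced repro above, replayed as an added example that is not part of the bug thread: it records what each step observes and returns the list, so the expected (fixed) behaviour can be checked rather than read off print output. It assumes Node, where the global object is `globalThis` (the repro's `this` in d8), and uses a constructed property name `probe_x` in place of the report's `x`. It also adds the strict-mode counterpart, which the thread does not show, since that is where an assignment to a read-only global is required to fail loudly instead of silently.

```javascript
// Added example, not code from the bug thread. Replays the reduced repro under
// Node and returns what each step observed instead of printing it.
// Assumptions: the global object is `globalThis` (the repro's `this` in d8), and
// `probe_x` is a constructed stand-in for the report's global `x`.

// Both setters are built with Function() so their strictness is fixed by the
// directive inside the body, regardless of whether this file is loaded as a
// CommonJS module (sloppy by default) or an ES module (always strict).
const setGlobalSloppy = new Function("globalThis.probe_x = {};");
const setGlobalStrict = new Function('"use strict"; globalThis.probe_x = {};');

// Replays the sequence from the reduced repro and records what each step sees.
function runRepro() {
  // Start clean; the plain assignment below recreates the property as configurable,
  // and defineProperty without `configurable` leaves that attribute untouched.
  delete globalThis.probe_x;
  const seen = [];

  setGlobalSloppy();
  setGlobalSloppy(); // called twice, as in the report, to warm the store path
  seen.push(typeof globalThis.probe_x);                 // "object"

  Object.defineProperty(globalThis, "probe_x", { writable: false, value: 5 });
  seen.push(globalThis.probe_x);                         // 5

  setGlobalSloppy();                                     // sloppy mode: silently ignored on a correct engine
  seen.push(globalThis.probe_x);                         // 5; the bug report observed {} here

  let strictResult = "no error";
  try { setGlobalStrict(); } catch (e) { strictResult = e.constructor.name; }
  seen.push(strictResult);                               // "TypeError": strict mode must reject the write
  seen.push(globalThis.probe_x);                         // still 5

  return seen;
}

console.log(runRepro());
```

On an engine with the fix, `runRepro()` returns `["object", 5, 5, "TypeError", 5]`; the third entry is the one the original report saw as `{}`, i.e. the store inline cache writing through a property that had since been reconfigured to read-only.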
Jul 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b30ea1646a487ed818093afa9cf56aa2f5c222b3

commit b30ea1646a487ed818093afa9cf56aa2f5c222b3
Author: Igor Sheludko <ishell@chromium.org>
Date: Thu Jul 20 13:39:23 2017

[ic] Properly handle reconfiguring of a global property to 'readonly'.

Bug: chromium:722783
Change-Id: Id4612f3d45fb26daca8b4ef2efb0f7bc9ac39ed3
Reviewed-on: https://chromium-review.googlesource.com/579268
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46795}

[modify] https://crrev.com/b30ea1646a487ed818093afa9cf56aa2f5c222b3/src/objects.cc
[add] https://crrev.com/b30ea1646a487ed818093afa9cf56aa2f5c222b3/test/mjsunit/regress/regress-crbug-722783.js
Jul 20 2017
Jul 21 2017
ClusterFuzz has detected this issue as fixed in range 46794:46795.

Detailed report: https://clusterfuzz.com/testcase?key=6506088873852928

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: 38b

Sanitizer: address (ASAN)

Fixed: V8: 46794:46795

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6506088873852928

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by machenb...@chromium.org, May 16 2017
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Status: Available (was: Untriaged)
// Repros also with ignition_turbo:
x = {};
x = [];
function __f_4() { x = {}; }
%OptimizeFunctionOnNextCall(__f_4);
__f_4();
__f_4();
Object.defineProperty(this, "x", { writable:false, value:5 });
__f_4();
print(x);

// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition --turbo-filter=~ --hydrogen-filter=~ --novalidate-asm --nocrankshaft
# Flags of x64,ignition_turbo: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition-staging --turbo --novalidate-asm
#
# Difference:
- [object Object]
+ 5
#
### Start of configuration x64,ignition:
[object Object]
### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
5
### End of configuration x64,ignition_turbo