New issue
Advanced search Search tips

Issue 733693 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug


Participants' hotlists:
Hotlist-AsmJsParser


Sign in to add a comment

V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt (Exception source positions don't agree)

Project Member Reported by ClusterFuzz, Jun 15 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4994045553410048

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: c6e
  
Sanitizer: address (ASAN)

Regressed: V8: 45924:45925

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4994045553410048


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by jarin@chromium.org, Jun 15 2017

Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Cc: jarin@chromium.org mstarzinger@chromium.org machenb...@chromium.org
Labels: -Pri-1 Pri-3
Status: Available (was: Assigned)
Summary: V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt (Exception source positions don't agree) (was: V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt)
Cc: -mstarzinger@chromium.org bmeu...@chromium.org
Owner: mstarzinger@chromium.org
This will be fixed with the asm.js validator as it involves invalid asm.js code. Hence most likely a WontFix in the AstGraphBuilder. I'll hold this for now.
Status: Assigned (was: Available)
 Issue 736663  has been merged into this issue.
Project Member

Comment 6 by ClusterFuzz, Jun 29 2017

ClusterFuzz has detected this issue as fixed in range 46282:46284.

Detailed report: https://clusterfuzz.com/testcase?key=4994045553410048

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: c6e
  
Sanitizer: address (ASAN)

Regressed: V8: 45924:45925
Fixed: V8: 46282:46284

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4994045553410048


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Is this really fixed by comment 6? Or does that maybe fix a particular instance only?
Project Member

Comment 8 by ClusterFuzz, Jun 29 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4994045553410048 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Cc: ishell@chromium.org
Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
Please verify this manually as it looks more like an accidental fix.
Re #9: Yes, this is just an "accidental fix", my guess is due to changes of property enumeration order. Status of this issue is unchanged since comment #3, this is a WontFix in the AstGraphBuilder and will be fixed by shipping the asm.js validator.
Cc: mstarzinger@chromium.org clemensh@chromium.org
 Issue 739171  has been merged into this issue.
 Issue 740545  has been merged into this issue.
Status: Fixed (was: Assigned)
This is fixed as of 961a2c885d82502e7c90915883443435d27762d0.
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.

Sign in to add a comment