V8 correctness failure in configs: x64,ignition:x64,ignition_turbo
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4541730828582912
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 24e
Sanitizer: address (ASAN)
Regressed: V8: 44787:44788
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4541730828582912
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 10 2017
Yep, as discussed offline with machenbach@, the flag is gone. There already is a CL in flight that adapts the foozzie configuration ... https://chromium-review.googlesource.com/c/565398/
Jul 10 2017
We ignore wrong flags anyways. The issue here is something else. Reduced repro:
// Reduced repro; run with d8 --allow-natives-syntax so %OptimizeFunctionOnNextCall is accepted.
function __f_0() { return Reflect.getPrototypeOf(""); }  // "" is not an object: must throw TypeError
try {
  __f_0();  // interpreted (Ignition) call: throws, caught here
} catch(e) {}
%OptimizeFunctionOnNextCall(__f_0);
__f_0();    // optimized (TurboFan) call: the buggy lowering coerced "" to an object instead of throwing
Jul 10 2017
OK, thanks! Will take a look. Wrong analysis, right owner nonetheless. :)
Jul 10 2017
Jul 10 2017
Fix is in flight: https://chromium-review.googlesource.com/c/565295/
Jul 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/933a874e1d7e67e7c9502adacd216f52b2839276

commit 933a874e1d7e67e7c9502adacd216f52b2839276
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue Jul 11 12:45:12 2017

[turbofan] Fix Reflect.getPrototypeOf on primitives.

This fixes the lowering of Reflect.getPrototypeOf and friends to not perform a [[ToObject]] coercion, but bailout instead. We ensure to exclude primitive values from the lowering. This makes the lowering uniform between "Reflect.getPrototypeOf" and "Object.getPrototypeOf".

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-740116
BUG= chromium:740116

Change-Id: If986ee2a3ae4e8f1fd227bdeb4668f523b0dea84
Reviewed-on: https://chromium-review.googlesource.com/565295
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46556}

[modify] https://crrev.com/933a874e1d7e67e7c9502adacd216f52b2839276/src/compiler/js-call-reducer.cc
[add] https://crrev.com/933a874e1d7e67e7c9502adacd216f52b2839276/test/mjsunit/regress/regress-crbug-740116.js
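The contract the commit above restores, as an added example that is not code from the thread or from V8: Reflect.getPrototypeOf must throw TypeError on a primitive while Object.getPrototypeOf coerces via [[ToObject]], and an optimizing tier must not change either answer. It uses no V8 natives syntax; instead it calls each function in a hot loop on whatever engine runs it and compares every result with the first cold call. The helper names are my own.

```javascript
// Added example (not from the bug thread or V8). Checks the spec contract the
// fix restores: Reflect.getPrototypeOf rejects primitives with TypeError,
// Object.getPrototypeOf applies [[ToObject]] first, and neither answer may
// drift once the engine optimizes the call site. The buggy TurboFan lowering
// coerced in both cases, so optimized code disagreed with the interpreter,
// which is what foozzie reports as a correctness failure.

// Run fn(value) and normalise the outcome: the returned value itself, or the
// name of the exception that was thrown.
function outcome(fn, value) {
  try {
    return fn(value);
  } catch (e) {
    return e.name;
  }
}

// Call fn(value) many times so a tiering JIT is likely to optimize the call,
// and report whether every call agreed with the very first (cold) one.
function isConsistentAcrossTiers(fn, value, iterations = 50000) {
  const first = outcome(fn, value);
  for (let i = 0; i < iterations; i++) {
    if (!Object.is(outcome(fn, value), first)) return false;
  }
  return true;
}

// Check the contract for one primitive: Reflect must throw TypeError, Object
// must return the prototype of the boxed value, and both must stay stable.
function checkPrimitiveContract(value) {
  const reflect = outcome(Reflect.getPrototypeOf, value);
  const object = outcome(Object.getPrototypeOf, value);
  return {
    reflectThrowsTypeError: reflect === "TypeError",
    objectCoerces: object === Object.getPrototypeOf(Object(value)),
    reflectStable: isConsistentAcrossTiers(Reflect.getPrototypeOf, value),
    objectStable: isConsistentAcrossTiers(Object.getPrototypeOf, value),
  };
}

// Constructed sample inputs covering the primitive kinds the fix excludes
// from the lowering (null and undefined throw for both functions by spec).
const SAMPLES = ["", 42, true, Symbol("s")];

for (const v of SAMPLES) {
  console.log(typeof v, checkPrimitiveContract(v));
}
```

On a correct engine every field printed for every sample is true; a false in reflectStable or objectStable would indicate an interpreter/optimizer disagreement of the kind this bug was.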
Jul 11 2017
Jul 12 2017
ClusterFuzz has detected this issue as fixed in range 46555:46556.
Detailed report: https://clusterfuzz.com/testcase?key=4541730828582912
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 24e
Sanitizer: address (ASAN)
Regressed: V8: 44787:44788
Fixed: V8: 46555:46556
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4541730828582912
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by hablich@chromium.org, Jul 10 2017