V8 correctness failure in configs: x64,ignition:arm,ignition
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5537529834242048

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:arm,ignition
  sources: 470

Sanitizer: address (ASAN)

Regressed: V8: 43152:43153

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5537529834242048

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jul 17 2017
+ mstarzinger: I remember seeing something similar before. Maybe this is a duplicate?
Jul 17 2017
I think I remembered issue 727029 which might have a similar problem...
Jul 25 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c7854ed9571fcae018ae471858421e745b68f78f

commit c7854ed9571fcae018ae471858421e745b68f78f
Author: Camillo Bruni <cbruni@chromium.org>
Date: Tue Jul 25 13:26:03 2017

[builtins] Array.prototype.sort bug

Bug: chromium:743154
Change-Id: Id5b2a91a9242326b1dafccc4aeb95e18fb0fc8d8
Reviewed-on: https://chromium-review.googlesource.com/580928
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46873}

[modify] https://crrev.com/c7854ed9571fcae018ae471858421e745b68f78f/src/runtime/runtime-array.cc
[add] https://crrev.com/c7854ed9571fcae018ae471858421e745b68f78f/test/mjsunit/regress/regress-crbug-743154.js
Jul 26 2017
ClusterFuzz has detected this issue as fixed in range 46872:46873.

Detailed report: https://clusterfuzz.com/testcase?key=5537529834242048

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:arm,ignition
  sources: 470

Sanitizer: address (ASAN)

Regressed: V8: 43152:43153
Fixed: V8: 46872:46873

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5537529834242048

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 26 2017
ClusterFuzz testcase 5537529834242048 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 27 2017
Issue 727029 has been merged into this issue.
Comment 1 by machenb...@chromium.org, Jul 17 2017
Owner: cbruni@chromium.org
Status: Assigned (was: Untriaged)

PTAL cbruni

Small repro:

    Object.prototype[1] = 1.5;
    var v = { length: 12, [1073741824]: 0 };
    print(Object.keys(v));
    Array.prototype.sort.call(v);
    print(Object.keys(v));

x64:
    1073741824,length
    0,1073741824,length

arm:
    1073741824,length
    0,1,1073741824,length

The 1 shows up as soon as we use 1073741824. With just 1073741823 it doesn't.
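A worked check added here, not part of the bug report or of V8's own code: the repro above is turned into a small differential test with an explicit oracle. `specSort` (a hypothetical helper name) re-implements `Array.prototype.sort` on an array-like receiver the way the ECMAScript algorithm states it: indices 0..len-1 are read through HasProperty/Get, so the inherited `Object.prototype[1]` is seen, the values are written back as own properties 0..n-1, and every remaining index below `len` is deleted; indices at or above `len`, such as 1073741824 on a length-12 receiver, are never touched. For the repro the spec-correct own keys are therefore `0,1073741824,length`, which is the x64 output in the comment; the arm output carries an extra own key `1`, which is what `diverges` flags. The two indices in the comment sit on either side of 2^30 = 1073741824, the first integer outside the 31-bit Smi range V8 uses on 32-bit targets such as ARM, which is where the repro's threshold lies. `ownKeysAfterSort` and `diverges` are also hypothetical names chosen for this example; the prototype pollution is undone in a `finally` so the rest of the process is unaffected.

```javascript
"use strict";

// Reference model of Array.prototype.sort on an array-like receiver, written
// to the steps the ECMAScript specification gives: read indices 0..len-1 via
// HasProperty/Get (so an index inherited through the prototype chain counts),
// sort the values, write them back to 0..n-1 as own properties, then delete
// every remaining index below len. Hypothetical helper, not V8 code.
function specSort(obj, compareFn) {
  // ToLength: NaN -> 0, clamp to [0, 2^53 - 1].
  const len = Math.min(Math.max(Math.trunc(Number(obj.length)) || 0, 0),
                       Number.MAX_SAFE_INTEGER);
  const items = [];
  for (let k = 0; k < len; k++) {
    if (String(k) in obj) items.push(obj[k]); // HasProperty, then Get
  }
  // Default order compares ToString of the values; undefined sorts last.
  const defined = items.filter((x) => x !== undefined);
  const undefinedCount = items.length - defined.length;
  const cmp = compareFn || ((a, b) => {
    const sa = String(a), sb = String(b);
    return sa < sb ? -1 : sa > sb ? 1 : 0;
  });
  // Stable insertion sort so the model does not rely on the engine's sort.
  for (let i = 1; i < defined.length; i++) {
    const x = defined[i];
    let j = i - 1;
    while (j >= 0 && cmp(defined[j], x) > 0) { defined[j + 1] = defined[j]; j--; }
    defined[j + 1] = x;
  }
  let j = 0;
  for (; j < defined.length; j++) obj[j] = defined[j];
  for (let u = 0; u < undefinedCount; u++, j++) obj[j] = undefined;
  for (; j < len; j++) delete obj[j]; // indices >= len are left alone
  return obj;
}

// Differential check in the spirit of the foozzie report: run the same
// receiver through the engine's Array.prototype.sort and through specSort,
// with Object.prototype[1] installed exactly as in the repro, and return the
// own keys each produced. The prototype element is removed again afterwards.
function ownKeysAfterSort(bigIndex) {
  Object.prototype[1] = 1.5;
  try {
    const engine = { length: 12, [bigIndex]: 0 };
    const model = { length: 12, [bigIndex]: 0 };
    Array.prototype.sort.call(engine);
    specSort(model);
    return { engine: Object.keys(engine), model: Object.keys(model) };
  } finally {
    delete Object.prototype[1];
  }
}

// True when two key lists differ, i.e. when the engine disagrees with the model.
function diverges(a, b) {
  return a.length !== b.length || a.some((k, i) => k !== b[i]);
}

// Stand-alone run: the two indices from the comment, on either side of 2^30.
for (const idx of [1073741823, 1073741824]) {
  const r = ownKeysAfterSort(idx);
  console.log(idx, "engine:", r.engine.join(","), "model:", r.model.join(","),
              diverges(r.engine, r.model) ? "MISMATCH" : "ok");
}
```

Run under a fixed V8 (any current d8 or node) both indices print `ok`; under a pre-fix arm build the model would still return `0,1073741824,length` while the engine returns `0,1,1073741824,length`, and the loop would print `MISMATCH` for 1073741824 only. The point of carrying an independent oracle is that a correctness fuzzer like foozzie only compares engine configurations against each other, so a bug shared by every configuration (or present on the one used as the reference) is invisible to it; a spec model catches those as well.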