V8 correctness failure in configs: x64,ignition:ia32,ignition |
|||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5435814321586176 Fuzzer: foozzie_js_mutation Job Type: v8_foozzie Platform Id: linux Crash Type: V8 correctness failure Crash Address: Crash State: configs: x64,ignition:ia32,ignition sources: 97e Sanitizer: address (ASAN) Regressed: V8: 45377:45378 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5435814321586176 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Aug 7 2017
I'll take a look.
,
Aug 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/81778aaf72d0daded8470afdd14203a70707117b commit 81778aaf72d0daded8470afdd14203a70707117b Author: Tobias Tebbi <tebbi@chromium.org> Date: Mon Aug 07 17:41:06 2017 [builtins] Fix ArrayShift for double elements kind if head is the hole. The code accidentally jumped over the actual left-shift part when the head of the array was the hole. Bug: chromium:752722 Change-Id: I300a3ebcfafb07d6ecebc01fa57c66eb26f349ac Reviewed-on: https://chromium-review.googlesource.com/603717 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#47204} [modify] https://crrev.com/81778aaf72d0daded8470afdd14203a70707117b/src/builtins/builtins-array-gen.cc
,
Aug 8 2017
The bug is that Array.shift does not move the elements of an array with doubles if the head is the hole. This might lead to Javascript bugs like endless loops when trying to shift through an array with holes.
,
Aug 8 2017
hablich@ for M61 merge review. Please note M61 is already in Beta and bar is VERY high to take the merge in as per new merge process.
,
Aug 8 2017
ClusterFuzz has detected this issue as fixed in range 47203:47204. Detailed report: https://clusterfuzz.com/testcase?key=5435814321586176 Fuzzer: foozzie_js_mutation Job Type: v8_foozzie Platform Id: linux Crash Type: V8 correctness failure Crash Address: Crash State: configs: x64,ignition:ia32,ignition sources: 97e Sanitizer: address (ASAN) Regressed: V8: 45377:45378 Fixed: V8: 47203:47204 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5435814321586176 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e08d1ebe3cecac38717327d2ea8c32dafdc81e83 commit e08d1ebe3cecac38717327d2ea8c32dafdc81e83 Author: Tobias Tebbi <tebbi@chromium.org> Date: Tue Aug 08 08:16:42 2017 [builtins] add test for Array.shift on holey double array Adding the missing test for https://chromium-review.googlesource.com/c/603717. Bug: chromium:752722 Change-Id: I8a4ca161b691532e481ebe9f7d05c306beb4c90a Reviewed-on: https://chromium-review.googlesource.com/604792 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#47212} [modify] https://crrev.com/e08d1ebe3cecac38717327d2ea8c32dafdc81e83/test/mjsunit/array-shift5.js
,
Aug 8 2017
ClusterFuzz testcase 5435814321586176 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Aug 8 2017
This is definitely something we should merge back as it can be the source of random JavaScript behaviour. Normally we get feedback on bugs like this only via the Stable channel, I am glad this was caught earlier!
,
Aug 8 2017
Is this also on Chrome 60?
,
Aug 9 2017
Yes, it also affects M60, unfortunately.
,
Aug 9 2017
,
Aug 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/abb88a751ad1f0dd7d58d33e3141c18dbb42dd11 commit abb88a751ad1f0dd7d58d33e3141c18dbb42dd11 Author: Tobias Tebbi <tebbi@chromium.org> Date: Wed Aug 09 12:32:25 2017 Merged: [builtins] Fix ArrayShift for double elements kind if head is the hole. Revision: 81778aaf72d0daded8470afdd14203a70707117b BUG= chromium:752722 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=bmeurer@chromium.org Change-Id: I42479055f7ca34504b27723075c27787f2b7dcc1 Reviewed-on: https://chromium-review.googlesource.com/608130 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/branch-heads/6.1@{#41} Cr-Branched-From: 1bf2e10ddb194d4c2871a87a4732613419de892d-refs/heads/6.1.534@{#1} Cr-Branched-From: e825c4318eb2065ffdf9044aa6a5278635c36427-refs/heads/master@{#46746} [modify] https://crrev.com/abb88a751ad1f0dd7d58d33e3141c18dbb42dd11/src/builtins/builtins-array-gen.cc
,
Aug 9 2017
,
Aug 11 2017
Please also merge to 6.0
,
Aug 15 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 16 2017
Issue 753927 has been merged into this issue.
,
Aug 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/8554d91dca459ba71c64986538d133a8c8ce3db0 commit 8554d91dca459ba71c64986538d133a8c8ce3db0 Author: Tobias Tebbi <tebbi@chromium.org> Date: Wed Aug 16 13:03:07 2017 Merged: [builtins] Fix ArrayShift for double elements kind if head is the hole. It didn't apply cleanly because of the ElementsKind renaming. Revision: 81778aaf72d0daded8470afdd14203a70707117b BUG= chromium:752722 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=bmeurer@chromium.org Change-Id: I23fb93f805b07c54432b30bbc2c305215474ec20 Reviewed-on: https://chromium-review.googlesource.com/616726 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/branch-heads/6.0@{#110} Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1} Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439} [modify] https://crrev.com/8554d91dca459ba71c64986538d133a8c8ce3db0/src/builtins/builtins-array-gen.cc
,
Aug 18 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 21 2017
,
Oct 10 2017
|
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by machenb...@chromium.org
, Aug 7 2017Owner: tebbi@chromium.org
Status: Assigned (was: Untriaged)