
Issue 774610 link

Starred by 3 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




V8 correctness failure in configs: x64,ignition:x64,ignition_eager

Project Member Reported by ClusterFuzz, Oct 13 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5285966398095360

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_eager
  sources: d15
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=44077:44078

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5285966398095360

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Oct 13 2017

Labels: Test-Predator-AutoOwner
Owner: bradley....@gmail.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/b123ee34111f643fec6f7b662912deafd1165e3e (Allow global prototype to be a Proxy).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Cc: marja@chromium.org
@marja: Is this an expected problem with eager vs. lazy?

Comment 3 by marja@chromium.org, Oct 16 2017

Hmm, no, as far as I can tell. The error (which only occurs with --no-lazy) is "__v_6 is not defined", so it's not some lazy parsing vs eager parsing stuff.



Comment 4 by marja@chromium.org, Oct 16 2017

The most minimal case I could come up with:

let weird = 0;

__v_2 = this;
(function () {
  var __v_9 = new Proxy({}, { get() {}});
  Object.setPrototypeOf(__v_2, __v_9);
})();

eval();
function __f_7() {
  __v_6;
  eval();
}
__f_7();

Project Member

Comment 5 by ClusterFuzz, Oct 19 2017

ClusterFuzz has detected this issue as fixed in range 48714:48715.

Detailed report: https://clusterfuzz.com/testcase?key=5285966398095360

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_eager
  sources: d15
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=44077:44078
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=48714:48715

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5285966398095360

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: ClusterFuzz-Wrong
Ignore comment 5.
Labels: -Test-Predator-AutoOwner Test-Predator-Auto-Owner
Labels: -v8-foozzie-failure
Removing v8-foozzie-failure label, because eager-lazy testing has been removed from correctness-fuzzer experiments.
