New issue
Advanced search Search tips

Issue 781381 link

Starred by 1 user
Status: Duplicate
Merged: issue 781506
Owner:
bmeu...@chromium.org
Closed: Nov 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

V8 correctness failure in configs: x64,ignition:x64,ignition_turbo

Project Member Reported by ClusterFuzz, Nov 3 2017 
Detailed report: https://clusterfuzz.com/testcase?key=5332656081600512

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 945
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=49094:49095

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5332656081600512

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Nov 3 2017

Labels: Test-Predator-AutoOwner
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/b7168573ed011113746873fd92b71e8bcc9dddb1 ([turbofan] Generalized OOB support for KeyedLoadIC.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 2 by bmeu...@chromium.org, Nov 4 2017

Mergedinto: 781506
Status: Duplicate (was: Assigned)
Project Member

Comment 3 by bugdroid1@chromium.org, Nov 4 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba

commit fd150c79884f4ae522dd5c80350e90f4d8a7a2ba
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Sat Nov 04 12:06:31 2017

[turbofan] Generate the correct bounds when the array protector isn't valid.

The condition for bounds check generation was not in sync with the
condition that was used for the actual access, which lead to invalid
memory accesses when the array protector was invalid.

Tbr: tebbi@chromium.org
Bug:  chromium:781506 ,  chromium:781494 ,  chromium:781457 ,  chromium:781285 ,  chromium:781381 ,  chromium:781380 , v8:6936,  v8:7014 ,  v8:7027 
Change-Id: Ia5b2ad02940292572ed9b37abd3f9ffaa6d7a26b
Reviewed-on: https://chromium-review.googlesource.com/753590
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49124}
[modify] https://crrev.com/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba/test/mjsunit/regress/regress-crbug-781506-1.js
[add] https://crrev.com/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba/test/mjsunit/regress/regress-crbug-781506-2.js
[add] https://crrev.com/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba/test/mjsunit/regress/regress-crbug-781506-3.js
Project Member

Comment 4 by ClusterFuzz, Nov 5 2017 

ClusterFuzz has detected this issue as fixed in range 49123:49124.

Detailed report: https://clusterfuzz.com/testcase?key=5332656081600512

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 945
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=49094:49095
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=49123:49124

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5332656081600512

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by mbarbe...@chromium.org, Nov 7 2017

Labels: -Test-Predator-AutoOwner Test-Predator-Auto-Owner

Sign in to add a comment