V8 correctness failure in configs: x64,ignition:x64,ignition_turbo
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5565089536278528
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 46b
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=49094:49095
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5565089536278528

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.

Nov 4 2017

Nov 4 2017
Issue 781457 has been merged into this issue.

Nov 4 2017
Issue 781285 has been merged into this issue.

Nov 4 2017
Issue 781381 has been merged into this issue.

Nov 4 2017
Issue 781380 has been merged into this issue.

Nov 4 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba

commit fd150c79884f4ae522dd5c80350e90f4d8a7a2ba
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Sat Nov 04 12:06:31 2017

[turbofan] Generate the correct bounds when the array protector isn't valid.

The condition for bounds check generation was not in sync with the condition that was used for the actual access, which led to invalid memory accesses when the array protector was invalid.

Tbr: tebbi@chromium.org
Bug: chromium:781506, chromium:781494, chromium:781457, chromium:781285, chromium:781381, chromium:781380, v8:6936, v8:7014, v8:7027
Change-Id: Ia5b2ad02940292572ed9b37abd3f9ffaa6d7a26b
Reviewed-on: https://chromium-review.googlesource.com/753590
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49124}

[modify] https://crrev.com/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba/test/mjsunit/regress/regress-crbug-781506-1.js
[add] https://crrev.com/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba/test/mjsunit/regress/regress-crbug-781506-2.js
[add] https://crrev.com/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba/test/mjsunit/regress/regress-crbug-781506-3.js

Nov 4 2017
Issue 781532 has been merged into this issue.

Nov 4 2017
Issue 781528 has been merged into this issue.

Nov 4 2017
Issue 781523 has been merged into this issue.

Nov 4 2017

Nov 4 2017
Issue 781542 has been merged into this issue.

Nov 5 2017
ClusterFuzz has detected this issue as fixed in range 49123:49124.

Detailed report: https://clusterfuzz.com/testcase?key=5565089536278528
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 46b
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=49094:49095
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=49123:49124
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5565089536278528

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 5 2017
ClusterFuzz testcase 6666268416671744 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Nov 7 2017

Jun 20 2018

Jun 26 2018

Jun 26 2018

Comment 1 by ClusterFuzz, Nov 4 2017
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)