New issue
Advanced search Search tips

Issue 792843 link

Starred by 2 users
Status: Duplicate
Merged: issue 795377
Owner:
marja@chromium.org
Closed: Jan 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

V8 correctness failure in configs: x64,ignition_turbo_opt:x64,ignition_turbo_opt_eager

Project Member Reported by ClusterFuzz, Dec 7 2017 
Detailed report: https://clusterfuzz.com/testcase?key=5715000907005952

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition_turbo_opt:x64,ignition_turbo_opt_eager
  sources: 590
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=47802:47803

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5715000907005952

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Dec 7 2017

Labels: Test-Predator-Auto-Owner
Owner: marja@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/36d703778ccd0d2777e0d4b69ed6e65e39a9f521 ([parser] Tentatively enable FLAG_preparser_scope_analysis.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 2 by marja@chromium.org, Jan 8 2018 

The repro is:

function ToInteger() {
 if((x === +0)
 || (x === Number.NEGATIVE_INFINITY)){
 }
}
var __v_13 = undefined;
var __v_15 = {};
print("v8-foozzie source: /test262/language/expressions/class/dstr-meth-static-ary-ptrn-elem-ary-empty-init.js");
__v_6 = class {
 static method([[] = function() { __v_15 += 1; return __v_13; }()]) {
 }
};
__v_6.method([]);

... isn't this a duplicate of something...? I don't remember.

Comment 3 by marja@chromium.org, Jan 8 2018

Mergedinto: 795377
Status: Duplicate (was: Assigned)

Sign in to add a comment