V8 correctness failure in configs: x64,ignition:x64,slow_path
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4697989544411136

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,slow_path
  sources: 534

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50381:50382

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4697989544411136

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jan 10 2018
Nice find! The fast-path check in RegExpPrototypeFlagsGetter incorrectly does not check the prototype. Fix in-flight.
Jan 11 2018
Issue 800872 has been merged into this issue.
Jan 11 2018
Issue 801143 has been merged into this issue.
Jan 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/4e14a2a4e6cd01c6763b146d46b2310b33990a5b

commit 4e14a2a4e6cd01c6763b146d46b2310b33990a5b
Author: Jakob Gruber <jgruber@chromium.org>
Date: Fri Jan 12 14:06:09 2018

[regexp] Fix fast/slow-path dispatch in RegExp.p.get flags

Flag getters (e.g. RegExp.p.get global) are defined on the prototype and thus we need to use the more general BranchIfFastRegExp here instead of IsFastRegExpNoPrototype.

Bug: chromium:800538
Change-Id: Ib6bc8a4fd3bf2f7dd31538c8dbb61814106c184b
Reviewed-on: https://chromium-review.googlesource.com/859767
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50538}

[modify] https://crrev.com/4e14a2a4e6cd01c6763b146d46b2310b33990a5b/src/builtins/builtins-regexp-gen.cc
[add] https://crrev.com/4e14a2a4e6cd01c6763b146d46b2310b33990a5b/test/mjsunit/regress/regress-800538.js
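The dispatch problem described in the comment and the commit message above, as an added example that is neither the regression test in the V8 tree nor code from this thread: the spec algorithm for `get RegExp.prototype.flags` reads each flag with an ordinary [[Get]] on the receiver, so a getter replaced on the instance or on RegExp.prototype must change the result. The example compares the engine's own `flags` getter against a spec reference in three states, untouched regexp, own getter on the instance, and replaced prototype getter; the last is the case a receiver-only fast-path check misses, which is what the x64 vs. slow_path comparison flagged. The names `specFlags`, `withGetter` and `checkFlagsDispatch` are mine; on a V8 with the fix above all three cases agree.

```javascript
// Spec order of the characters `get RegExp.prototype.flags` emits (ES2024).
// Engines that predate hasIndices ("d") or unicodeSets ("v") return undefined
// for those properties, which the reference below treats as "flag not set".
const FLAG_PROPS = [
  ["hasIndices", "d"], ["global", "g"], ["ignoreCase", "i"], ["multiline", "m"],
  ["dotAll", "s"], ["unicode", "u"], ["unicodeSets", "v"], ["sticky", "y"],
];

// Reference implementation of the spec algorithm (hypothetical helper, not V8
// code): every flag is observed through a [[Get]] on the receiver, so getters
// defined on the instance or on RegExp.prototype are necessarily honoured.
function specFlags(rx) {
  let out = "";
  for (const [prop, ch] of FLAG_PROPS) {
    if (rx[prop]) out += ch;
  }
  return out;
}

// Run fn while `target[prop]` is replaced by a getter returning `value`, then
// restore the original property descriptor (or delete the property if the
// target had none of its own, e.g. a fresh regexp instance).
function withGetter(target, prop, value, fn) {
  const original = Object.getOwnPropertyDescriptor(target, prop);
  Object.defineProperty(target, prop, { get() { return value; }, configurable: true });
  try {
    return fn();
  } finally {
    if (original) Object.defineProperty(target, prop, original);
    else delete target[prop];
  }
}

// Compare the engine's flags getter with the spec reference in three states:
//   untouched:       plain /a/i, a fast path is legitimate here
//   ownGetter:       the receiver itself carries a `global` getter
//   prototypeGetter: the receiver is untouched, but RegExp.prototype.global
//                    was replaced; only a prototype-aware fast-path check
//                    (BranchIfFastRegExp rather than IsFastRegExpNoPrototype)
//                    sends this case down the generic path
function checkFlagsDispatch() {
  const untouched = /a/i;
  const own = /a/i;
  const results = {
    untouched: { engine: untouched.flags, spec: specFlags(untouched) },
    ownGetter: withGetter(own, "global", true,
      () => ({ engine: own.flags, spec: specFlags(own) })),
    prototypeGetter: withGetter(RegExp.prototype, "global", true,
      () => ({ engine: untouched.flags, spec: specFlags(untouched) })),
    restored: untouched.flags, // prototype getter is back, so "i" again
  };
  results.consistent = ["untouched", "ownGetter", "prototypeGetter"]
    .every((k) => results[k].engine === results[k].spec);
  return results;
}

console.log(JSON.stringify(checkFlagsDispatch(), null, 2));
```

Running it under a fixed V8 (any Node.js released after this commit) prints `"gi"` from both the engine and the reference for the `ownGetter` and `prototypeGetter` cases and `consistent: true`. A build from the regressed range would report `"i"` from the engine in the `prototypeGetter` case, because the fast path reads the internal flag bits without looking at the prototype.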
Jan 13 2018
ClusterFuzz testcase 5185427530317824 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 13 2018
ClusterFuzz has detected this issue as fixed in range 50537:50538.

Detailed report: https://clusterfuzz.com/testcase?key=4697989544411136

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,slow_path
  sources: 534

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50381:50382
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50537:50538

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4697989544411136

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by ClusterFuzz, Jan 9 2018
Owner: machenb...@chromium.org
Status: Assigned (was: Untriaged)