V8 correctness failure in configs: x64,ignition:x64,slow_path_opt
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6719975574994944

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,slow_path_opt
  sources: f6e

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50381:50382

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6719975574994944

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Mar 1 2018
This was incorrectly minimized and hence incorrectly bisected. The output without minimization is:
# V8 correctness failure
# V8 correctness configs: x64,ignition:x64,slow_path_opt
# V8 correctness sources: f6e
# V8 correctness suppression:
#
# CHECK
#
# Compared x64,ignition with x64,slow_path_opt
#
# Flags of x64,ignition:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed -1932137123 --turbo-filter=~ --noopt --suppress-asm-messages
# Flags of x64,slow_path_opt:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed -1932137123 --always-opt --force-slow-path --suppress-asm-messages
#
# Difference:
- FAILURE
#
# Source file:
/v8/test/mjsunit/math-deopt.js
#
### Start of configuration x64,ignition:
js-mutation: start generated test case
v8-foozzie source: /v8/test/mjsunit/es6/classes-super.js
[,,,,,,,,,]
v8-foozzie source: /v8/test/mjsunit/newline-in-string.js
"'asdf\\\n\rasdf'"
"asdf\nasdf\rasdf\tasdf\\"
v8-foozzie source: /v8/test/mjsunit/regress/regress-crbug-621868.js
Object()
Object()
v8-foozzie source: /v8/test/mjsunit/setters-on-elements.js
Caught: ReferenceError: empty_func is not defined
Caught: ReferenceError: create_func_smi is not defined
Object()
Object()
Object()
false
2147483648
function() {}
Object()
Object()
Object()
-1
v8-foozzie source: /v8/test/mjsunit/math-deopt.js
FAILURE
FAILURE
FAILURE
FAILURE
FAILURE
FAILURE
FAILURE
FAILURE
FAILURE
FAILURE
### End of configuration x64,ignition
#
### Start of configuration x64,slow_path_opt:
js-mutation: start generated test case
v8-foozzie source: /v8/test/mjsunit/es6/classes-super.js
[,,,,,,,,,]
v8-foozzie source: /v8/test/mjsunit/newline-in-string.js
"'asdf\\\n\rasdf'"
"asdf\nasdf\rasdf\tasdf\\"
v8-foozzie source: /v8/test/mjsunit/regress/regress-crbug-621868.js
Object()
Object()
v8-foozzie source: /v8/test/mjsunit/setters-on-elements.js
Caught: ReferenceError: empty_func is not defined
Caught: ReferenceError: create_func_smi is not defined
Object()
Object()
Object()
false
2147483648
function() {}
Object()
Object()
Object()
-1
v8-foozzie source: /v8/test/mjsunit/math-deopt.js
### End of configuration x64,slow_path_opt
Mar 8 2018
Wrong test case. Fixed by: https://chromium.googlesource.com/v8/v8/+/f24b9271de9815677d499fe4ceb4e69861d8539d
Mar 15 2018
ClusterFuzz testcase 6719975574994944 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Comment 1 by ClusterFuzz, Mar 1 2018
Owner: machenb...@chromium.org
Status: Assigned (was: Untriaged)