V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6020347917500416

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: b4a

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=47298:47299

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6020347917500416

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Mar 12 2018
PTAL

Mar 12 2018

Mar 12 2018
Better repro:
// d8 script: gc() needs --expose-gc, print() is d8's.
// eval("hello") should throw a ReferenceError (nothing declares hello), which
// foo() catches before returning. boom is deliberately left undefined, so if
// eval does not throw, the boom() call throws instead and bar() propagates it.
function foo() {
  try {
    eval("hello");
  } catch (e) {
    return;
  }
  boom();
}
function bar() {
  gc();
  foo();
  foo();
}
// Put a Proxy on the global object's prototype chain; lookups of undeclared
// identifiers now pass through it.
this.__proto__ = new Proxy({}, {});
// Five identical rounds: 'not thrown' is printed only when bar() returns normally.
try {
  bar();
  print('not thrown');
} catch (e) {
}
try {
  bar();
  print('not thrown');
} catch (e) {
}
try {
  bar();
  print('not thrown');
} catch (e) {
}
try {
  bar();
  print('not thrown');
} catch (e) {
}
try {
  bar();
  print('not thrown');
} catch (e) {
}
// output:
# Compared x64,ignition with x64,ignition_turbo_opt
#
# Flags of x64,ignition:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 704438003 --turbo-filter=~ --noopt --suppress-asm-messages
# Flags of x64,ignition_turbo_opt:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 704438003 --always-opt --suppress-asm-messages --stress-compaction-random
#
# Difference:
+ not thrown
#
# Source file:
none
#
### Start of configuration x64,ignition:
not thrown
### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo_opt:
not thrown
not thrown
### End of configuration x64,ignition_turbo_opt

Mar 15 2018

Mar 15 2018

Mar 15 2018
Igor, can you have a look please? This issue is the context of my recent email, which also includes an example that demonstrates incorrect behavior independent of Turbofan. The strange behavior was introduced with Maya's CL (see above) but I couldn't pinpoint it.

Mar 15 2018
For the record:
FIRST EXAMPLE:
$ cat proxy.js
function bar() { eval("bla"); }
this.__proto__ = new Proxy({}, {});
try { gc(); bar(); print('not thrown'); } catch (e) { print('thrown') }
try { gc(); bar(); print('not thrown'); } catch (e) { print('thrown') }
try { gc(); bar(); print('not thrown'); } catch (e) { print('thrown') }
try { gc(); bar(); print('not thrown'); } catch (e) { print('thrown') }
try { gc(); bar(); print('not thrown'); } catch (e) { print('thrown') }
$ d8 --expose-gc proxy.js
thrown
thrown
thrown
thrown
thrown
SECOND EXAMPLE:
$ cat proxy2.js
// like proxy.js but without gc()
function bar() { eval("bla"); }
this.__proto__ = new Proxy({}, {});
try { bar(); print('not thrown'); } catch (e) { print('thrown') }
try { bar(); print('not thrown'); } catch (e) { print('thrown') }
try { bar(); print('not thrown'); } catch (e) { print('thrown') }
try { bar(); print('not thrown'); } catch (e) { print('thrown') }
try { bar(); print('not thrown'); } catch (e) { print('thrown') }
$ d8 proxy2.js
thrown
thrown
not thrown
not thrown
not thrown
THIRD EXAMPLE:
$ cat proxy3.js
function foo() { try { eval("bla"); } catch(e) { return }; throw 666 }
function bar() { gc(); foo(); foo(); }
this.__proto__ = new Proxy({}, {});
try { bar(); print('not thrown'); } catch (e) { print('thrown') }
try { bar(); print('not thrown'); } catch (e) { print('thrown') }
try { bar(); print('not thrown'); } catch (e) { print('thrown') }
try { bar(); print('not thrown'); } catch (e) { print('thrown') }
try { bar(); print('not thrown'); } catch (e) { print('thrown') }
$ d8 --expose-gc --noopt proxy3.js
not thrown
thrown
thrown
thrown
thrown
$ d8 --expose-gc --always-opt proxy3.js
not thrown
thrown
thrown
thrown
not thrown
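Added example, not from the bug thread or from V8: the three scripts above and the "Better repro" earlier in the thread probe the same lookup but depend on d8's gc() and print(), so this is the same check as a self-contained Node script that returns counts instead of printing. runWithGlobalProxy, bar, undeclaredAlwaysThrows and proxyResolvesIdentifier are names chosen here; the second case, where the handler answers for `bla` with the value 42, is constructed to show that the proxy really sits on the resolution path and is not in the report.

```javascript
'use strict';

// Install `handler` (as the handler of a Proxy whose target is {}) as the
// global object's prototype, exactly as the report's
// `this.__proto__ = new Proxy({}, {})` does, run `probe` `iterations` times,
// and restore the original prototype afterwards even if something throws.
// Instead of print()ing, it returns counts and values so they can be checked.
function runWithGlobalProxy(handler, iterations, probe) {
  const trapsSeen = new Set();
  // The handler is wrapped in a second Proxy whose only job is to record which
  // trap names the engine looks up ("has", "get", ...) before delegating to
  // `handler`. Which traps are consulted is engine-specific, so it is reported,
  // not asserted.
  const recordingHandler = new Proxy(handler, {
    get(target, trapName, receiver) {
      trapsSeen.add(String(trapName));
      return Reflect.get(target, trapName, receiver);
    },
  });
  const originalProto = Object.getPrototypeOf(globalThis);
  const result = { thrown: 0, notThrown: 0, values: [], trapsSeen };
  Object.setPrototypeOf(globalThis, new Proxy({}, recordingHandler));
  try {
    for (let i = 0; i < iterations; i++) {
      try {
        result.values.push(probe());
        result.notThrown += 1;
      } catch (e) {
        // Only a ReferenceError counts as "thrown"; anything else is a bug in
        // the harness and must surface.
        if (!(e instanceof ReferenceError)) throw e;
        result.thrown += 1;
      }
    }
  } finally {
    Object.setPrototypeOf(globalThis, originalProto);
  }
  return result;
}

// The report's bar(): a direct eval of an identifier that nothing declares.
function bar() {
  return eval('bla');
}

// Case 1 (the report's proxy2.js, minus gc()/print()): with an empty handler
// the lookup falls through to the {} target, finds nothing, and must throw a
// ReferenceError on every call. Returns true when all `iterations` calls threw.
function undeclaredAlwaysThrows(iterations) {
  const r = runWithGlobalProxy({}, iterations, bar);
  return r.thrown === iterations && r.notThrown === 0;
}

// Case 2 (constructed, not from the report): a handler that answers for `bla`.
// If the global lookup really goes through the proxy, eval('bla') now
// evaluates to the trap's value instead of throwing. Returns true when every
// call resolved to 42.
function proxyResolvesIdentifier(iterations) {
  const handler = {
    has: (target, key) => key === 'bla' || Reflect.has(target, key),
    get: (target, key, receiver) =>
      key === 'bla' ? 42 : Reflect.get(target, key, receiver),
  };
  const r = runWithGlobalProxy(handler, iterations, bar);
  return r.notThrown === iterations && r.values.every((v) => v === 42);
}

// Stand-alone run: one verdict line per case (node this-file.js).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('undeclared identifier throws every time:', undeclaredAlwaysThrows(5));
  console.log('proxy can resolve the identifier:', proxyResolvesIdentifier(3));
}
```

In an engine with the behaviour from this thread, undeclaredAlwaysThrows(5) returns false because later calls of bar() return instead of throwing, which is exactly the extra "not thrown" lines in the transcripts above; in an engine that implements the lookup correctly both checks return true. The trapsSeen set tells you which traps the engine consulted for the global lookup; that list, and its order, is engine-specific and the harness does not assert on it.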

Mar 15 2018
Ouch! Interesting! I'll take a look.

Jul 6
ClusterFuzz has detected this issue as fixed in range 54236:54237.

Detailed report: https://clusterfuzz.com/testcase?key=6020347917500416

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: b4a

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=47298:47299
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=54236:54237

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6020347917500416

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jul 6
ClusterFuzz testcase 6020347917500416 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Mar 11 2018
Labels: Test-Predator-Auto-CC