V8 correctness failure in configs: x64,ignition_turbo:ia32,ignition_turbo
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4867123554549760
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition_turbo:ia32,ignition_turbo
  sources: 55f
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=52309:52310
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4867123554549760

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Apr 3 2018
The test case that Clusterfuzz came up with just allocates memory and appends it to an array in a loop. There's really no other reasonable option here than running out of memory. Is there a way we can tell the fuzzer this is expected?
Apr 4 2018
Usually we crash on OOM. If one of the two correctness-fuzzing runs crashes, it's disregarded. A bunch of situations where we don't crash, but expose differences between architectures are handled with the --abort_on_stack_or_string_length_overflow flag, which is passed for correctness fuzzing. Could you maybe insert an artificial "abort" in the situation you run into (behind this flag)?
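Added illustration (not V8's or ClusterFuzz's code): a small Python model of the triage rule described in the comment above, run over a simulated version of the allocate-in-a-loop test case from the earlier comment. The per-architecture memory limits and the chunk size are constructed values, and the `abort_on_oom` switch stands in for an artificial abort placed behind the correctness-fuzzing flag.

```python
from dataclasses import dataclass


@dataclass
class RunResult:
    crashed: bool   # the process aborted (OOM crash, FATAL, ...)
    output: str     # observable result the harness compares across configs


# Constructed limits: the ia32 build runs out of address space well before x64.
X64_LIMIT = 4 * 1024 ** 3
IA32_LIMIT = 2 * 1024 ** 3
CHUNK = 64 * 1024 ** 2  # constructed allocation size per loop iteration


def run_under_config(limit_bytes: int, abort_on_oom: bool) -> RunResult:
    """Simulate the fuzzer test case: allocate buffers and append them to an
    array until the (simulated) engine can no longer satisfy the request."""
    allocations = 0
    total = 0
    while True:
        if total + CHUNK > limit_bytes:
            if abort_on_oom:
                # Artificial abort behind the fuzzer flag: both configs now
                # crash, so the run is disregarded instead of compared.
                return RunResult(crashed=True, output="")
            # Without the abort the failure surfaces to script (here modelled
            # as a RangeError), and the iteration count leaks into the output.
            return RunResult(crashed=False,
                             output=f"RangeError after {allocations} allocations")
        allocations += 1
        total += CHUNK


def triage(a: RunResult, b: RunResult) -> str:
    """Correctness-fuzzer rule: a crash in either run is not a finding;
    differing outputs from two non-crashing runs are a correctness failure."""
    if a.crashed or b.crashed:
        return "disregarded"
    return "correctness failure" if a.output != b.output else "pass"


def compare(abort_on_oom: bool) -> str:
    """Run the simulated test case on both configs and triage the pair."""
    return triage(run_under_config(X64_LIMIT, abort_on_oom),
                  run_under_config(IA32_LIMIT, abort_on_oom))


if __name__ == "__main__":
    print("without abort:", compare(abort_on_oom=False))
    print("with abort:   ", compare(abort_on_oom=True))
```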
Apr 4 2018
ClusterFuzz has detected this issue as fixed in range 52333:52334.

Detailed report: https://clusterfuzz.com/testcase?key=4867123554549760
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition_turbo:ia32,ignition_turbo
  sources: 55f
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=52309:52310
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=52333:52334
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4867123554549760

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 4 2018
ClusterFuzz testcase 4867123554549760 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 4 2018
Guess a reland will let this bubble up again and it still might require a different fix/suppression.
Apr 5 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e90a052ef3ffd3dd44c4a751d49564bb0aac7a7a

commit e90a052ef3ffd3dd44c4a751d49564bb0aac7a7a
Author: Eric Holk <eholk@chromium.org>
Date: Thu Apr 05 17:00:03 2018

[wasm] Crash on out of memory under correctness fuzzer

Bug: chromium:828293
Change-Id: I37002c308738eef1366d82a90b7b29d6e44d6c48
Reviewed-on: https://chromium-review.googlesource.com/996585
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52405}

[modify] https://crrev.com/e90a052ef3ffd3dd44c4a751d49564bb0aac7a7a/src/wasm/wasm-memory.cc
Comment 1 by ClusterFuzz, Apr 3 2018
Owner: eholk@chromium.org
Status: Assigned (was: Untriaged)