New issue
Advanced search Search tips

Issue 830143 link

Starred by 2 users
Status: Duplicate
Merged: issue 823069
Owner:
machenb...@chromium.org
Closed: Apr 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

V8 correctness failure in configs: x64,ignition:x64,slow_path_opt

Project Member Reported by ClusterFuzz, Apr 7 2018 
Detailed report: https://clusterfuzz.com/testcase?key=4714606447296512

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path_opt
  sources: dee
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50381:50382

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4714606447296512

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Apr 7 2018

Labels: Test-Predator-Auto-Owner
Owner: machenb...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/0ac7a48ae8c6dbfd1dd4c9e6d5cd4b1a8bd72fe1 ([foozzie] Add slow-path correctness fuzzing variants).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2 by machenb...@chromium.org, Apr 9 2018 

// Repro. Requires "v8_enable_test_features = true" gn arg to enable the slow-path option in release build.

function __f_0() {
  return __v_3.pop();
}
__v_3 = new Array();
Object.defineProperty(__v_3, "length", {value: 3, writable: false});
__f_0();

// Output:
# Compared x64,ignition with x64,slow_path_opt
#
# Flags of x64,ignition:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-num-compilation-tasks=0 --random-seed -1655104323 --turbo-filter=~ --noopt --suppress-asm-messages
# Flags of x64,slow_path_opt:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-num-compilation-tasks=0 --random-seed -1655104323 --always-opt --force-slow-path --suppress-asm-messages
#
# Difference:
+ repro.js:2: TypeError: Cannot assign to read only property 'length' of object '[object Array]'
#
### Start of configuration x64,ignition:

### End of configuration x64,ignition
#
### Start of configuration x64,slow_path_opt:
repro.js:2: TypeError: Cannot assign to read only property 'length' of object '[object Array]'
  return __v_3.pop();
               ^



### End of configuration x64,slow_path_opt

Comment 3 by machenb...@chromium.org, Apr 9 2018

Mergedinto: 823069
Status: Duplicate (was: Assigned)
Project Member

Comment 4 by ClusterFuzz, Apr 11 2018 

ClusterFuzz has detected this issue as fixed in range 52507:52508.

Detailed report: https://clusterfuzz.com/testcase?key=4714606447296512

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path_opt
  sources: dee
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50381:50382
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=52507:52508

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4714606447296512

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment