V8 correctness failure in configs: x64,ignition:x64,trusted
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6313917731831808

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,trusted
  sources: 621
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=53047:53048

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6313917731831808

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
May 9 2018
Simple repro:
// Run with: d8 --allow-natives-syntax <file> (the %-intrinsic below needs that flag)
var v = -1073741825;
function foo() { return Math.floor(-v / 125); }
foo();                              // first call runs in the interpreter (Ignition); expected 8589934
%OptimizeFunctionOnNextCall(foo);   // force TurboFan to compile foo on the next call
print(foo());                       // optimized result; the correctness failure is this differing from the interpreter's
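The report above was found by foozzie comparing an interpreter-only configuration (ignition) with the normal tiering configuration (trusted). The following is an added example, not code from the bug report or from V8, of the same differential idea in plain JavaScript: the repro function is run repeatedly so that a real engine gets the chance to tier it up, every result is compared with the first one, and the warmed-up result is also checked against an independent integer-arithmetic reference. The helper names (referenceFoo, checkStable, differentialCheck) are assumptions; repeated calls are a heuristic stand-in for %OptimizeFunctionOnNextCall, which only d8 with --allow-natives-syntax accepts.

```javascript
// Added example, not part of the bug report: a foozzie-style differential check
// of the repro function. Helper names are assumptions made for this example.

// The repro from the report, unchanged.
var v = -1073741825;
function foo() { return Math.floor(-v / 125); }

// Reference result computed with BigInt integer arithmetic, which does not go
// through the Number/floating-point path the optimizer specializes.
// floor(1073741825 / 125) = 8589934 (125 * 8589934 = 1073741750, remainder 75).
function referenceFoo() {
  const n = -BigInt(v);          // 1073741825n
  return Number(n / 125n);       // both operands positive, so truncating division is floor
}

// Call fn repeatedly and report whether every result agrees with the first one.
// In a real engine the later iterations are the ones that may run optimized code,
// so a mismatch here is exactly the kind of tier-to-tier divergence foozzie flags.
function checkStable(fn, iterations) {
  const first = fn();
  const mismatches = [];
  for (let i = 1; i < iterations; i++) {
    const r = fn();
    // Object.is distinguishes -0 from +0 and NaN from NaN, which matters for
    // floor/rounding bugs where === would hide a sign-of-zero difference.
    if (!Object.is(r, first)) mismatches.push({ iteration: i, got: r, expected: first });
  }
  return { first, stable: mismatches.length === 0, mismatches };
}

// Combine the stability run with the independent reference value.
function differentialCheck(fn, reference, iterations) {
  const run = checkStable(fn, iterations);
  const expected = reference();
  return {
    expected,
    observed: run.first,
    stable: run.stable,
    matchesReference: run.stable && Object.is(run.first, expected),
    mismatches: run.mismatches,
  };
}

// Usage: on a fixed engine this prints matchesReference: true.
const result = differentialCheck(foo, referenceFoo, 100000);
console.log(JSON.stringify(result));
```

The iteration count is deliberately large so that an engine's tiering heuristics are likely to kick in without any engine-specific flag; the regression test that shipped with the fix (test/mjsunit/compiler/regress-841117.js, listed in the commit below) uses the d8 intrinsic instead, which is deterministic but not portable.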
May 9 2018
My CL just flushed an older bug in Math.floor typing. Fix is coming soon.
May 9 2018
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/d520ebb9a85b73b2a6505e133a7cc940c7d2adbd

commit d520ebb9a85b73b2a6505e133a7cc940c7d2adbd
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Wed May 09 07:32:46 2018

[turbofan] Fix NumberFloor typing.

Bug: chromium:841117
Change-Id: I1e83dfc82f87d0b49d3cca96290ae1d738e37d20
Reviewed-on: https://chromium-review.googlesource.com/1051228
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53083}

[modify] https://crrev.com/d520ebb9a85b73b2a6505e133a7cc940c7d2adbd/src/compiler/typed-optimization.cc
[add] https://crrev.com/d520ebb9a85b73b2a6505e133a7cc940c7d2adbd/test/mjsunit/compiler/regress-841117.js
May 9 2018
May 10 2018
ClusterFuzz has detected this issue as fixed in range 53082:53083.

Detailed report: https://clusterfuzz.com/testcase?key=6313917731831808

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,trusted
  sources: 621
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=53047:53048
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=53082:53083

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6313917731831808

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 10 2018
ClusterFuzz testcase 6313917731831808 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, May 9 2018
Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)