New issue
Advanced search Search tips

Issue 899538 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Nov 7
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

V8 correctness failure in configs: x64,ignition:x64,slow_path

Project Member Reported by ClusterFuzz, Oct 28

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6223593619587072

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path
  sources: 265
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=56368:56369

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6223593619587072

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Oct 28

Labels: Test-Predator-Auto-Owner
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/513a5bdd040815422ce74536f3415701af8a0ec4 ([turbofan] Fix Word32 (Signed32OrMinusZero) conversions that identify zeros.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Labels: OS-Android OS-Chrome OS-Mac OS-Windows
Status: Started (was: Assigned)
Doesn't seem to related to NumberModules (interestingly). Simplified test case:

```js
// Flags: --allow-natives-syntax

function foo(x) {
  return (x >>> 2147483648) + -6;
}

assertEquals(-6, foo(0));
assertEquals(-6, foo(0));
%OptimizeFunctionOnNextCall(foo);
assertEquals(4294967283, foo(-7));
```
Cc: bmeu...@chromium.org
 Issue 899555  has been merged into this issue.
Labels: -Pri-1 Pri-2
Owner: jarin@chromium.org
Status: Assigned (was: Started)
This requires some expertise from jarin@, seems to be flushing out some issue in how we have the SpeculativeSafeIntegerAdd, since we incorrectly eliminate the overflow check on that one (generating just a `subl rax,6` here). Let's look into this together when you're back.
 Issue 899749  has been merged into this issue.
Project Member

Comment 7 by ClusterFuzz, Nov 7

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5135891809697792 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 8 by ClusterFuzz, Nov 7

ClusterFuzz has detected this issue as fixed in range 57284:57285.

Detailed report: https://clusterfuzz.com/testcase?key=6223593619587072

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path
  sources: 265
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=56368:56369
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57284:57285

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6223593619587072

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment