New issue
Advanced search Search tips

Issue 903043 link

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: Nov 9
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

V8 correctness failure in configs: x64,ignition:x64,ignition_turbo

Project Member Reported by ClusterFuzz, Nov 8

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6059329424457728

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 927
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=51538:51539

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6059329424457728

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 8

Labels: Test-Predator-Auto-Owner
Owner: machenb...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/03f203bdf35aff0da84f702b27a6ebb702e29cc8 ([foozzie] Fix Date proxy mocking).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: ishell@chromium.org jarin@chromium.org sigurds@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Owner: ----
Status: Available (was: Assigned)
// Reduced repro:
function __f_3(x) {
  return 1e-1 * x;
}
function __f_2() {
  return Object.is(-0, __f_3(-1e-308));
}
__f_2();
%OptimizeFunctionOnNextCall(__f_2);
print(__f_2());


# Compared x64,ignition with x64,ignition_turbo
#
# Difference:
- false
+ true

Looks like this is something for compiler folks.

Clusterfuzz bisect is still pending the automatic minimization.
Owner: bmeu...@chromium.org
Status: Assigned (was: Available)
The division to check for minus zero in TurboFan is wrong for these edge cases.
Project Member

Comment 4 by bugdroid1@chromium.org, Nov 9

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/56f6a763c27d77afbee997a50baa34996e97ba40

commit 56f6a763c27d77afbee997a50baa34996e97ba40
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Fri Nov 09 12:04:30 2018

[turbofan] Fix -0 check for subnormals.

Previously we'd check `x` for -0 by testing `(1.0 / x) == -Infinity`,
but this will yield the wrong results when `x` is a subnormal, i.e.
really close to 0.

In CSA we already perform bit checks to test for -0, so teach TurboFan
to do the same for comparisons to -0 (via `Object.is`). We introduce a
new NumberIsMinusZero simplified operator to handle the case where
SimplifiedLowering already knows that the input is a number.

Bug:  chromium:903043 ,  v8:6882 
Change-Id: I0cb7c568029b461a92fc183104d5f359b4bfe7f4
Reviewed-on: https://chromium-review.googlesource.com/c/1328802
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57382}
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/effect-control-linearizer.h
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/opcodes.h
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/simplified-operator.cc
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/simplified-operator.h
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/typer.cc
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/verifier.cc
[add] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/test/mjsunit/regress/regress-crbug-903043.js

Status: Fixed (was: Assigned)
Project Member

Comment 6 by ClusterFuzz, Nov 10

ClusterFuzz has detected this issue as fixed in range 57381:57382.

Detailed report: https://clusterfuzz.com/testcase?key=6059329424457728

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 927
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=51538:51539
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57381:57382

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6059329424457728

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Nov 10

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6059329424457728 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment