New issue
Advanced search Search tips

Issue 905970 link

Starred by 2 users
Status: Verified
Owner:
mvstan...@chromium.org
Closed: Dec 11
Cc:
mstarzinger@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

V8 correctness failure in configs: x64,ignition:arm,ignition

Project Member Reported by ClusterFuzz, Nov 16 
Detailed report: https://clusterfuzz.com/testcase?key=4818706422824960

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:arm,ignition
  sources: 8ef
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=56533:56534

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4818706422824960

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Nov 16

Labels: Test-Predator-Auto-Owner
Owner: mvstan...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/696b2ceddd38afbff8776895cf9aadeea960d84f ([Builtins] Array.prototype.splice performance improvements).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2 by machenb...@chromium.org, Nov 16

Cc: mstarzinger@chromium.org
+sheriff

Comment 3 by machenb...@chromium.org, Nov 16 

Note the run of the arm sim binary also got an additional flag --stress-marking=100 passed. Not sure if that makes the difference here.

Comment 4 by mstarzinger@chromium.org, Nov 16 

None of the flags are needed. It could be the difference between 32bit and 64bit architectures, because I observe the same difference between x64 and ia32 as well. Here is a reduced repro ...

mstarzinger@hopkinson:~$ cat ~/Downloads/clusterfuzz-testcase-minimized-4818706422824960-mod.js
var a = [];
a.splice(0, 0, 0x40000000);
console.log(a.hasOwnProperty(1));
mstarzinger@hopkinson:~$ ~/Development/v8.git/out/x64.debug/d8 ~/Downloads/clusterfuzz-testcase-minimized-4818706422824960-mod.js
false
mstarzinger@hopkinson:~$ ~/Development/v8.git/out/arm.debug/d8 ~/Downloads/clusterfuzz-testcase-minimized-4818706422824960-mod.js
true
Project Member

Comment 5 by ClusterFuzz, Dec 11 

ClusterFuzz has detected this issue as fixed in range 58156:58157.

Detailed report: https://clusterfuzz.com/testcase?key=4818706422824960

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:arm,ignition
  sources: 8ef
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=56533:56534
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=58156:58157

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4818706422824960

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Dec 11

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4818706422824960 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment