New issue
Advanced search Search tips

Issue 917076 link

Starred by 3 users
Status: Verified
Owner:
bmeu...@chromium.org
Closed: Jan 7
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

V8 correctness failure in configs: x64,ignition:x64,slow_path

Project Member Reported by ClusterFuzz, Dec 20 
Detailed report: https://clusterfuzz.com/testcase?key=4815987024855040

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path
  sources: 8f0
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=56857:56858

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4815987024855040

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Project Member

Comment 1 by ClusterFuzz, Dec 20

Labels: Test-Predator-Auto-Owner
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/50f713c9a2053541e2915a74c37f9e2f8ce28348 ([promises] Add fast-path for native promises to Promise.all.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2 by bmeu...@chromium.org, Jan 7

Status: Started (was: Assigned)
Project Member

Comment 3 by bugdroid1@chromium.org, Jan 7 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b6bcf3210a1b91a1f8029b9f3c9e5dd8e84b5cb7

commit b6bcf3210a1b91a1f8029b9f3c9e5dd8e84b5cb7
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Mon Jan 07 08:22:56 2019

[async] The Promise.all() fast-path must check @@species protector.

We cannot take the fast-path if the user messed with the Symbol.species
property on the Promise.prototype, as that makes the internal promises
observable.

Bug:  chromium:917076 
Change-Id: I928e0bd17836ca78cf88591610526aa7bc1d293c
Reviewed-on: https://chromium-review.googlesource.com/c/1396426
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58563}
[modify] https://crrev.com/b6bcf3210a1b91a1f8029b9f3c9e5dd8e84b5cb7/src/builtins/builtins-promise-gen.cc
[add] https://crrev.com/b6bcf3210a1b91a1f8029b9f3c9e5dd8e84b5cb7/test/mjsunit/regress/regress-crbug-917076.js
Project Member

Comment 4 by ClusterFuzz, Jan 7 

ClusterFuzz has detected this issue as fixed in range 58562:58563.

Detailed report: https://clusterfuzz.com/testcase?key=4815987024855040

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path
  sources: 8f0
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=56857:56858
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=58562:58563

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4815987024855040

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Jan 7

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 4815987024855040 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment