
MSAN build of v8 in CF is producing cycles leading to spurious crashes

Open jonathanmetzman opened this issue 1 year ago • 5 comments

@mi-ac For example https://clusterfuzz.com/testcase-detail/5579629090504704

jonathanmetzman, Jan 26 '24 20:01

Filing some bugs here because monorail will be making big changes.

jonathanmetzman, Jan 26 '24 21:01

This is from https://crbug.com/v8/10577 and is a known flaw in V8's contradictory flags checker. It is not limited to MSAN but affects all V8 configs.

There's a certain amount of flags that ochang_js_fuzzer picks from random test cases and we can't prevent some incompatible ones being used. At least there's no logic for that yet. We can prevent picking the flags for trials, by adding contradictions to https://source.chromium.org/chromium/chromium/src/+/main:v8/tools/clusterfuzz/trials/clusterfuzz_trials_config.json

The cycle from the example above is already tracked in this config: --assert-types -> --no-concurrent-recompilation --stress-concurrent-inlining -> --concurrent-recompilation

Hence, that one's from ochang_js_fuzzer flag selection. We could probably change that fuzzer, but there are some other flag-choosing fuzzers, like mbarbella_js_mutation and I wouldn't wanna change all their code. I'll keep thinking.

mi-ac, Jan 29 '24 09:01

A problem of the work-around process: The test case above will stay forever, even if we create smart configs to not choose the flags --assert-types and --stress-concurrent-inlining, because in this case they were already chosen. Other incompatible flags, however, won't ever be shown, because their cases will just dedupe on the existing case due to the same stack trace.

mi-ac, Jan 29 '24 09:01
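The two comments above describe the cycle (--assert-types implies --no-concurrent-recompilation, --stress-concurrent-inlining implies --concurrent-recompilation) and the fact that dedupe on the resulting stack trace hides other incompatible pairs. The following is an added example, not code from ClusterFuzz or V8: it resolves the implication closure of a chosen flag set and reports any flag whose positive and --no- form are both implied, so a flag-choosing fuzzer could reject the set before a run is launched. The implication table is constructed from the cycle quoted in the thread, not read from V8's flag definitions.

```python
"""Detect contradictory V8-style boolean flag combinations in a chosen flag set.

Added example, not ClusterFuzz or V8 code. IMPLICATIONS is constructed from the
cycle quoted in the thread; V8's flag-definition files are the real source.
"""
from collections import deque

# Constructed: flag -> flags it implies (only the pair mentioned in the thread).
IMPLICATIONS = {
    "--assert-types": ["--no-concurrent-recompilation"],
    "--stress-concurrent-inlining": ["--concurrent-recompilation"],
}


def negate(flag):
    """Return the opposite boolean flag: --foo <-> --no-foo."""
    if flag.startswith("--no-"):
        return "--" + flag[len("--no-"):]
    return "--no-" + flag[len("--"):]


def closure(flags, implications=IMPLICATIONS):
    """Return every flag reachable from `flags` by following implications."""
    seen = set()
    queue = deque(flags)
    while queue:
        flag = queue.popleft()
        if flag in seen:
            continue
        seen.add(flag)
        queue.extend(implications.get(flag, ()))
    return seen


def find_contradictions(flags, implications=IMPLICATIONS):
    """Return sorted (flag, --no-flag) pairs where both forms are implied."""
    implied = closure(flags, implications)
    return sorted(
        (flag, negate(flag)) for flag in implied
        if not flag.startswith("--no-") and negate(flag) in implied
    )


def blame(flags, implications=IMPLICATIONS):
    """Map each contradicted flag to the chosen flags that lead to it.

    The result names the chosen flags a trials config would have to mark
    as contradicting each other.
    """
    result = {}
    for pair in find_contradictions(flags, implications):
        for target in pair:
            result[target] = sorted(
                f for f in flags if target in closure([f], implications))
    return result
```

Running the check on the chosen set before launch, rather than on the crash afterwards, also sidesteps the dedupe problem described above, since no stack trace is ever produced.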

hmm...not sure what to do here. I suppose this isn't a huge problem.

jonathanmetzman, Jan 30 '24 16:01

I'm trying this on the V8 side for one of the fuzzers: https://chromium-review.googlesource.com/c/v8/v8/+/5250109

mi-ac, Jan 30 '24 16:01