ho->GetHeap()->Contains(ho) in src/objects-debug.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5361874522079232
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: ho->GetHeap()->Contains(ho) in src/objects-debug.cc
Regressed: V8: r34557:34558

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95fqALOXin2wL6N-60c2RV4tAb8uf_ic3PW58n-7GR6yaS7ccWvyGseOKm5E-6KAKzz1hDIg-qofn6TR2sDN873MogBxdD76IDcsbm6zcHvaNOUGgvp54OxGUIyk1DcWkW1YTIrxcIV0Nhm7IRRocUYrCLneA

var __v_7 = undefined;
__v_3 = [1,2,3];
__v_3[0xfffffffe] = 10;
function __f_3() {
  for (var __v_6 in __v_3) { }
}
for (var __v_4 = 0; __v_4 < 10000; __v_4++) {
  __v_3[__v_4] = (__v_4 * 999) % 77;
}
__f_3();

Filer: hablich
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 16 2016
// Cleaner repro
// Flags: --verify-heap --gc-interval=500 --allow-natives-syntax
array = [];
// Does not yet trigger with 8192!
for (var i = 0; i < 8193; i++) {
array[i] = 1;
}
// Int-index in precise double range.
array[0xfffffffe] = 1;
// runtime-forin.cc:34 is a valid fixed-array with keys
for (var k in array) { }
Mar 16 2016
mlippautz@ did an awesome job hunting down the issue: we should not sort the intermediate keys-array containing HeapNumber elements with std::sort in elements.cc
Mar 18 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/cda9a79931c34cec28f8ac1506c98edcee683908

commit cda9a79931c34cec28f8ac1506c98edcee683908
Author: cbruni <cbruni@chromium.org>
Date: Fri Mar 18 12:42:53 2016

[elements] Fix sorting dictionary element keys

Using std::sort on a FixedArray with HeapNumbers is not very GC friendly. Adding a separate step to properly record possible HeapNumbers.

BUG=chromium:594954
LOG=N

Review URL: https://codereview.chromium.org/1807173002

Cr-Commit-Position: refs/heads/master@{#34888}

[modify] https://crrev.com/cda9a79931c34cec28f8ac1506c98edcee683908/src/elements.cc
Mar 19 2016
ClusterFuzz has detected this issue as fixed in range 34887:34888.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5361874522079232
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: ho->GetHeap()->Contains(ho) in src/objects-debug.cc
Regressed: V8: r34557:34558
Fixed: V8: r34887:34888

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95fqALOXin2wL6N-60c2RV4tAb8uf_ic3PW58n-7GR6yaS7ccWvyGseOKm5E-6KAKzz1hDIg-qofn6TR2sDN873MogBxdD76IDcsbm6zcHvaNOUGgvp54OxGUIyk1DcWkW1YTIrxcIV0Nhm7IRRocUYrCLneA

var __v_7 = undefined;
__v_3 = [1,2,3];
__v_3[0xfffffffe] = 10;
function __f_3() {
  for (var __v_6 in __v_3) { }
}
for (var __v_4 = 0; __v_4 < 10000; __v_4++) {
  __v_3[__v_4] = (__v_4 * 999) % 77;
}
__f_3();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 20 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by habl...@google.com, Mar 15 2016
Status: Assigned (was: Available)