Issue 599067: RUNTIME_ASSERT in args[0]->IsJSObject() in src/runtime/runtime-internal.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6658500058415104
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State: args[0]->IsJSObject() in src/runtime/runtime-internal.cc

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9667EmnQRh-fQH5_3gxMEj2RpJcr1qEPmyw4FGT_BnlVmKLKFUyef2nagPE1rqqcw_CPx06JZpu9Vqu8oYK8CdSHxveEp9bYNmV80MMC04wBOC62WU6UCj_iobngc7jOPRFo_GdASyUUQBHv80ab2WYgiXEvg

    try {
      __v_2 = {};
      __v_3 = new Proxy({}, __v_2);
    } catch(e) {; }
    function __f_4() { }
    function __f_34() { }
    __v_7 = { valueOf: function() { FAIL; }, toString: function() { FAIL; } };
    Error.captureStackTrace(__v_3);

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, Mar 30 2016
Bulk edit to remove recently filed RUNTIME_ASSERT bugs from the security triage queue.
Mar 31 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6658500058415104
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State: args[0]->IsJSObject() in src/runtime/runtime-internal.cc

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9667EmnQRh-fQH5_3gxMEj2RpJcr1qEPmyw4FGT_BnlVmKLKFUyef2nagPE1rqqcw_CPx06JZpu9Vqu8oYK8CdSHxveEp9bYNmV80MMC04wBOC62WU6UCj_iobngc7jOPRFo_GdASyUUQBHv80ab2WYgiXEvg

    try {
      __v_2 = {};
      __v_3 = new Proxy({}, __v_2);
    } catch(e) {; }
    function __f_4() { }
    function __f_34() { }
    __v_7 = { valueOf: function() { FAIL; }, toString: function() { FAIL; } };
    Error.captureStackTrace(__v_3);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 1 2016
Apr 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/c7ff5766cf9eb1b819029783fd7543c665f2a700

commit c7ff5766cf9eb1b819029783fd7543c665f2a700
Author: ishell <ishell@chromium.org>
Date: Mon Apr 04 08:35:12 2016

    Display a meaningful error message when trying to capture a stack trace to a proxy.

    ... instead of RUNTIME_ASSERT pointing to V8 guts.

    BUG=chromium:599067
    LOG=N

    Review URL: https://codereview.chromium.org/1844223004

    Cr-Commit-Position: refs/heads/master@{#35227}

[modify] https://crrev.com/c7ff5766cf9eb1b819029783fd7543c665f2a700/src/isolate.cc
[modify] https://crrev.com/c7ff5766cf9eb1b819029783fd7543c665f2a700/src/isolate.h
[modify] https://crrev.com/c7ff5766cf9eb1b819029783fd7543c665f2a700/src/runtime/runtime-internal.cc
[add] https://crrev.com/c7ff5766cf9eb1b819029783fd7543c665f2a700/test/mjsunit/regress/regress-crbug-599067.js
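The commit above replaces an engine-internal RUNTIME_ASSERT with an error the caller can catch. The JavaScript probe below is an added example, not code from this issue or from the V8 commit it references. It replays the argument shapes the minimized testcase combined (a Proxy as the target, and an object whose valueOf/toString throw if the engine tries to coerce it) together with a couple of other non-object values, and records what Error.captureStackTrace does with each. It assumes a V8 build that includes the fix, where a target that is not a plain JS object produces a TypeError; the exact message text is engine-specific and is not checked. The helper names probeCaptureStackTrace, makeRecordingProxy and runProbes are this example's own.

```javascript
'use strict';

// Added example (not from the issue or the V8 commit it references).
// Assumption: a V8 build with the fix, where a non-JSObject target makes
// Error.captureStackTrace throw a TypeError rather than trip an internal
// RUNTIME_ASSERT. The message text is not checked, only the error class.

// Classify one Error.captureStackTrace call on `target`:
//   'captured'  - the call succeeded and installed a string .stack
//   'typeerror' - the engine rejected the target with a TypeError
//   otherwise   - the constructor name of whatever else was thrown
function probeCaptureStackTrace(target) {
  try {
    Error.captureStackTrace(target);
  } catch (e) {
    return e instanceof TypeError ? 'typeerror' : e.constructor.name;
  }
  return typeof target.stack === 'string' ? 'captured' : 'no-stack';
}

// Build a Proxy whose handler records every trap the engine invokes.
// Rejecting a proxy target before any trap runs matters: a trap is
// user-controlled code, and the stack-capture path should never call
// into it.
function makeRecordingProxy() {
  const trapsHit = [];
  const handler = {};
  for (const trap of ['get', 'set', 'has', 'defineProperty',
                      'getOwnPropertyDescriptor', 'getPrototypeOf']) {
    handler[trap] = (...args) => {
      trapsHit.push(trap);
      return Reflect[trap](...args);
    };
  }
  return { proxy: new Proxy({}, handler), trapsHit };
}

// Run the probe over the shapes the fuzzer testcase combined plus a few
// other non-object values, and return the classification of each.
function runProbes() {
  const { proxy, trapsHit } = makeRecordingProxy();

  // Like the testcase's __v_7: coercing this object to a primitive throws,
  // so a successful capture proves the engine never coerced it.
  const poison = {
    valueOf() { throw new Error('valueOf must not be called'); },
    toString() { throw new Error('toString must not be called'); },
  };

  return {
    plainObject: probeCaptureStackTrace({}),        // control case
    poisonObject: probeCaptureStackTrace(poison),   // still a JSObject
    proxy: probeCaptureStackTrace(proxy),           // the crashing input
    proxyTrapsHit: trapsHit.length,                 // expected: 0
    number: probeCaptureStackTrace(1),
    undefinedValue: probeCaptureStackTrace(undefined),
  };
}

console.log(JSON.stringify(runProbes(), null, 2));
```

Run it with node. The proxy case is the one worth keeping in a regression suite: the trap counter checks that the target is rejected before any handler code executes, so the argument check sits at the API boundary rather than somewhere inside the stack-capture machinery.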
Apr 4 2016
Apr 4 2016
Issue 600256 has been merged into this issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |