result_len <= FixedDoubleArray::kMaxLength in src/elements.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6356890476347392
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: result_len <= FixedDoubleArray::kMaxLength in src/elements.cc
Minimized Testcase (5.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97-RqC_DX9LSJ_oCJxPiAEPfPzrihgL4OVOxIv7iuX9l2_-BlRnNiq0fzYoHhFl-PVmBBvvTAgP1zcjI1PbtQSaDca6EBJW7ELlYlykUVWKisAu7DMTgprsrtS8LkL8vPDQKHLookUobyq3GzFOwHGfzQ7ABg
Filer: hablich
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Apr 5 2016
This is the reduced repro ...
var a = [function() {}, function() {}];
for (;;) { a = a.concat(a); }
Reproduces as follows ...
$ git checkout da477bc7e284f2eb07f9f79a5214525c482d3c55
$ make -j1000 x64.debug
$ out/x64.debug/d8 --random-seed=-109433610 --invoke-weak-callbacks --omit-quit test/mjsunit/foo.js
#
# Fatal error in ../src/elements.cc, line 3000
# Check failed: result_len <= FixedDoubleArray::kMaxLength.
#
==== C stack trace ===============================
1: V8_Fatal
2: v8::internal::ElementsAccessor::Concat(v8::internal::Isolate*, v8::internal::Arguments*, unsigned int)
3: 0xd5b0c8
4: 0xd5abd7
5: 0xd41fa6
6: 0xb6070e092a7
Illegal instruction (core dumped)
Apr 5 2016

Apr 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/823224f3ee7959dc4731191439dcef2bcb16a043

commit 823224f3ee7959dc4731191439dcef2bcb16a043
Author: cbruni <cbruni@chromium.org>
Date: Tue Apr 05 15:35:08 2016

[elements] Fix length bounds precheck for Array.prototype.concat

BUG= chromium:599414
LOG=n

Review URL: https://codereview.chromium.org/1863553003

Cr-Commit-Position: refs/heads/master@{#35269}

[modify] https://crrev.com/823224f3ee7959dc4731191439dcef2bcb16a043/src/builtins.cc
[modify] https://crrev.com/823224f3ee7959dc4731191439dcef2bcb16a043/src/elements.cc
[add] https://crrev.com/823224f3ee7959dc4731191439dcef2bcb16a043/test/mjsunit/regress/regress-599414-array-concat-fast-path.js
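The commit above tightens the length bounds precheck that guards the Array.prototype.concat fast path, so that the fast path bails out before the CHECK in the backing-store allocator fires. The following is an added illustration of the shape such a precheck takes, not V8's code: kMaxLength is an assumed placeholder (not the real FixedDoubleArray::kMaxLength), the lengths are accumulated in 64 bits so a 32-bit wraparound cannot make an oversized result look small, and the doubling loop from the reduced repro (a = a.concat(a)) is simulated against it.

```cpp
#include <cstdint>
#include <vector>

// Assumed placeholder for the largest backing store the fast path may
// allocate; it stands in for FixedDoubleArray::kMaxLength and is not V8's value.
constexpr uint32_t kMaxLength = 1u << 26;

// Fast-path precheck for concat: sums the argument lengths and reports whether
// the result still fits a fixed-size backing store. Returns false (meaning
// "take the generic slow path") as soon as the running sum exceeds kMaxLength.
// Accumulating in uint64_t means two lengths near UINT32_MAX cannot wrap to a
// small number and slip past the bound; the check runs before any allocation.
bool ConcatFastPathPrecheck(const std::vector<uint32_t>& lengths,
                            uint32_t* result_len) {
  uint64_t total = 0;
  for (uint32_t len : lengths) {
    total += len;
    if (total > kMaxLength) return false;  // bail out to the slow path early
  }
  *result_len = static_cast<uint32_t>(total);
  return true;
}

// Simulates the reduced repro: each round does a = a.concat(a), which asks the
// fast path for a result of length 2 * len. Returns how many rounds the
// precheck accepts before it forces a bailout instead of tripping the CHECK.
int DoublingRoundsUntilBailout(uint32_t start_len) {
  uint32_t len = start_len;
  int rounds = 0;
  for (;;) {
    uint32_t next = 0;
    if (!ConcatFastPathPrecheck({len, len}, &next)) return rounds;
    len = next;
    ++rounds;
  }
}
```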
Apr 6 2016
ClusterFuzz has detected this issue as fixed in range 35268:35269.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6356890476347392
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: result_len <= FixedDoubleArray::kMaxLength in src/elements.cc
Fixed: V8: r35268:35269
Minimized Testcase (5.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97-RqC_DX9LSJ_oCJxPiAEPfPzrihgL4OVOxIv7iuX9l2_-BlRnNiq0fzYoHhFl-PVmBBvvTAgP1zcjI1PbtQSaDca6EBJW7ELlYlykUVWKisAu7DMTgprsrtS8LkL8vPDQKHLookUobyq3GzFOwHGfzQ7ABg
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 6 2016

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Apr 5 2016
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)