Crash in v8::internal::FixedArray::get |
||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4851095544791040 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_chrome_v8_d8 Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000027 Crash State: v8::internal::FixedArray::get v8::internal::Isolate::native_context v8::internal::Isolate::initial_array_prototype Regressed: V8: r35065:35144 Minimized Testcase (0.08 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96_pi6qwe8HyAtUNncU0wQMm2MkTVy-wfA-8mxzkgnl7TQRP3sm3EdTfaKH0AOeA7zyk-pO-sMNaO-Q1BD1PY0gTTiTx8PwC6FK6iUT_si6gLdvY63E-7vpwX99lnKSxfad0nJ7Mafx__gklpGRqk0m8hifzQ __v_2 = []; __v_2[Math.pow(2,31)-1] = 0; __v_2.push(function () { return __v_5; }); Filer: manoranjanr See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 1 2016
V8 changelog from the above detailed report: ============================================= https://chromium.googlesource.com/v8/v8/+log/25d2b2477180ce29467b16408e25a5752592944b..046414169a96b4b5580cecef92908c660c470aaa?pretty=fuller neis@: Could you please take a look or help in investigating this further as seeing prototype chain related change(https://codereview.chromium.org/1842563004) in the above regression range.
,
Apr 1 2016
ClusterFuzz has detected this issue as fixed in range 35144:35169. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4851095544791040 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_chrome_v8_d8 Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000027 Crash State: v8::internal::FixedArray::get v8::internal::Isolate::native_context v8::internal::Isolate::initial_array_prototype Regressed: V8: r35065:35144 Fixed: V8: r35144:35169 Minimized Testcase (0.08 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96_pi6qwe8HyAtUNncU0wQMm2MkTVy-wfA-8mxzkgnl7TQRP3sm3EdTfaKH0AOeA7zyk-pO-sMNaO-Q1BD1PY0gTTiTx8PwC6FK6iUT_si6gLdvY63E-7vpwX99lnKSxfad0nJ7Mafx__gklpGRqk0m8hifzQ __v_2 = []; __v_2[Math.pow(2,31)-1] = 0; __v_2.push(function () { return __v_5; }); See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 1 2016
This was unrelated to my change but got fixed in the meantime.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||
►
Sign in to add a comment |
||||
Comment 1 by manoranj...@chromium.org
, Mar 31 2016