RUNTIME_ASSERT in args[0]->IsJSFunction() in src/runtime/runtime-test.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6659559338278912

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State:
  args[0]->IsJSFunction() in src/runtime/runtime-test.cc
Regressed: V8: r34400:34401

Minimized Testcase (8.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97UxTRPyflflfrfxyKgw2-c_IIC97aWAzL45z6DF-0ezxEOs5p95yfy_4zrBouIbCbaGO0ns_LsWqFeghQau58ImCknRvJR3P505Lcc7Sm_h8ZdJmQVwE9ZhzrehA6XaCPO0GNhatijd7Q__jcFJ0w6ktNPcg

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by ishell@chromium.org, Apr 4 2016
Status: Assigned (was: Available)

This is similar to issue 596719. It seems that this test managed to pass through the arguments check for %OptimizeFunctionOnNextCall(): in the test we have %OptimizeFunctionOnNextCall(__f_1.prototype.foo); and "__f_1.prototype.foo" WILL be a function a couple of lines later, but not yet.

Apr 6 2016

The fuzzer will now only keep the call if the argument is known to be a function.

Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot