heap()->mark_compact_collector()->is_compacting() || Capacity() <= heap()->MaxOl
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5677624889704448
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: heap()->mark_compact_collector()->is_compacting() || Capacity() <= heap()->MaxOl
Regressed: V8: r35094:35095
Minimized Testcase (3.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95DoLGKQr6x30IUCAjc4S7xhtIrLa5THzWHQE1uVNZUN2XhWIJ7r9gndoS705ktQ5RlouTheQWoi5jTXpsXlbZAcP3htdcUQ_3wKLwTSGg3twLaGxieQmXiNO9TSyYnQ0n9mmuEik03kn9SUjFjthjjA80OtA
Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by hablich@chromium.org, Apr 4 2016
This reproduces with the revision in the regression range. On tip-of-tree it already reports a proper OOM (as it should). Chances are, this has been fixed along the way already. Hannes, feel free to close if this is no longer actionable or has been fixed already.

Reproduces as follows ...

$ git checkout 000d33896771f56a6cb2b25fb432faae57a88dc9
$ make -j1000 x64.debug
$ ./out/x64.debug/d8 --random-seed=769205728 --expose-gc --enable-slow-asserts --verify-heap --invoke-weak-callbacks --omit-quit --ignition --gc-interval=421 --max-old-space-size=60 ~/Downloads/fuzz-00428.js

Apr 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/d16c3825fbd91997552b1c9251ec5a436fe80e8a

commit d16c3825fbd91997552b1c9251ec5a436fe80e8a
Author: hpayer <hpayer@chromium.org>
Date: Wed Apr 06 11:52:22 2016

[heap] Old generation limit is based on capacity.

BUG=chromium:600258
LOG=n

Review URL: https://codereview.chromium.org/1864433003
Cr-Commit-Position: refs/heads/master@{#35296}

[modify] https://crrev.com/d16c3825fbd91997552b1c9251ec5a436fe80e8a/src/heap/heap.cc
[modify] https://crrev.com/d16c3825fbd91997552b1c9251ec5a436fe80e8a/src/heap/heap.h
[modify] https://crrev.com/d16c3825fbd91997552b1c9251ec5a436fe80e8a/src/heap/spaces.cc
[modify] https://crrev.com/d16c3825fbd91997552b1c9251ec5a436fe80e8a/test/cctest/heap/test-heap.cc

Apr 6 2016
ClusterFuzz has detected this issue as fixed in range 35264:35265.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5677624889704448
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: heap()->mark_compact_collector()->is_compacting() || Capacity() <= heap()->MaxOl
Regressed: V8: r35094:35095
Fixed: V8: r35264:35265
Minimized Testcase (3.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95DoLGKQr6x30IUCAjc4S7xhtIrLa5THzWHQE1uVNZUN2XhWIJ7r9gndoS705ktQ5RlouTheQWoi5jTXpsXlbZAcP3htdcUQ_3wKLwTSGg3twLaGxieQmXiNO9TSyYnQ0n9mmuEik03kn9SUjFjthjjA80OtA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Apr 7 2016

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot