(this->elements()->length())>=(2) in src/objects-debug.cc

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4786585186336768
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: (this->elements()->length())>=(2) in src/objects-debug.cc
Regressed: V8: r35299:35300
Minimized Testcase (6.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv960DVvIJsqqtNIOZDYiN6f4w_Ff8srQKq_AtnhQQ5hVyI_FT8c0fag-GIwpoTGAE6HB9H-nEELIMrHvptWkf125P6v8WvIwDZgr6NVdHVE-3ZSqx4yjFECHsepRGe0az1UQZE2cYeFRgdsVIPeuCcuCuCFpZg
Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 2, Apr 7 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5045679491121152
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !IsSloppyArgumentsElements(kind) || (elements()->IsFixedArray() && elements()->l
Regressed: V8: r35299:35300
Minimized Testcase (10.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ApuWaHs0w-o0VoiWahCr2_3AmRQ2p7FnvgS1r-aVFD-AYorFp9q6dSOIa37UfVsmP7aHrs0Js3zw0jmGLCm-u-NJX9ds-Ab8StPtXmawm0YecnEi0JlnnqgyyjpYxrY7jKVeJDcA90KpUfTmdRbQWhf2Tcg
Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 3, Apr 7 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6570530588590080
Fuzzer: stgao_chromebot2
Job Type: linux_asan_chrome_v8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  (this->elements()->length())>=(2) in v8/src/objects-debug.cc
  v8::internal::Object::SetPropertyInternal
  v8::internal::Object::SetProperty
  v8::internal::StoreIC::Store
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95oysLulew07x_K6seMT_0tIQtLtcoqGjeQvrRff1WvAvT-PN9zKhs2WQIiDc3Xdglb1qIzKVVLVpE0hz-Mq3At1Zy1TqVS2XgkyqvEfxcv4zPC2aSE8-LRXrbTKuktvAjraExbiBSH5WQezNcwfLYSPtIpJaYNNrSck7fG483Azg7aeQ8
Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 4, Apr 7 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6336015576334336
Fuzzer: stgao_chromebot2
Job Type: linux_asan_chrome_v8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  (this->elements()->length())>=(2) in v8/src/objects-debug.cc
  <unknown>
  v8::base::OS::Abort
  V8_Fatal
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94mPQ9NIsoPlXWcjYi_1O5_g626NSHuYutsvOq45NHaqn49TxfRybSFlXfDl9o8Wm0kNyaIxTmUXwhi0Q06LzzzgClaegDbeo6BKO3_eQ1BOPKpz8PoFM0GEoqUIimBHzgMoeo4yqE5n9Adwk03YnYYCG4TYcuYlcwQm-A9hceOiH2U8EY
Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 5, Apr 7 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4629546552262656
Fuzzer: decoder_langfuzz
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: (this->elements()->length())>=(2) in v8/src/objects-debug.cc
Regressed: V8: r35280:35309
Minimized Testcase (7.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95U6dIZIxyQackUJ3rga_1Iu36a9L2TWccANJY51gZ3cbw13lNiqszt-y3jg6aprFsFxvLHG7aMvrd-U3EaKjwlJ-catrnnIiACGIpu-tGIPh6Zd0fjfCypFRNzAipKmmHzXAYyNRSJqUUH4mEfOlDx7FDxXw
Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 6, Apr 8 2016

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/ad1784e5c68b14ff0400b7221ce55d1478066013

commit ad1784e5c68b14ff0400b7221ce55d1478066013
Author: cbruni <cbruni@chromium.org>
Date: Fri Apr 08 08:02:26 2016

[elements] revert overzealous optimization for fast sloppy arguments delete

BUG= chromium:601390
LOG=n

Review URL: https://codereview.chromium.org/1865343002

Cr-Commit-Position: refs/heads/master@{#35345}

[modify] https://crrev.com/ad1784e5c68b14ff0400b7221ce55d1478066013/src/elements.cc
[modify] https://crrev.com/ad1784e5c68b14ff0400b7221ce55d1478066013/test/mjsunit/arguments.js
Comment 7, Apr 8 2016

ClusterFuzz has detected this issue as fixed in range 35344:35345.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5045679491121152
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !IsSloppyArgumentsElements(kind) || (elements()->IsFixedArray() && elements()->l
Regressed: V8: r35299:35300
Fixed: V8: r35344:35345
Minimized Testcase (10.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ApuWaHs0w-o0VoiWahCr2_3AmRQ2p7FnvgS1r-aVFD-AYorFp9q6dSOIa37UfVsmP7aHrs0Js3zw0jmGLCm-u-NJX9ds-Ab8StPtXmawm0YecnEi0JlnnqgyyjpYxrY7jKVeJDcA90KpUfTmdRbQWhf2Tcg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8, Apr 8 2016

ClusterFuzz has detected this issue as fixed in range 35344:35345.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4786585186336768
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: (this->elements()->length())>=(2) in src/objects-debug.cc
Regressed: V8: r35299:35300
Fixed: V8: r35344:35345
Minimized Testcase (6.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv960DVvIJsqqtNIOZDYiN6f4w_Ff8srQKq_AtnhQQ5hVyI_FT8c0fag-GIwpoTGAE6HB9H-nEELIMrHvptWkf125P6v8WvIwDZgr6NVdHVE-3ZSqx4yjFECHsepRGe0az1UQZE2cYeFRgdsVIPeuCcuCuCFpZg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9, Apr 8 2016
Comment 10, Apr 8 2016

ClusterFuzz has detected this issue as fixed in range 35342:35348.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4629546552262656
Fuzzer: decoder_langfuzz
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: (this->elements()->length())>=(2) in v8/src/objects-debug.cc
Regressed: V8: r35280:35309
Fixed: V8: r35342:35348
Minimized Testcase (7.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95U6dIZIxyQackUJ3rga_1Iu36a9L2TWccANJY51gZ3cbw13lNiqszt-y3jg6aprFsFxvLHG7aMvrd-U3EaKjwlJ-catrnnIiACGIpu-tGIPh6Zd0fjfCypFRNzAipKmmHzXAYyNRSJqUUH4mEfOlDx7FDxXw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 11, Apr 9 2016

Your change meets the bar and is auto-approved for M51 (branch: 2704).
Comment 12, Apr 11 2016

Issue 601864 has been merged into this issue.
Comment 13, Apr 12 2016

Issue 602514 has been merged into this issue.
Comment 14, Apr 12 2016

Issue 602349 has been merged into this issue.
Comment 15, Apr 12 2016

Users experienced this crash on the following builds:
Win Canary 52.0.2705.0 - 7.34 CPM, 91 reports, 41 clients (signature v8::internal::`anonymous namespace'::ElementsAccessorBase<v8::internal::`anonymous namespace'::FastSloppyArgumentsElementsAccessor,v8::internal::A0x09cb10c2::ElementsKindTraits<7> >::GetEntryForIndex)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Comment 16, Apr 12 2016

Users experienced this crash on the following builds:
Win Canary 52.0.2705.0 - 22.09 CPM, 274 reports, 126 clients (signature v8::internal::`anonymous namespace'::SloppyArgumentsElementsAccessor<v8::internal::`anonymous namespace'::FastSloppyArgumentsElementsAccessor,v8::internal::A0x98f9cc56::FastHoleyObjectElementsAccessor,v8::internal::A0x98f9cc56::ElementsKindTraits<7> >::GetEntryForIndexImpl)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Comment 17, Apr 12 2016

Hi cbruni, Chrome stability sheriff here, quick question: if there's a patch for this from April 8 (Comment 6), do you know why this is still crashing in 52.0.2705.0, which you deduped from Issue 602349? I think that canary was released April 11.
Comment 18, Apr 12 2016

Chrome 52.0.2705.0 still uses V8 version 5.1.294.3 from 2016-04-08 12:47: https://chromium.googlesource.com/v8/v8/+log/1eed63095df9422c5633d215bd73792695a3e377. My fix only happened after the branch cut (see https://chromium.googlesource.com/v8/v8/+log/ad1784e5c68b14ff0400b7221ce55d1478066013).
Comment 19, Apr 12 2016

Please merge your change to M51 branch 2704 before 5:00 PM PST tomorrow (Wednesday), so we can take it in for M51 Thursday's dev push.
Comment 20, Apr 13 2016

Jakob: Camillo indicates that you're going to take care of the merge, since he is OOO?
Comment 21, Apr 13 2016

I don't believe this needs merging. It's a follow-up fix to 604f5be5f7325ea1af817868695436b803969e8b, which was landed a day *after* V8's 5.1 branch point.
Comment 22, Apr 13 2016

If M51 merge is NOT needed, please remove the "Merge-Approved-51" label. Thank you.
Comment 23, Apr 14 2016

Removing label per request in #22. Camillo, when you have time, please confirm that there's nothing left to do here (and mark as Fixed if so).
Comment 24, Apr 14 2016
Comment 25, Apr 15 2016
Comment 26, Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Apr 7 2016

Status: Assigned (was: Available)