Crash in v8::internal::Map::TransitionToDataProperty
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6475540860502016

Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  v8::internal::Map::TransitionToDataProperty
  v8::internal::LookupIterator::PrepareTransitionToDataProperty
  v8::internal::Object::AddDataProperty

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_content_shell&range=379564:379959

Minimized Testcase (3.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9676elJ0bh_b4o7dBZwnHfhJcP4Hq123sprO1mVdegrPldqUT--EXNes4zeRk5yIIcGwXJW_snNpQh0XEPlgN2qKVAb7cuRwLtTIuMQVisHkGHrRNwgrHN3tGZO575v4nIsyNqTihlZSb6w40q7-8_TqimUMw

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 7 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5594892564168704

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000000
Crash State:
  v8::internal::Map::TransitionToDataProperty
  v8::internal::LookupIterator::PrepareTransitionToDataProperty
  v8::internal::Object::AddDataProperty

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_content_shell&range=379564:379959

Minimized Testcase (0.82 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97Q5ZRZVtfH2Z6mlpVhORtmV6zM7On6aQJ_-I2wSSwBplG-kqzpcXFPc3RoJgJzWfmzBFYgOXzzwByqB8-H1I05r_AmsbPv-9uF2pVSBQOoDOVAXipjfGfMmZhr3C3tSZDk5EFsuq3UgRGrelvrc-1Vcscypw

<script src="../../resources/testharnessreport.js"></script>
<script id="scriptid">
var dbname = 'db-' + String();
var open = indexedDB.open(dbname);
open.onupgradeneeded = function() {
    var db = open.result;
    var store = db.createObjectStore('store');
};
open.onsuccess = function() {
    db = open.result;
    var tx = db.transaction('store');
    var req = tx.objectStore('store').get(0);
    req.onsuccess = function() {
        // Detach the iframe this script is running in, then read the
        // request's result from the now-detached context.
        frameElement.parentNode.removeChild(frameElement);
        var result = req.result;
    };
};
// Re-run this same script inside a same-origin blob: URL iframe, where
// frameElement is non-null (in the top-level document it is null).
var script = document.querySelector('#scriptid').textContent;
var blob = new Blob(['<script>', script, '<\/script>'], {'type': 'text/html'});
var iframe = document.createElement('iframe');
document.documentElement.appendChild(iframe);
iframe.src = URL.createObjectURL(blob);
</script>

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 7 2016
Apr 7 2016
Reproduces on r379959 with a sample from c#2. Crashes inside setHiddenValue() https://code.google.com/p/chromium/codesearch#chromium/src/out/Debug/gen/blink/bindings/modules/v8/V8IDBRequest.cpp&l=60 because |v8Value| is an empty handle. Kentaro, please find the right owner.
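As an added example, not part of this bug thread and not Chromium's own code: the pattern the comment above describes (an async callback removes the frame the script executes in and then reads an attribute whose getter must hand an object back to V8 from the detached context) generalized into a small browser harness, so that other async APIs can be dropped in where the minimized testcase uses IDBRequest. The helper names buildFrameScript, buildFrameSource, runInDetachableFrame and idbStep are this example's own. The DOM part only runs in a browser; the builders can be exercised anywhere.

```javascript
// Added example (not from the bug thread): harness for "detach the executing
// frame from inside an async callback, then touch the result". Only the
// IndexedDB calls come from the minimized testcase; all helper names are
// assumptions of this example.

// Produce the JS that runs inside the iframe. `stepSource` is the source text
// of a function taking one argument, detachAndTouch(target, attrName): it
// starts an async operation and, from that operation's completion callback,
// calls detachAndTouch so the frame is removed before the getter runs.
function buildFrameScript(stepSource) {
  return [
    'var detachAndTouch = function (target, attrName) {',
    '  // Step 1: detach the iframe this script executes in.',
    '  frameElement.parentNode.removeChild(frameElement);',
    '  // Step 2: touch an attribute whose getter has to create a V8 wrapper',
    '  // in the now-detached context (req.result in the testcase).',
    '  return target[attrName];',
    '};',
    '(' + stepSource + ')(detachAndTouch);'
  ].join('\n');
}

// Wrap the script in a minimal HTML document. The closing tag is spelled
// '<\/script>' so this source survives being embedded in a <script> element,
// as the testcase's own blob-building line does.
function buildFrameSource(stepSource) {
  return '<script>\n' + buildFrameScript(stepSource) + '\n<\/script>';
}

// The asynchronous step from the minimized testcase: open a database, create a
// store on upgrade, issue a get() and detach inside its success handler.
function idbStep(detachAndTouch) {
  var open = indexedDB.open('db-' + String());
  open.onupgradeneeded = function () {
    open.result.createObjectStore('store');
  };
  open.onsuccess = function () {
    var db = open.result;
    var req = db.transaction('store').objectStore('store').get(0);
    req.onsuccess = function () {
      detachAndTouch(req, 'result');
    };
  };
}

// Load the generated document into a same-origin blob: URL iframe, which is
// what makes frameElement non-null for the script running inside it.
function runInDetachableFrame(stepFn) {
  var html = buildFrameSource(stepFn.toString());
  var blob = new Blob([html], { type: 'text/html' });
  var iframe = document.createElement('iframe');
  document.documentElement.appendChild(iframe);
  iframe.src = URL.createObjectURL(blob);
  return iframe;
}

// Any other async API can replace idbStep as long as it follows the same
// contract: start work, then call detachAndTouch from the completion callback.
if (typeof document !== 'undefined') {
  runInDetachableFrame(idbStep);
}
```

Run it from a page served on any origin; the blob: URL inherits that origin, which is why the inner script may reach frameElement and detach itself. Swapping idbStep for another step function reuses the same detach-then-touch sequence against a different request object.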
Apr 7 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6475540860502016

Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  v8::internal::Map::TransitionToDataProperty
  v8::internal::LookupIterator::PrepareTransitionToDataProperty
  v8::internal::Object::AddDataProperty

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_content_shell&range=379564:379959

Minimized Testcase (3.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9676elJ0bh_b4o7dBZwnHfhJcP4Hq123sprO1mVdegrPldqUT--EXNes4zeRk5yIIcGwXJW_snNpQh0XEPlgN2qKVAb7cuRwLtTIuMQVisHkGHrRNwgrHN3tGZO575v4nIsyNqTihlZSb6w40q7-8_TqimUMw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 8 2016
ishell@: If |v8Value| is an empty value, setHiddenValue() just immediately returns, doesn't it? https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/bindings/core/v8/V8HiddenValue.cpp&l=40&rcl=1460056692
Jun 9 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5594892564168704

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000000
Crash State:
  v8::internal::Map::TransitionToDataProperty
  v8::internal::LookupIterator::PrepareTransitionToDataProperty
  v8::internal::Object::AddDataProperty

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_content_shell&range=379564:379959

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94zxPj8UVI56Ll9tAvCDSbBstPKIRKj8qW7JHlezuEf718FXyoOq4zkcC0u1FmEyDsSQstB0PKemk4NIKRKp6MhEo5jf2U9O3JrzUTPInJRtazR391ApvqYxzlOSLjfbYN53KFBM_DinmS7fqmRTgy9e7XC8w

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Apr 7 2016