DICTIONARY_ELEMENTS == elements_kind in src/code-stubs.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4610880938967040

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  DICTIONARY_ELEMENTS == elements_kind in src/code-stubs.h

Minimized Testcase (0.29 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96ZU_NCSEKsBNPEfJ_xL24cZs6AQ-Ob7DEuyuO1brQ6kN8INuRSR7jBuemuUrR67hI4Exyasy2yKrvZ9JhPQQhyU4NxBWRhaYJCUOOyRKkD7qEsCQQ1NP5SWqON8u-trY3-g34LlfyAKzAtfoGvTCR8GI9y_A

try { ( { })(); } catch(e) {; }
__v_2 = new String();
function __f_4() {
  __f_3(false, false, false, __v_2);
}
__f_4();
__f_4();
function __f_3(test, test2, test3, a) {
  var __v_3;
  if (test) {
    __v_3 = __v_3|0;
  }
  a[__v_3] = 1;
}
__v_2 = new Int32Array(10);
__f_3(true, false, true, __v_2);

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 12 2016
ClusterFuzz has detected this issue as fixed in range 35396:35397.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4610880938967040

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  DICTIONARY_ELEMENTS == elements_kind in src/code-stubs.h

Fixed: V8: r35396:35397

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 12 2016
Fixed by 58429beb7b030805197c8968bcae4b2c20127804 (bugdroid, Y U NO comment here?).
Apr 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/f4a9a50147ebc3498e53391f7a9a478a70786a3c

commit f4a9a50147ebc3498e53391f7a9a478a70786a3c
Author: jkummerow <jkummerow@chromium.org>
Date: Fri Apr 22 09:08:16 2016

[tests] Add testcase for r35397

This is a follow-up to 58429beb7b030805197c8968bcae4b2c20127804
"Fix KeyedStore stub selection for STRING_WRAPPER_ELEMENTS".

BUG= chromium:602184
LOG=n

Review URL: https://codereview.chromium.org/1912443004

Cr-Commit-Position: refs/heads/master@{#35715}

[add] https://crrev.com/f4a9a50147ebc3498e53391f7a9a478a70786a3c/test/mjsunit/regress/regress-crbug-602184.js
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ishell@chromium.org
Apr 11 2016
Owner: jkummerow@chromium.org
Status: Assigned (was: Available)
Reproduces on TOT, bisected to "Introduce {FAST,SLOW}_STRING_WRAPPER_ELEMENTS" (https://codereview.chromium.org/1612323003)

out/x64.debug/d8 --predictable test.js

===== test.js =====
function f(test, a) {
  var v;
  if (test) {
    v = v|0;
  }
  a[v] = 1;
}
var v = new String();
f(false, v);
f(false, v);
v = new Int32Array(10);
f(true, v);