object->FitsRepresentation(representation) in src/objects-inl.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6296878068531200
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: object->FitsRepresentation(representation) in src/objects-inl.h

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95DBXDbP0zT9aj6s7S42DSvJxvzaIwMRyOXwBsnp-B0P4cz0D6oH_OekCmPybgZS_DlwdDrR_aMauBOK69anejlUkbWl-iK_xSG-hHD_of0zkNu4Del4mO8gHseouH026VC8VfVnbZX59C7hBCndkW66Xowcg

function __f_3(a, b, c) { this.b = b; this.c = c; }
__v_2 = new __f_3(1, 2, 3.5);
__v_1 = new __f_3(1, 2.5, 3);
function __f_2(o) { o.d = 1; }
__f_2(__v_2);
(function __f_5() { Object.assign(__v_1, __v_1); })();

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 25 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/1678bb557c8333283bb88e8853c1aa2cb6eb3d5c

commit 1678bb557c8333283bb88e8853c1aa2cb6eb3d5c
Author: verwaest <verwaest@chromium.org>
Date: Mon Apr 25 15:40:38 2016

MigrateInstance(target) before Object.assign(target, ...)

If the target is deprecated, the object will be updated on first store. If the source for that store equals the target, this will invalidate the cached representation of the source. Preventively upgrade the target.

BUG= chromium:604300
LOG=n

Review URL: https://codereview.chromium.org/1905933002

Cr-Commit-Position: refs/heads/master@{#35770}

[modify] https://crrev.com/1678bb557c8333283bb88e8853c1aa2cb6eb3d5c/src/builtins.cc
[add] https://crrev.com/1678bb557c8333283bb88e8853c1aa2cb6eb3d5c/test/mjsunit/regress/regress-object-assign-deprecated-2.js
[add] https://crrev.com/1678bb557c8333283bb88e8853c1aa2cb6eb3d5c/test/mjsunit/regress/regress-object-assign-deprecated.js
Apr 25 2016
ClusterFuzz has detected this issue as fixed in range 35769:35770.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6296878068531200
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: object->FitsRepresentation(representation) in src/objects-inl.h
Regressed: V8: r34152:34153
Fixed: V8: r35769:35770

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95DBXDbP0zT9aj6s7S42DSvJxvzaIwMRyOXwBsnp-B0P4cz0D6oH_OekCmPybgZS_DlwdDrR_aMauBOK69anejlUkbWl-iK_xSG-hHD_of0zkNu4Del4mO8gHseouH026VC8VfVnbZX59C7hBCndkW66Xowcg

function __f_3(a, b, c) { this.b = b; this.c = c; }
__v_2 = new __f_3(1, 2, 3.5);
__v_1 = new __f_3(1, 2.5, 3);
function __f_2(o) { o.d = 1; }
__f_2(__v_2);
(function __f_5() { Object.assign(__v_1, __v_1); })();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 26 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Apr 18 2016
Owner: verwa...@chromium.org
Status: Assigned (was: Available)