New issue
Advanced search Search tips

Issue 614726 link

Starred by 1 user
Status: Fixed
Owner:
mstarzinger@chromium.org
Closed: Nov 2016
Cc:
jkummerow@chromium.org
ishell@chromium.org
mstarzinger@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

!v8::internal::FLAG_enable_slow_asserts || (index >= 0 && index < this->length()

Project Member Reported by ClusterFuzz, May 25 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5262167389765632

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (index >= 0 && index < this->length()
  
Regressed: V8: r36418:36419

Minimized Testcase (0.11 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94j-vY1RiiPnrpkIkYqWaoYgNaU0ZXc7hsGaNb69Skt8hjYxpTge-InP28Wei7W3575bCYIvpazIbJPgkEmIiPhCNtds5EoFt6vFSkq06Vqsq_IOt_3PFr-9GoGRQMJ311yx6E5fyqSdB8DlY-s1OoM1vndPQ
function __f_13() {
  var __v_13 = [10];
  try {
    __f_13();
  } catch(e) {
    __v_13.map();
  }
}
__f_13();


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mstarzinger@chromium.org, May 27 2016

Labels: -Pri-1 Pri-2
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)
Most likely escape analysis. I'll take this one.

Comment 2 by mstarzinger@chromium.org, Jun 6 2016 

 Issue 617533  has been merged into this issue.
Project Member

Comment 3 by ClusterFuzz, Jun 8 2016 

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5262167389765632

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (index >= 0 && index < this->length()
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94XUrdzPiIN-QVMP9ctQY2rpQOvubIog5RxuQc8Zml0ZP3Q_bvuS9zTY8Pkis5iWyoI1VmBr65rtsOOjY8ESiIm_5vbMh76ZK_4KDOHhCfHlJJzzkiyHjmDgXw-tf7JlZX96wh2XEc0IU17ypLac9IvU_TU-Q


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by ClusterFuzz, Jun 13 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 5 by mstarzinger@chromium.org, Jun 14 2016

Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
Reopening. Not fixed.
Project Member

Comment 6 by ClusterFuzz, Jun 15 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6484135053099008

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (index >= 0 && index < this->length()
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_dbg&range=36418:36419

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96rKFXHF3pmWKrAwyXkI1xPFMpiYM-w2nP24gJ7w6fU6Jhru_ezOXD_GtlFJYZUFkKaPTkrnF-xdUooxSSVfu6l6puwQp1oG4jWxjOw5ByHyAjC29rgxiIfEqT4-wuspimH8qJhQYdsF3HS4LPTceK2onJx8w
function __f_0() {
  var __v_0 = [10];
  try {
    __f_0();
  } catch(e) {
    __v_0.map();
  }
}
__f_0();


Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 7 by ClusterFuzz, Jun 24 2016 

ClusterFuzz has detected this issue as fixed in range 37234:37235.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6484135053099008

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (index >= 0 && index < this->length()
  
Regressed: V8: r36418:36419
Fixed: V8: r37234:37235

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96rKFXHF3pmWKrAwyXkI1xPFMpiYM-w2nP24gJ7w6fU6Jhru_ezOXD_GtlFJYZUFkKaPTkrnF-xdUooxSSVfu6l6puwQp1oG4jWxjOw5ByHyAjC29rgxiIfEqT4-wuspimH8qJhQYdsF3HS4LPTceK2onJx8w?testcase_id=6484135053099008
function __f_0() {
  var __v_0 = [10];
  try {
    __f_0();
  } catch(e) {
    __v_0.map();
  }
}
__f_0();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by mstarzinger@chromium.org, Jun 29 2016

Cc: jkummerow@chromium.org
 Issue 624396  has been merged into this issue.
Project Member

Comment 9 by ClusterFuzz, Jul 11 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5247457785282560

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (index >= 0 && index < this->length()
  
Regressed: V8: r36418:36419

Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94Ra0M-mXVgk6xAqmCCkg4l5nQDfRCR5mdfvQZpdyM7Er-BeARPAIyfvdhxmRk4HgGoLylIcSrNGeQZdj8JrfVyK3Lejz8z378LdeD534jiNSiqvOhSzzUY3DaLLK64db8oikM4zbQr1CRJOULwPSiAeHfsEQ?testcase_id=5247457785282560
(function __f_1() {
})();
function __f_3() {
  var __v_3 = [10];
  try {
    __f_3();
  } catch(e) {
    __v_3.map();
  }
}
__f_3();


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 10 by ClusterFuzz, Nov 17 2016 

ClusterFuzz has detected this issue as fixed in range 37765:37766.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5247457785282560

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (index >= 0 && index < this->length()
  
Regressed: V8: r36418:36419
Fixed: V8: r37765:37766

Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94Ra0M-mXVgk6xAqmCCkg4l5nQDfRCR5mdfvQZpdyM7Er-BeARPAIyfvdhxmRk4HgGoLylIcSrNGeQZdj8JrfVyK3Lejz8z378LdeD534jiNSiqvOhSzzUY3DaLLK64db8oikM4zbQr1CRJOULwPSiAeHfsEQ?testcase_id=5247457785282560
(function __f_1() {
})();
function __f_3() {
  var __v_3 = [10];
  try {
    __f_3();
  } catch(e) {
    __v_3.map();
  }
}
__f_3();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 11 by mstarzinger@chromium.org, Nov 17 2016

Status: Fixed (was: Assigned)
Project Member

Comment 12 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 13 by infe...@chromium.org, Sep 18 2017

Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.

Sign in to add a comment