
Issue 614727 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




RUNTIME_ASSERT in size <= Page::kMaxRegularHeapObjectSize in src/runtime/runtime-internal.cc

Project Member Reported by ClusterFuzz, May 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4686588420554752

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: RUNTIME_ASSERT
Crash Address: 
Crash State:
  size <= Page::kMaxRegularHeapObjectSize in src/runtime/runtime-internal.cc
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96D4FlecdPmN8LplKtiiqQILF9mPB5jLY_K7cnpIHUvF8l1ZZgWK__yM0cqslKu4NAGBiZ4DXFzmGU0m4cIdYo2pQj1pLXhncJVEdQXGbxpQYqMPrrrPyAML9kFbxRLx_3wuoFnJ9N0ipk_UNzBjIeE0Q7XJ96pAU3Bwa_hfgwuHVzRNs0


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Project Member

Comment 1 by ClusterFuzz, May 27 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4686588420554752

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: RUNTIME_ASSERT
Crash Address: 
Crash State:
  size <= Page::kMaxRegularHeapObjectSize in src/runtime/runtime-internal.cc
  

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94hg6sLZhaX61kyd6jlhAEY2oMIcWILjlAkbP7OEih-qiF3k0Rmy_4lDmf_hrJJyydqbjB7wyJ8W_JOfyAOJhnLKlT9mSc5eI1afI8abi7R53-2QHO93j1gXVbicLv8XE_i_PCN978o40JWelfVRxLaUS47fg
__v_21 = Math.pow(2, 15) * 3 / 2;
__v_22 = [];
while (--__v_21 >= 0) {
  __v_22.push(0);
  __v_22.push(0xFFFF + 1);
}
String.fromCodePoint.apply(null, __v_22);


Filer: manoranjanr

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Components: Tools>Test>FindIt>NoResult
Cc: bmeu...@chromium.org
This is due to our FastNewStrictArgumentsStub no longer having a runtime fallback. The stub assumes it can allocate the object in new-space always, which doesn't hold for very large arguments objects (see repro in comment #1). I suspect the following change to be related:

https://codereview.chromium.org/1693513002/
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)
Project Member

Comment 5 by ClusterFuzz, Jun 10 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4821407586582528

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= Page::kMaxRegularHeapObjectSize in runtime-internal.cc
  

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Rep04sNwQjpErnGnezKh_SX3SkhFTAdTfZ-fxDZp1SdjvCD1Ed4njoD4aGr6N8appt6tu1fVhpe4TnS31PYyw-_mAEVEMi7soBv38dI9RcpGPoo0e90n7Qgnj0bXKXj4yzrQystfa0oBe3wdu_4bnJ_goTA
__v_1 = Math.pow(2, 15) * 3 / 2;
__v_2 = [];
while (--__v_1 >= 0) {
  __v_2.push(0);
}
__v_1 = Math.pow(2, 15) * 3 / 2;
while (--__v_1 >= 0) {
  __v_2.push(0xFFFF + 1);
}
String.fromCodePoint.apply(null, __v_2);


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 6 by bugdroid1@chromium.org, Jun 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e95cfafb67dba67eb7c541d97f5e69f8280df771

commit e95cfafb67dba67eb7c541d97f5e69f8280df771
Author: mstarzinger <mstarzinger@chromium.org>
Date: Mon Jun 13 08:22:50 2016

Fix arguments object stubs for large arrays.

This fixes FastNewStrictArgumentsStub and FastNewRestParameterStub to no
longer assume that the strict arguments object being allocated will fit
into new-space. The case where said object needs to move to large object
space is now handled in the runtime.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-614727
BUG= chromium:614727 

Review-Url: https://codereview.chromium.org/2054853002
Cr-Commit-Position: refs/heads/master@{#36917}

[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/arm/code-stubs-arm.cc
[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/arm64/code-stubs-arm64.cc
[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/ia32/code-stubs-ia32.cc
[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/mips/code-stubs-mips.cc
[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/mips64/code-stubs-mips64.cc
[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/x64/code-stubs-x64.cc
[add] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/test/mjsunit/regress/regress-crbug-614727.js

Project Member

Comment 7 by ClusterFuzz, Jun 13 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4686588420554752

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: RUNTIME_ASSERT
Crash Address: 
Crash State:
  size <= Page::kMaxRegularHeapObjectSize in src/runtime/runtime-internal.cc
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96D4FlecdPmN8LplKtiiqQILF9mPB5jLY_K7cnpIHUvF8l1ZZgWK__yM0cqslKu4NAGBiZ4DXFzmGU0m4cIdYo2pQj1pLXhncJVEdQXGbxpQYqMPrrrPyAML9kFbxRLx_3wuoFnJ9N0ipk_UNzBjIeE0Q7XJ96pAU3Bwa_hfgwuHVzRNs0


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
This is fixed.
Project Member

Comment 9 by bugdroid1@chromium.org, Jun 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/145e16c39fab61b43ded33c6c2f18b596634bf39

commit 145e16c39fab61b43ded33c6c2f18b596634bf39
Author: bjaideep <bjaideep@ca.ibm.com>
Date: Mon Jun 13 15:28:02 2016

PPC: Fix arguments object stubs for large arrays.

Port e95cfafb67dba67eb7c541d97f5e69f8280df771

Original commit message:

    This fixes FastNewStrictArgumentsStub and FastNewRestParameterStub to no
    longer assume that the strict arguments object being allocated will fit
    into new-space. The case where said object needs to move to large object
    space is now handled in the runtime.

R=mstarzinger@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG= chromium:614727 
LOG=N

Review-Url: https://codereview.chromium.org/2060893002
Cr-Commit-Position: refs/heads/master@{#36934}

[modify] https://crrev.com/145e16c39fab61b43ded33c6c2f18b596634bf39/src/ppc/code-stubs-ppc.cc

Project Member

Comment 10 by ClusterFuzz, Jun 13 2016

ClusterFuzz has detected this issue as fixed in range 36916:36917.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4821407586582528

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= Page::kMaxRegularHeapObjectSize in runtime-internal.cc
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=36916:36917

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Rep04sNwQjpErnGnezKh_SX3SkhFTAdTfZ-fxDZp1SdjvCD1Ed4njoD4aGr6N8appt6tu1fVhpe4TnS31PYyw-_mAEVEMi7soBv38dI9RcpGPoo0e90n7Qgnj0bXKXj4yzrQystfa0oBe3wdu_4bnJ_goTA
__v_1 = Math.pow(2, 15) * 3 / 2;
__v_2 = [];
while (--__v_1 >= 0) {
  __v_2.push(0);
}
__v_1 = Math.pow(2, 15) * 3 / 2;
while (--__v_1 >= 0) {
  __v_2.push(0xFFFF + 1);
}
String.fromCodePoint.apply(null, __v_2);


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Components: -Tools>Test>FindIt>NoResult
Project Member

Comment 12 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
