RUNTIME_ASSERT in size <= Page::kMaxRegularHeapObjectSize in src/runtime/runtime-internal.cc

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4686588420554752
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State: size <= Page::kMaxRegularHeapObjectSize in src/runtime/runtime-internal.cc
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96D4FlecdPmN8LplKtiiqQILF9mPB5jLY_K7cnpIHUvF8l1ZZgWK__yM0cqslKu4NAGBiZ4DXFzmGU0m4cIdYo2pQj1pLXhncJVEdQXGbxpQYqMPrrrPyAML9kFbxRLx_3wuoFnJ9N0ipk_UNzBjIeE0Q7XJ96pAU3Bwa_hfgwuHVzRNs0
Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 27 2016
Jun 9 2016
This is due to our FastNewStrictArgumentsStub no longer having a runtime fallback. The stub assumes it can allocate the object in new-space always, which doesn't hold for very large arguments objects (see repro in comment #1). I suspect the following change to be related: https://codereview.chromium.org/1693513002/
Jun 9 2016
Jun 10 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4821407586582528
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: size <= Page::kMaxRegularHeapObjectSize in runtime-internal.cc
Minimized Testcase (0.21 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95Rep04sNwQjpErnGnezKh_SX3SkhFTAdTfZ-fxDZp1SdjvCD1Ed4njoD4aGr6N8appt6tu1fVhpe4TnS31PYyw-_mAEVEMi7soBv38dI9RcpGPoo0e90n7Qgnj0bXKXj4yzrQystfa0oBe3wdu_4bnJ_goTA

    // 2^15 * 3 / 2 = 49152 zeros, followed by 49152 values of 0x10000:
    // 98304 arguments in total, far more than fit a regular new-space object.
    __v_1 = Math.pow(2, 15) * 3 / 2;
    __v_2 = [];
    while (--__v_1 >= 0) { __v_2.push(0); }
    __v_1 = Math.pow(2, 15) * 3 / 2;
    while (--__v_1 >= 0) { __v_2.push(0xFFFF + 1); }
    // The builtin call materializes a strict arguments object for the whole array.
    String.fromCodePoint.apply(null, __v_2);

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e95cfafb67dba67eb7c541d97f5e69f8280df771

commit e95cfafb67dba67eb7c541d97f5e69f8280df771
Author: mstarzinger <mstarzinger@chromium.org>
Date: Mon Jun 13 08:22:50 2016

Fix arguments object stubs for large arrays.

This fixes FastNewStrictArgumentsStub and FastNewRestParameterStub to no longer assume that the strict arguments object being allocated will fit into new-space. The case where said object needs to move to large object space is now handled in the runtime.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-614727
BUG= chromium:614727
Review-Url: https://codereview.chromium.org/2054853002
Cr-Commit-Position: refs/heads/master@{#36917}

[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/arm/code-stubs-arm.cc
[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/arm64/code-stubs-arm64.cc
[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/ia32/code-stubs-ia32.cc
[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/mips/code-stubs-mips.cc
[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/mips64/code-stubs-mips64.cc
[modify] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/src/x64/code-stubs-x64.cc
[add] https://crrev.com/e95cfafb67dba67eb7c541d97f5e69f8280df771/test/mjsunit/regress/regress-crbug-614727.js
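The two allocation paths the fix names, the strict-mode arguments object (FastNewStrictArgumentsStub) and the rest parameter array (FastNewRestParameterStub), exercised from JavaScript at the argument count of the ClusterFuzz repro. This is an added example, not the project's regress-crbug-614727 test; the function names and the zero/0x10000 split of the input are constructed here.

```javascript
// Argument count taken from the repro: two loops of 2^15 * 3 / 2 = 49152 pushes.
const ARG_COUNT = 2 * (Math.pow(2, 15) * 3 / 2); // 98304

// Constructed input mirroring the repro: first half zeros, second half 0x10000.
function buildArgs(count) {
  const out = [];
  for (let i = 0; i < count / 2; i++) out.push(0);
  for (let i = 0; i < count / 2; i++) out.push(0xFFFF + 1);
  return out;
}

// Strict function: `arguments` here is the strict (unmapped) arguments object,
// the object FastNewStrictArgumentsStub allocates.
function strictArgs() {
  'use strict';
  return { length: arguments.length, last: arguments[arguments.length - 1] };
}

// Rest parameter: the callee materializes a fresh array of the extra
// arguments, the object FastNewRestParameterStub allocates.
function restParams(...rest) {
  return { length: rest.length, sum: rest.reduce((a, b) => a + b, 0) };
}

// Drive both paths with apply() (what the repro used) and with spread syntax,
// plus the builtin call from the repro itself. Every result is returned so a
// caller can check that each large object was built completely.
function exercise(count = ARG_COUNT) {
  const args = buildArgs(count);
  const a = strictArgs.apply(null, args);
  const r = restParams(...args);
  // Each 0x10000 code point becomes a surrogate pair (two UTF-16 units).
  const s = String.fromCodePoint.apply(null, args);
  return {
    argsLength: a.length,
    argsLast: a.last,
    restLength: r.length,
    restSum: r.sum,
    strLength: s.length,
  };
}
```

On a build without the fix, the apply() and spread calls above are exactly the operations that trip the RUNTIME_ASSERT; on a fixed build all three calls return normally with the large object placed in large object space by the runtime.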
Jun 13 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4686588420554752
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State: size <= Page::kMaxRegularHeapObjectSize in src/runtime/runtime-internal.cc
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96D4FlecdPmN8LplKtiiqQILF9mPB5jLY_K7cnpIHUvF8l1ZZgWK__yM0cqslKu4NAGBiZ4DXFzmGU0m4cIdYo2pQj1pLXhncJVEdQXGbxpQYqMPrrrPyAML9kFbxRLx_3wuoFnJ9N0ipk_UNzBjIeE0Q7XJ96pAU3Bwa_hfgwuHVzRNs0

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 13 2016
This is fixed.
Jun 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/145e16c39fab61b43ded33c6c2f18b596634bf39

commit 145e16c39fab61b43ded33c6c2f18b596634bf39
Author: bjaideep <bjaideep@ca.ibm.com>
Date: Mon Jun 13 15:28:02 2016

PPC: Fix arguments object stubs for large arrays.

Port e95cfafb67dba67eb7c541d97f5e69f8280df771

Original commit message:
This fixes FastNewStrictArgumentsStub and FastNewRestParameterStub to no longer assume that the strict arguments object being allocated will fit into new-space. The case where said object needs to move to large object space is now handled in the runtime.

R=mstarzinger@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com
BUG= chromium:614727
LOG=N
Review-Url: https://codereview.chromium.org/2060893002
Cr-Commit-Position: refs/heads/master@{#36934}

[modify] https://crrev.com/145e16c39fab61b43ded33c6c2f18b596634bf39/src/ppc/code-stubs-ppc.cc
Jun 13 2016
ClusterFuzz has detected this issue as fixed in range 36916:36917.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4821407586582528
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: size <= Page::kMaxRegularHeapObjectSize in runtime-internal.cc
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=36916:36917
Minimized Testcase (0.21 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95Rep04sNwQjpErnGnezKh_SX3SkhFTAdTfZ-fxDZp1SdjvCD1Ed4njoD4aGr6N8appt6tu1fVhpe4TnS31PYyw-_mAEVEMi7soBv38dI9RcpGPoo0e90n7Qgnj0bXKXj4yzrQystfa0oBe3wdu_4bnJ_goTA

    __v_1 = Math.pow(2, 15) * 3 / 2;
    __v_2 = [];
    while (--__v_1 >= 0) { __v_2.push(0); }
    __v_1 = Math.pow(2, 15) * 3 / 2;
    while (--__v_1 >= 0) { __v_2.push(0xFFFF + 1); }
    String.fromCodePoint.apply(null, __v_2);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot