array->HasFastSmiOrObjectElements() || array->HasFastDoubleElements() in runtime |
||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5758424294096896 Fuzzer: decoder_langfuzz Job Type: linux_asan_chrome_v8_d8 Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: array->HasFastSmiOrObjectElements() || array->HasFastDoubleElements() in runtime Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_d8&range=36801:36820 Minimized Testcase (10.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95n1Jj71m2rMwjWryKBM_wP3A6lgudLMLPpkJKMvoYzwLGyslgV9bAk5J7Gj-R6gzreu0w1IN2WzfxTg9XfFTWJvNdq_brr-srova-hvHkfD224jiRYQDAc5-M-UTISp_kONKocY6ZMZwdEOOk29rM7qyyUMA Filer: mstarzinger See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 9 2016
Camillo voiced interest. Feel free to bounce back if you are swamped, I'll find someone else. Thanks!
,
Jun 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/8a88fc142f805dd0feba895ff692d5374ab224f2 commit 8a88fc142f805dd0feba895ff692d5374ab224f2 Author: cbruni <cbruni@chromium.org> Date: Mon Jun 13 10:06:25 2016 [arrays] Fix %GetArrayKeys for special element kinds Array.prototype.sort would not work properly on sloppy arguments of size > 2. BUG= chromium:618613 Review-Url: https://codereview.chromium.org/2051413004 Cr-Commit-Position: refs/heads/master@{#36920} [modify] https://crrev.com/8a88fc142f805dd0feba895ff692d5374ab224f2/src/runtime/runtime-array.cc [modify] https://crrev.com/8a88fc142f805dd0feba895ff692d5374ab224f2/test/mjsunit/array-sort.js
,
Jun 13 2016
ClusterFuzz has detected this issue as fixed in range 36911:36925. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5758424294096896 Fuzzer: decoder_langfuzz Job Type: linux_asan_chrome_v8_d8 Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: array->HasFastSmiOrObjectElements() || array->HasFastDoubleElements() in runtime Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_d8&range=36801:36820 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_d8&range=36911:36925 Minimized Testcase (10.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95n1Jj71m2rMwjWryKBM_wP3A6lgudLMLPpkJKMvoYzwLGyslgV9bAk5J7Gj-R6gzreu0w1IN2WzfxTg9XfFTWJvNdq_brr-srova-hvHkfD224jiRYQDAc5-M-UTISp_kONKocY6ZMZwdEOOk29rM7qyyUMA See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 13 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 15 2016
Issue 620114 has been merged into this issue.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||
►
Sign in to add a comment |
||||
Comment 1 by mstarzinger@chromium.org
, Jun 9 2016