(value & V8_UINT64_C(ADDRESS)) != unexpected || (value & V8_UINT64_C(ADDRESS)) =
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4938925525434368
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  (value & V8_UINT64_C(ADDRESS)) != unexpected || (value & V8_UINT64_C(ADDRESS)) =
Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95YJVoX6gT3JJa3zMpjV_AVa3EmjxozCwsYx6QyYVKaaTA0vEuHSHlESYr07qn6mhOlOXbl2c-vSaPH_44Kty5OH3remHBPN_elt58u77kI2cQk8rMbWeRhuMa5FiMYW5PeodQRbGRmO_DwfMBoaGEwtQ0c3Q

    var __v_10 = {};
    (function __f_1() {
      function __f_2(src, dst, i) { dst[i] = src[i]; }
      var __v_2 = new ArrayBuffer(16);
      var __v_1 = new Int32Array(__v_2);
      __v_1[1] = 0xFFF7FFFF;  // upper 32 bits of the first double in the buffer (little-endian): a NaN bit pattern
      var __v_3 = new Float64Array(__v_2);
      var __v_0 = [,0.1];  // holey double array: element 0 is a hole
      __f_2(__v_3, __v_0, -1073741825);  // out-of-range index
      __f_2(__v_3, __v_0, 0);  // stores the NaN pattern from the typed array into the holey double array
    })();

Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/a81c66546ee4ce85bf6894b087a898752cc651d1

commit a81c66546ee4ce85bf6894b087a898752cc651d1
Author: ishell <ishell@chromium.org>
Date: Thu Jun 23 08:26:53 2016

    [mips] Fix using signaling NaN for holes in fixed double arrays.

    BUG= chromium:620650
    Review-Url: https://codereview.chromium.org/2086343002
    Cr-Commit-Position: refs/heads/master@{#37207}

[modify] https://crrev.com/a81c66546ee4ce85bf6894b087a898752cc651d1/src/mips/macro-assembler-mips.cc
[modify] https://crrev.com/a81c66546ee4ce85bf6894b087a898752cc651d1/src/mips/macro-assembler-mips.h
[add] https://crrev.com/a81c66546ee4ce85bf6894b087a898752cc651d1/test/mjsunit/regress/regress-crbug-620650.js
Jun 23 2016
Jun 24 2016
ClusterFuzz has detected this issue as fixed in range 37206:37207.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4938925525434368
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  (value & V8_UINT64_C(ADDRESS)) != unexpected || (value & V8_UINT64_C(ADDRESS)) =
Fixed: V8: r37206:37207
Minimized Testcase (0.31 Kb): (same testcase as in the issue description)
Download: https://cluster-fuzz.appspot.com/download/AMIfv95YJVoX6gT3JJa3zMpjV_AVa3EmjxozCwsYx6QyYVKaaTA0vEuHSHlESYr07qn6mhOlOXbl2c-vSaPH_44Kty5OH3remHBPN_elt58u77kI2cQk8rMbWeRhuMa5FiMYW5PeodQRbGRmO_DwfMBoaGEwtQ0c3Q?testcase_id=4938925525434368
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Jun 22 2016
Status: Assigned (was: Available)