Issue metadata
Sign in to add a comment
|
Crash in v8::internal::Heap::AllocateFillerObject |
||||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5302815169970176 Fuzzer: mbarbella_js_mutation Job Type: windows_asan_d8 Platform Id: windows Crash Type: UNKNOWN WRITE Crash Address: 0xbebebebe Crash State: v8::internal::Heap::AllocateFillerObject v8::internal::Factory::NewFillerObject v8::internal::Runtime_AllocateInTargetSpace Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=400073:400083 Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94txdKfrFiSXmZlekEW_NdsEnGEKcz7fLD7Rm5h1nqJb2W1ni0EofX-3v5-U9Vb65IzPNtamk60rvc180Otb6QsfrRYgYP2QAmvFyDpDq_sISEP7JqNTJoqkyv71BcI65WSOtGBybYni-aAD9gci79d70SRzg var __v_3 = ""; function __f_1() { gc(); } __f_1(); for (var __v_2 = 1073741823; __v_2 < 2147483648; __v_2++) { __v_3 += ("var a" + __v_2 + " = " + __v_2 + ";"); } try { } catch(e) {; } Filer: inferno See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 17 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5302815169970176 Fuzzer: mbarbella_js_mutation Job Type: windows_asan_d8 Platform Id: windows Crash Type: UNKNOWN WRITE Crash Address: 0xbebebebe Crash State: v8::internal::Heap::AllocateFillerObject v8::internal::Factory::NewFillerObject v8::internal::Runtime_AllocateInTargetSpace Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=400073:400083 Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94txdKfrFiSXmZlekEW_NdsEnGEKcz7fLD7Rm5h1nqJb2W1ni0EofX-3v5-U9Vb65IzPNtamk60rvc180Otb6QsfrRYgYP2QAmvFyDpDq_sISEP7JqNTJoqkyv71BcI65WSOtGBybYni-aAD9gci79d70SRzg var __v_3 = ""; function __f_1() { gc(); } __f_1(); for (var __v_2 = 1073741823; __v_2 < 2147483648; __v_2++) { __v_3 += ("var a" + __v_2 + " = " + __v_2 + ";"); } try { } catch(e) {; } See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 17 2016
,
Jun 17 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 17 2016
,
Jun 22 2016
,
Jul 7 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/infra/puppet/+/b240e809ba2aaa38c82064fd4200e44e8a6a544e commit b240e809ba2aaa38c82064fd4200e44e8a6a544e Author: Elliott Friedman <friedman@google.com> Date: Thu Jul 07 19:53:50 2016
,
Sep 28 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
|
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by infe...@chromium.org
, Jun 16 2016Status: Assigned (was: Available)