Crash in v8::internal::Heap::AllocateHeapNumber
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6648505599000576
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: UNKNOWN WRITE
Crash Address: 0xbebebebe
Crash State:
  v8::internal::Heap::AllocateHeapNumber
  v8::internal::Factory::NewHeapNumber
  v8::internal::Factory::NewNumberFromUint
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=400026:400041

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96XEhzaeCZtpwNwEEP_OJuR3j0_A2GV1ys7DxKM-KB3C98PVrd7GCthZwC-lVkUbhGFcypRAN4ca2rCEwgyoADPgOXmfEcOqgYmID4P3Ey0ppUgA2xVyZNg3AMHEFbyGSNaAXwH9p2LApkIANYcgER3wf7-yg

  gc();
  try { __v_2; } catch(e) {; }
  __v_5 = { };
  __v_4 = [];
  __v_5 = { };
  for (var __v_3 = 1073741823; __v_3 < 4294967295; __v_3++) __v_4[__v_3] = __v_3;

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5279443283345408
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: UNKNOWN WRITE
Crash Address: 0xbebebebe
Crash State:
  v8::internal::Heap::AllocateHeapNumber
  v8::internal::Factory::NewHeapNumber
  v8::internal::Runtime_AllocateHeapNumber
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=399917:399984

Minimized Testcase (1.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96QCP5SbcOrVz4OmCQXkol2-JXmH5fOoXSef7snh9u2Q8Dddr-yT1A90fWgs24_7-Au7vjhVRIXG_G5_vKYF1BmKcun62vmnN-knr8Lgn3pQSyIo5JAtt_esvivwzWK1nqIBWqJ3NDW5Nf_2EV2CO20P3sH-g

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 17 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6648505599000576
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: UNKNOWN WRITE
Crash Address: 0xbebebebe
Crash State:
  v8::internal::Heap::AllocateHeapNumber
  v8::internal::Factory::NewHeapNumber
  v8::internal::Factory::NewNumberFromUint
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=400026:400041

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96XEhzaeCZtpwNwEEP_OJuR3j0_A2GV1ys7DxKM-KB3C98PVrd7GCthZwC-lVkUbhGFcypRAN4ca2rCEwgyoADPgOXmfEcOqgYmID4P3Ey0ppUgA2xVyZNg3AMHEFbyGSNaAXwH9p2LApkIANYcgER3wf7-yg

  gc();
  try { __v_2; } catch(e) {; }
  __v_5 = { };
  __v_4 = [];
  __v_5 = { };
  for (var __v_3 = 1073741823; __v_3 < 4294967295; __v_3++) __v_4[__v_3] = __v_3;

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 17 2016
Fixed by:

commit 2263ee9bf4e5aa341cbac547add68a2105963477
Author: mlippautz <mlippautz@chromium.org>
Date: Thu Jun 16 09:52:45 2016 -0700

Revert of [heap] Add page evacuation mode for new->new (patchset #18 id:440001 of https://codereview.chromium.org/1957323003/ )

Reason for revert:
Fragmentation of LABs could result in increasing memory usage (pages) instead of shrinking.

BUG=chromium:620320
LOG=N

Original issue's description:
> [heap] Add page evacuation mode for new->new
>
> Adds an evacuation mode that allows moving pages within new space without
> copying objects.
>
> Basic idea:
> a) Move page within new space
> b) Sweep page to make iterable and process ArrayBuffers
> c) Finish sweep till next scavenge
>
> Threshold is currently 70% live bytes, i.e., the same threshold we use
> to determine fragmented pages.
>
> BUG=chromium:581412
> LOG=N
> CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_arm64_gc_stress_dbg,v8_linux_gc_stress_dbg,v8_mac_gc_stress_dbg,v8_linux64_tsan_rel,v8_mac64_asan_rel
>
> Committed: https://crrev.com/49b23201671b25092a3c22eb85783f39b95a5f87
> Cr-Commit-Position: refs/heads/master@{#36990}

TBR=ulan@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:581412

Review-Url: https://codereview.chromium.org/2063013005
Cr-Commit-Position: refs/heads/master@{#37042}
Jun 17 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5279443283345408
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: UNKNOWN WRITE
Crash Address: 0xbebebebe
Crash State:
  v8::internal::Heap::AllocateHeapNumber
  v8::internal::Factory::NewHeapNumber
  v8::internal::Runtime_AllocateHeapNumber
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=399917:399984

Minimized Testcase (1.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96QCP5SbcOrVz4OmCQXkol2-JXmH5fOoXSef7snh9u2Q8Dddr-yT1A90fWgs24_7-Au7vjhVRIXG_G5_vKYF1BmKcun62vmnN-knr8Lgn3pQSyIo5JAtt_esvivwzWK1nqIBWqJ3NDW5Nf_2EV2CO20P3sH-g?testcase_id=5279443283345408

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 22 2016
Bisects to:

commit 7d5969da3d2b1a9b08c6fc6517d69f8ca4aca94c
Author: mlippautz <mlippautz@chromium.org>
Date: Mon Jun 20 06:19:25 2016 -0700

Reland "[heap] Add page evacuation mode for new->new"

Adds an evacuation mode that allows moving pages within new space without
copying objects.

Basic idea:
a) Move page within new space
b) Sweep page to make iterable and process ArrayBuffers
c) Finish sweep till next scavenge

Threshold is currently 70% live bytes, i.e., the same threshold we use
to determine fragmented pages.

This reverts commit 2263ee9bf4e5aa341cbac547add68a2105963477.

BUG=chromium:581412
LOG=N
CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_arm64_gc_stress_dbg,v8_linux_gc_stress_dbg,v8_mac_gc_stress_dbg,v8_linux64_tsan_rel,v8_mac64_asan_rel

Review-Url: https://codereview.chromium.org/2078863002
Cr-Commit-Position: refs/heads/master@{#37104}
Jun 22 2016
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. - Your friendly ClusterFuzz
Jun 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/21b55c4aa5fd47da0ef3802c88f6da41690b7d1f

commit 21b55c4aa5fd47da0ef3802c88f6da41690b7d1f
Author: mlippautz <mlippautz@chromium.org>
Date: Wed Jun 22 09:07:30 2016

[heap] Fix check in AdvancePage

Failing to do the right check in AdvancePage results in a crash in a CHECK
later in EnsureCurrentCapacity.

BUG=chromium:620750,chromium:622115
LOG=N
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2090013002
Cr-Commit-Position: refs/heads/master@{#37171}

[modify] https://crrev.com/21b55c4aa5fd47da0ef3802c88f6da41690b7d1f/src/heap/spaces.h
[add] https://crrev.com/21b55c4aa5fd47da0ef3802c88f6da41690b7d1f/test/mjsunit/regress/regress-620750.js
Sep 28 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Jun 16 2016
Status: Assigned (was: Available)