New issue
Advanced search Search tips

Issue 625549 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

RUNTIME_ASSERT in args[argc + 1]->IsJSReceiver() in runtime-array.cc

Project Member Reported by ClusterFuzz, Jul 4 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4564292183785472

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: RUNTIME_ASSERT
Crash Address: 
Crash State:
  args[argc + 1]->IsJSReceiver() in runtime-array.cc
  
Regressed: V8: r37476:37477

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95p1YV0qXWq3LTZm850JyqThOUJNPM_mXv6MJ-oeM1n19hsW66-5gD8dcelrT2Vi9D5cmQ8GXehpqiCGXKNnpiABHHmR_CDBh6UDmN7tad_oetws4Hm5GUzZnaJRYeIyrtGgDyVX0UYfttCih0C5PXBjgigFQ?testcase_id=4564292183785472
for (var __v_0 = 0; ; __v_0++) {
  if (__v_0 > 100) break;
}
  function __f_6(arg) {
    return Array(arg);
  }
  __f_6(0);
  __f_6(2147483648);


Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: danno@chromium.org
Status: Assigned (was: Available)
CF points to this CL: bd0d9e7d87d418b0c6a84f298e27058645083dad.
Cc: bmeu...@chromium.org jarin@chromium.org
 Issue 625550  has been merged into this issue.
 Issue 625551  has been merged into this issue.
 Issue 625554  has been merged into this issue.
 Issue 625325  has been merged into this issue.
Cc: danno@chromium.org
 Issue 625568  has been merged into this issue.
 Issue 625324  has been merged into this issue.
 Issue 625323  has been merged into this issue.
Labels: merg
Status: Fixed (was: Assigned)
Fixed by https://codereview.chromium.org/2122643003/
Cc: hablich@chromium.org adamk@chromium.org
 Issue 625556  has been merged into this issue.
Project Member

Comment 12 by ClusterFuzz, Jul 4 2016

ClusterFuzz has detected this issue as fixed in range 37498:37499.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4564292183785472

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: RUNTIME_ASSERT
Crash Address: 
Crash State:
  args[argc + 1]->IsJSReceiver() in runtime-array.cc
  
Regressed: V8: r37476:37477
Fixed: V8: r37498:37499

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95p1YV0qXWq3LTZm850JyqThOUJNPM_mXv6MJ-oeM1n19hsW66-5gD8dcelrT2Vi9D5cmQ8GXehpqiCGXKNnpiABHHmR_CDBh6UDmN7tad_oetws4Hm5GUzZnaJRYeIyrtGgDyVX0UYfttCih0C5PXBjgigFQ?testcase_id=4564292183785472
for (var __v_0 = 0; ; __v_0++) {
  if (__v_0 > 100) break;
}
  function __f_6(arg) {
    return Array(arg);
  }
  __f_6(0);
  __f_6(2147483648);


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 13 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment