args[0]->IsJSArray() in runtime-array.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6162555521466368
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: args[0]->IsJSArray() in runtime-array.cc
Regressed: V8: r37868:37869
Minimized Testcase (0.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95HCjmQ-hvajFoKp6Oww7psbiabvnNs7kgO8_ZLS5X6deuQoFOqIVEqG8SYox1xxP7j1lbJSoLTlwU1IHZ3gP0dLan-lOGBCWcZ7414QAOWiEASa1r3xMsLfvivAebZwwWF_YWMP2E_OaDQ77lxtHkewt2pYQ?testcase_id=6162555521466368
Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jul 21 2016
ClusterFuzz has detected this issue as fixed in range 37918:37919.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6162555521466368
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: args[0]->IsJSArray() in runtime-array.cc
Regressed: V8: r37868:37869
Fixed: V8: r37918:37919
Minimized Testcase (0.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95HCjmQ-hvajFoKp6Oww7psbiabvnNs7kgO8_ZLS5X6deuQoFOqIVEqG8SYox1xxP7j1lbJSoLTlwU1IHZ3gP0dLan-lOGBCWcZ7414QAOWiEASa1r3xMsLfvivAebZwwWF_YWMP2E_OaDQ77lxtHkewt2pYQ?testcase_id=6162555521466368
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 21 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 21 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/f793cb1fc36f7ab0929b476e2ca66f2c176376b1

commit f793cb1fc36f7ab0929b476e2ca66f2c176376b1
Author: bmeurer <bmeurer@chromium.org>
Date: Thu Jul 21 07:22:54 2016

[runtime] %TransitionElementsKind works for any kind of JSObject.

The optimizing compilers actually invoke %TransitionElementsKind for any kind of JSObject, the only relevant thing is the elements kind. The runtime function was however checking for JSArray unnecessarily. This only worked by coincidence in Crankshaft because the stub would normally not call into the runtime fallback.

R=jarin@chromium.org
BUG= chromium:629823

Review-Url: https://codereview.chromium.org/2166963004
Cr-Commit-Position: refs/heads/master@{#37919}

[modify] https://crrev.com/f793cb1fc36f7ab0929b476e2ca66f2c176376b1/src/runtime/runtime-array.cc
[add] https://crrev.com/f793cb1fc36f7ab0929b476e2ca66f2c176376b1/test/mjsunit/regress/regress-crbug-629823.js
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Jul 20 2016
Owner: bmeu...@chromium.org
Status: Assigned (was: Available)