Stack-overflow in v8::internal::PerThreadAssertScope<
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5726881678884864

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffc97178a38
Crash State:
  v8::internal::PerThreadAssertScope<
  void v8::internal::LookupIterator::Start<false>
  v8::internal::LookupIterator::LookupIterator

Regressed: V8: r38288:38289

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95U311Cn5th-eHeplc1_l6a864RODiGJfuLe4ao9DeDbcZORK8WdlnLQcE-yF2U-raJi5DSLvoxD2w0y4I9Mr9OeADbyq_v0L9mPhT3HMolCb5FqV5Zc6hADyioxaSGNazGNtTC45LyJ0DFVQsUlRNgdTHQwg?testcase_id=5726881678884864

  v3 = new EvalError();
  v5 = new SyntaxError();
  // Reading v3.name now re-enters error stringification on v5.
  Object.defineProperty(v3.__proto__, "name", { get: function() { v5.toString(); } });
  // Reading v5.message points v5.name back at v5, then throws a TypeError
  // (v5 is not callable) whose message the engine builds from v5 itself.
  SyntaxError.prototype.__defineGetter__("message", function() {
    this["name"] = v5;
    Reflect.apply(v5);
  })
  // Constructing the TypeError stringifies v3 and walks both getters.
  v12 = new TypeError(v3);

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 3 2016
Minimized testcase:

  error = new Error();
  error.name = error;
  Reflect.apply(error);
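The self-referential Error shapes from the issue description and from the minimized testcase above, rebuilt as an added regression harness. This is not code from the ClusterFuzz reports or from V8; it assumes a current d8/Node build in which the native error-to-string path no longer recurses, and the helper names (classify, minimizedTestcase, descriptionTestcase, typedArrayTestcase, prototypesIntact) are chosen here. On a fixed engine every case ends in a catchable TypeError; the regressed range in the reports overflowed the native stack instead.

```javascript
// Added regression harness; not code from the ClusterFuzz reports or from V8.
// Each case rebuilds one of the self-referential Error shapes from this issue
// and returns the constructor name of whatever the engine throws. All inputs
// are constructed inline. The helper names are chosen here, not taken from
// the page.

function classify(fn) {
  try {
    fn();
    return "no-throw";
  } catch (e) {
    return e instanceof Error ? e.constructor.name : typeof e;
  }
}

// Aug 3 comment: error.name points back at the error and Reflect.apply fails
// because `error` is not callable. The TypeError message is assembled from
// `error` natively (the NoSideEffectsToString frames in the crash state), so
// a cycle there is never guarded by a JS-level stack check.
function minimizedTestcase() {
  const error = new Error();
  error.name = error;
  return classify(() => Reflect.apply(error));
}

// Issue description: getters on EvalError.prototype and SyntaxError.prototype
// re-enter error stringification and end in a non-callable Reflect.apply.
// The prototype edits are undone afterwards so later code in the same
// process does not inherit poisoned built-ins.
function descriptionTestcase() {
  const savedName = Object.getOwnPropertyDescriptor(EvalError.prototype, "name");
  const savedMessage = Object.getOwnPropertyDescriptor(SyntaxError.prototype, "message");
  try {
    const v3 = new EvalError();
    const v5 = new SyntaxError();
    Object.defineProperty(EvalError.prototype, "name", {
      get() { v5.toString(); },
      configurable: true,
    });
    Object.defineProperty(SyntaxError.prototype, "message", {
      get() { this.name = v5; Reflect.apply(v5); },
      configurable: true,
    });
    // new TypeError(v3) stringifies v3, which walks both getters above.
    return classify(() => new TypeError(v3));
  } finally {
    Object.defineProperty(EvalError.prototype, "name", savedName);
    Object.defineProperty(SyntaxError.prototype, "message", savedMessage);
  }
}

// Aug 4 report: an indexed getter makes v5.message refer to v5, then v5 is
// handed to Int8Array.prototype.every as the (non-callable) predicate.
function typedArrayTestcase() {
  const v5 = new RangeError();
  Object.defineProperty(v5, 1, { get() { v5.message = v5; } });
  void v5[1];
  return classify(() => new Int8Array().every(v5));
}

// True if descriptionTestcase left the built-in prototypes as it found them.
function prototypesIntact() {
  const n = Object.getOwnPropertyDescriptor(EvalError.prototype, "name");
  const m = Object.getOwnPropertyDescriptor(SyntaxError.prototype, "message");
  return n.value === "EvalError" && m.value === "" && !("get" in n) && !("get" in m);
}
```

Run each case in a fresh process when triaging: a build with the regression does not throw, it dies with the stack-overflow ASan report, so a harness that swallows the crash of one case would hide the others.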
Aug 4 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4783943218102272

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0xff4a2f90
Crash State:
  v8::internal::Object::ToString
  v8::internal::Object::NoSideEffectsToString
  v8::internal::Object::NoSideEffectsToString

Regressed: V8: r38288:38289

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94Zp9Sdf5JK3T_s7v8e5nIB0gxyNwVLkyYqV32JDJqFU9goLUX7Er3JU35BZauKOzJpItZvNNRziq3C1CPVUv-nZ90lu45rEszsP5QKweUwjDeTF58LCglJYrT-3LvJ_GYceKl_nQjSuoeapVRLEs4L0-Lm8w?testcase_id=4783943218102272

  v5 = new RangeError();
  // Reading index 1 makes v5.message refer back to v5.
  Object.defineProperty(v5, 1, { get: function() { v5["message"] = v5; }});
  v27 = v5[1];
  v40 = new Int8Array();
  // v5 is not callable: the TypeError message is built from v5, whose
  // message is v5 again (the NoSideEffectsToString recursion above).
  v45 = v40.every(v5);

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Aug 3 2016
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)