New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 634269 link

Starred by 1 user
Status: Fixed
Owner: ----
Closed: Aug 2016
Cc:
cbruni@chromium.org
ca...@igalia.com
rossberg@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

(index >= 0) && (index < this->length()) in objects-inl.h

Project Member Reported by ClusterFuzz, Aug 4 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5775679587352576

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  (index >= 0) && (index < this->length()) in objects-inl.h
  
Regressed: V8: r38265:38266

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv965d-pASKNuHa5He5NrpFLJVo60XBZjGAY0x54CRKAOOKN0Q8LpU_lLHIk_Z0H5R72KWydeOS_6-Np9oi3Nwlyhl3nDVmJfxLUT230wnBuleIw__WY6kQdzi3x8H8ERiDv0869kyUf3r9Wv6zskrHZAAS5DNw?testcase_id=5775679587352576
__v_1 = new Uint8Array();
Object.defineProperty(__v_1.__proto__, 'length', {value: 42});
(function() {
})();
(function() {
})();
(function() {
  var __v_1 = {
    get 9007199254740992() {
    }  };
Array.prototype.includes.call(new Uint8Array(), 2);
})();


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mstarzinger@chromium.org, Aug 4 2016

Cc: ca...@igalia.com cbruni@chromium.org rossberg@chromium.org
Status: Available (was: Untriaged)
Regression range and repro point towards Array.prototype.includes CL.
Project Member

Comment 2 by bugdroid1@chromium.org, Aug 4 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/0d7f7dc3ee2181da5f6930925275e8e9342d0897

commit 0d7f7dc3ee2181da5f6930925275e8e9342d0897
Author: caitp <caitp@igalia.com>
Date: Thu Aug 04 15:53:10 2016

[elements] limit TypedElementsAccessor::IncludesValue to backing store length

The contract is that the method is only invoked when there are no elements on
the prototype, and this elements type forbids accessor elements. So it is safe
to limit the search to the end of the backing store.

BUG= chromium:634269 ,  v8:5162 
R=cbruni@chromium.org, mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2209273002
Cr-Commit-Position: refs/heads/master@{#38344}

[modify] https://crrev.com/0d7f7dc3ee2181da5f6930925275e8e9342d0897/src/elements.cc
[add] https://crrev.com/0d7f7dc3ee2181da5f6930925275e8e9342d0897/test/mjsunit/es7/regress/regress-634269.js

Comment 3 by mstarzinger@chromium.org, Aug 11 2016

Status: Fixed (was: Available)
This has been fixed by Caitlin. Many thanks. Closing.
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment