!v8::internal::FLAG_enable_slow_asserts || (object->IsSmi()) in objects-inl.h |
|||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4891967416958976 Fuzzer: v8_builtins_generator Job Type: linux_asan_d8_v8_arm_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsSmi()) in objects-inl.h Regressed: V8: r38265:38266 Minimized Testcase (0.26 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv974t5oR6ICAA-x61UtlSWgJfzYg7rr4HY1BOygKojYT_OXsTzznbm6D3tHC5rL0tAP6530DXIQcDz_HJx7Cda3Nd6RtkaKZtLDiltAdQUqXMlmG92lwK3-MGt9vaQgu4CrKbrN5g78UJnUWb06USfX6mZbERQ?testcase_id=4891967416958976 var v7 = eval(); var v8 = eval(); var v10 = eval(); v13 = new Array(v10, v10, v7); v18 = v13.copyWithin(); v35 = new WeakMap(); Object.defineProperty(v18, 0, { get: function() { v13.push(v8, v10); }}); v13[0x80000] = 1; v48 = v13.includes(v35); Filer: mstarzinger See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/9977a2caf30329e60bed69c459e19d85f162abfe commit 9977a2caf30329e60bed69c459e19d85f162abfe Author: caitp <caitp@igalia.com> Date: Thu Aug 04 19:05:40 2016 [elements] update Dictionary in IncludesValue if own elements change Ensure that receiver->elements() == *dictionary after calling an accessor, in addition to checking the prototype. BUG= chromium:634273 , chromium: 634357, v8:5162 R=cbruni@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2212963002 Cr-Commit-Position: refs/heads/master@{#38347} [modify] https://crrev.com/9977a2caf30329e60bed69c459e19d85f162abfe/src/elements.cc [add] https://crrev.com/9977a2caf30329e60bed69c459e19d85f162abfe/test/mjsunit/es7/regress/regress-634273.js [add] https://crrev.com/9977a2caf30329e60bed69c459e19d85f162abfe/test/mjsunit/es7/regress/regress-634357.js
,
Aug 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/0dabe5f6fe3d5962d55cdd70fb83d9cfcfb4a4e0 commit 0dabe5f6fe3d5962d55cdd70fb83d9cfcfb4a4e0 Author: machenbach <machenbach@chromium.org> Date: Fri Aug 05 07:05:01 2016 [test] Skip test failing without i18n support BUG= chromium:634273 , chromium:634357 , v8:5162 NOTRY=true TBR=caitp Review-Url: https://codereview.chromium.org/2211383002 Cr-Commit-Position: refs/heads/master@{#38357} [modify] https://crrev.com/0dabe5f6fe3d5962d55cdd70fb83d9cfcfb4a4e0/test/mjsunit/mjsunit.status
,
Aug 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6cd494feada97744564843de2bbf1007267faa65 commit 6cd494feada97744564843de2bbf1007267faa65 Author: caitp <caitp@igalia.com> Date: Fri Aug 05 12:54:23 2016 [test] don't use Intl.Collator in non-Intl regression test Unskip test which failed with Intl support disabled, and avoid using Intl objects within the test. BUG= chromium:634273 , chromium:634357 , v8:5162 NOTRY=true R=mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2218743003 Cr-Commit-Position: refs/heads/master@{#38384} [modify] https://crrev.com/6cd494feada97744564843de2bbf1007267faa65/test/mjsunit/es7/regress/regress-634357.js [modify] https://crrev.com/6cd494feada97744564843de2bbf1007267faa65/test/mjsunit/mjsunit.status
,
Aug 11 2016
This has been fixed by Caitlin. Many thanks. Closing.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||
►
Sign in to add a comment |
|||
Comment 1 by mstarzinger@chromium.org
, Aug 4 2016Status: Available (was: Untriaged)