!v8::internal::FLAG_enable_slow_asserts || (object->IsSeededNumberDictionary())
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4578183750090752

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsSeededNumberDictionary())

Regressed: V8: r38265:38266

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97dHBpI6mZ8wOMgiaIiOLc0GgWotB-j6kEVmSU_2SPjgjeXgaFwebUhXz9Hsa2GGujrz6lVAFtFrdJxnWlyhV6A-gNrfYOdNo3-Z73IHBOcKPgtz16CV_KapJmW8IXUsK67ZEvuP8lVElGfug4jJn_kL9qO3A?testcase_id=4578183750090752

var v4 = {};
v10 = new Float32Array();
var v11 = {};
var v12 = {};
v13 = new Array(v4, v12, v11);
v38 = new Intl.Collator();
// Installing an accessor at index 1 moves v13 to dictionary (slow) elements.
// The getter rewrites the array's length and element 0 from inside the
// accessor, i.e. while includes() is still walking the element dictionary.
Object.defineProperty(v13, 1, {
  get: function() {
    v13["length"] = v10;
    v13[0] = -2147483648;
  }
});
v72 = v13.includes(v38);

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 4 2016
Seems to be the same issue as 634273, or at least is fixed by my fix for it.
Aug 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/9977a2caf30329e60bed69c459e19d85f162abfe

commit 9977a2caf30329e60bed69c459e19d85f162abfe
Author: caitp <caitp@igalia.com>
Date: Thu Aug 04 19:05:40 2016

[elements] update Dictionary in IncludesValue if own elements change

Ensure that receiver->elements() == *dictionary after calling an accessor, in addition to checking the prototype.

BUG=chromium:634273, chromium:634357, v8:5162
R=cbruni@chromium.org, mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2212963002
Cr-Commit-Position: refs/heads/master@{#38347}

[modify] https://crrev.com/9977a2caf30329e60bed69c459e19d85f162abfe/src/elements.cc
[add] https://crrev.com/9977a2caf30329e60bed69c459e19d85f162abfe/test/mjsunit/es7/regress/regress-634273.js
[add] https://crrev.com/9977a2caf30329e60bed69c459e19d85f162abfe/test/mjsunit/es7/regress/regress-634357.js
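The commit above re-validates the element dictionary after every accessor call. As an added example that is not part of this bug report or of V8's own regression tests, the Node.js script below exercises the same pattern from the JavaScript side: Array.prototype.includes on a dictionary-mode array whose accessor element mutates the receiver mid-search, returning the results the ES2016 algorithm requires (length is read once, every index below that snapshot is read lazily after the getter has run). The helper includesWithMutatingGetter and the four case functions are constructed for this example.

```javascript
// Constructed example (not from the bug report or V8's test suite): exercise
// Array.prototype.includes on a dictionary-mode array whose accessor element
// mutates the receiver while the search is running, and return the results
// the ES2016 algorithm requires. includes() reads `length` once, then calls
// Get(O, k) for every k below that snapshot, so element changes made by the
// getter are observed on later indices but a changed length is not.

// Helper: copy `initial`, install an accessor at index 1 (this alone moves the
// array to dictionary/slow elements in V8, as in the testcase), and run
// includes(). The getter calls `mutate(arr)` before returning its own value.
function includesWithMutatingGetter(initial, mutate, searchValue) {
  const arr = initial.slice();
  Object.defineProperty(arr, 1, {
    configurable: true,
    get() { mutate(arr); return 'getter'; },
  });
  return arr.includes(searchValue);
}

// Case 1: the getter truncates the array (the testcase's `v13.length = ...`).
// Index 2 no longer exists when it is read, so the original 'c' is not found...
function truncatedIsNotFound() {
  return includesWithMutatingGetter(['a', 'b', 'c'], a => { a.length = 1; }, 'c');
}

// ...but reading the now-missing index 2 yields undefined, which is found.
function truncatedReadsUndefined() {
  return includesWithMutatingGetter(['a', 'b', 'c'], a => { a.length = 1; }, undefined);
}

// Case 2: the getter overwrites a later index with the search value; because
// every index is read lazily, includes() reports it as present.
function lateWriteIsFound() {
  return includesWithMutatingGetter(['a', 'b', 'c'], a => { a[2] = 'late'; }, 'late');
}

// Case 3: the getter stores the search value far beyond the original length.
// The length snapshot (3) was taken before the loop, so index 1e6 is never read.
function beyondSnapshotIsNotFound() {
  return includesWithMutatingGetter(['a', 'b', 'c'], a => { a[1000000] = 'far'; }, 'far');
}
```

On a build with the fix, all four calls return the spec results without tripping the IsSeededNumberDictionary assertion, which is what the regression tests added by the commit check for.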
Aug 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/0dabe5f6fe3d5962d55cdd70fb83d9cfcfb4a4e0

commit 0dabe5f6fe3d5962d55cdd70fb83d9cfcfb4a4e0
Author: machenbach <machenbach@chromium.org>
Date: Fri Aug 05 07:05:01 2016

[test] Skip test failing without i18n support

BUG=chromium:634273, chromium:634357, v8:5162
NOTRY=true
TBR=caitp

Review-Url: https://codereview.chromium.org/2211383002
Cr-Commit-Position: refs/heads/master@{#38357}

[modify] https://crrev.com/0dabe5f6fe3d5962d55cdd70fb83d9cfcfb4a4e0/test/mjsunit/mjsunit.status
Aug 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6cd494feada97744564843de2bbf1007267faa65

commit 6cd494feada97744564843de2bbf1007267faa65
Author: caitp <caitp@igalia.com>
Date: Fri Aug 05 12:54:23 2016

[test] don't use Intl.Collator in non-Intl regression test

Unskip test which failed with Intl support disabled, and avoid using Intl objects within the test.

BUG=chromium:634273, chromium:634357, v8:5162
NOTRY=true
R=mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2218743003
Cr-Commit-Position: refs/heads/master@{#38384}

[modify] https://crrev.com/6cd494feada97744564843de2bbf1007267faa65/test/mjsunit/es7/regress/regress-634357.js
[modify] https://crrev.com/6cd494feada97744564843de2bbf1007267faa65/test/mjsunit/mjsunit.status
Aug 11 2016
This has been fixed by Caitlin. Many thanks. Closing.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Aug 4 2016
Status: Available (was: Untriaged)