Crash in v8::internal::Context::native_context

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6274641087954944

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000007
Crash State:
  v8::internal::Context::native_context
  v8::internal::Isolate::get_initial_js_array_map
  v8::internal::Isolate::IsFastArrayConstructorPrototypeChainIntact
Regressed: V8: r38417:38418

Minimized Testcase (8.18 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95vAUTID2VE7U1Q46KpM8BBY2a0A9GH-jGzruAEFlHkCqinDFROe9-lihiBoDkc0r46s8i-5vyQWyXG8Sn3N2JoIA5hjHc1OVXn6_wbnbaGsf-qK6thny4ceP6lwyoVXmy9Ow8beK62stQSU0W9JzKwrlHoag?testcase_id=6274641087954944

Issue manually filed by: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Aug 9 2016

Aug 9 2016

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/78727d4362f76cad0e384bdf809d59fba4895195

commit 78727d4362f76cad0e384bdf809d59fba4895195
Author: bmeurer <bmeurer@chromium.org>
Date: Tue Aug 09 13:02:52 2016

[runtime] %GrowArrayElements doesn't have a native context in TurboFan.

When we compile a growing store in TurboFan, we don't pass a (native) context to the %GrowArrayElements fallback function, as the whole logic is actually context independent. However, that means that we need to bail out early in case the object is a prototype, which requires context dependent checks in the array protector code.

R=cbruni@chromium.org
BUG=chromium:635798
Review-Url: https://codereview.chromium.org/2224253003
Cr-Commit-Position: refs/heads/master@{#38491}

[modify] https://crrev.com/78727d4362f76cad0e384bdf809d59fba4895195/src/runtime/runtime-array.cc
[add] https://crrev.com/78727d4362f76cad0e384bdf809d59fba4895195/test/mjsunit/regress/regress-crbug-635798.js
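The shape the commit message describes, as an added illustration that is not V8's regression test (regress-crbug-635798.js) and not part of the original bug thread: a "growing store" (a write one past the current length) inside a hot function, performed on an array that has also been turned into a prototype of another object. The function names, the iteration counts, and the use of Object.create to make the array a prototype are this example's own assumptions; it is written to run unchanged in any current JavaScript engine and only checks the language-level result, not engine internals.

```javascript
// Added illustration of the growing-store-on-a-prototype pattern from the
// commit message (constructed example; not code from V8 or from this bug).
// The crash on the affected range was in the runtime fallback path
// (%GrowArrayElements) taken when an optimized store has to grow the
// backing store of an object that is a prototype; the fix bails out of
// that path early for prototype objects.

// Growing store: writing at index arr.length forces the backing store to
// grow, which is the case the TurboFan-compiled code hands to the runtime.
function growingStore(arr, value) {
  arr[arr.length] = value;
  return arr.length;
}

// Warm the store function on an ordinary array so a JIT tier compiles it
// (iteration count is an assumption; engines choose their own thresholds).
function warmUp(iterations) {
  const scratch = [];
  for (let i = 0; i < iterations; i++) {
    growingStore(scratch, i);
  }
  return scratch.length;
}

// Now make the target array a prototype (Object.create marks it as one in
// V8) and run the same hot growing store against it.
function growPrototypeArray(count) {
  const protoArray = [1, 2, 3];
  const child = Object.create(protoArray); // protoArray is now a prototype
  for (let i = 0; i < count; i++) {
    growingStore(protoArray, 100 + i);
  }
  return {
    length: protoArray.length,                    // 3 + count
    inherited: child[3],                          // first grown element, via the chain
    prototypeIsArray: Array.isArray(Object.getPrototypeOf(child)),
  };
}

warmUp(100000);
growPrototypeArray(5);
```

On a fixed engine this simply returns the grown length and the inherited element; the value of the exercise is the combination (optimized code, growing store, prototype target), which is the condition the commit singles out for an early bailout.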
Aug 9 2016

Aug 10 2016

ClusterFuzz has detected this issue as fixed in range 38490:38491.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6274641087954944

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000007
Crash State:
  v8::internal::Context::native_context
  v8::internal::Isolate::get_initial_js_array_map
  v8::internal::Isolate::IsFastArrayConstructorPrototypeChainIntact
Regressed: V8: r38417:38418
Fixed: V8: r38490:38491

Minimized Testcase (8.18 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95vAUTID2VE7U1Q46KpM8BBY2a0A9GH-jGzruAEFlHkCqinDFROe9-lihiBoDkc0r46s8i-5vyQWyXG8Sn3N2JoIA5hjHc1OVXn6_wbnbaGsf-qK6thny4ceP6lwyoVXmy9Ow8beK62stQSU0W9JzKwrlHoag?testcase_id=6274641087954944

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Aug 30 2016

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/864cdc124c55f48740100a4dcaa3b5582040d815

commit 864cdc124c55f48740100a4dcaa3b5582040d815
Author: bmeurer <bmeurer@chromium.org>
Date: Tue Aug 30 04:04:01 2016

[test] Speed-up regression test for growing stores.

TBR=machenbach@chromium.org
BUG=chromium:635798, chromium:638295
Review-Url: https://codereview.chromium.org/2288813003
Cr-Commit-Position: refs/heads/master@{#38991}

[modify] https://crrev.com/864cdc124c55f48740100a4dcaa3b5582040d815/test/mjsunit/regress/regress-crbug-635798.js
Oct 18 2016

Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot

Comment 1 by nyerramilli@chromium.org, Aug 9 2016

Components: Tools>Test>FindIt>NoResult
Labels: findit-wrong Te-Logged
Status: Available (was: Untriaged)