static_cast<uint32_t>(dict->NumberOfElements()) <= size in objects-debug.cc

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5754855756136448
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: static_cast<uint32_t>(dict->NumberOfElements()) <= size in objects-debug.cc
Regressed: V8: r40968:40969
Minimized Testcase (2.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94YTG5AQd3J06qo-6Wh4n_lC1k9z8w-gslYyRrQWFGcxlRUYEjH2-kGScR0uC-nhCJoRVsvwHkXfqTrSUZJN-aenkyjOXCdDh0tzb-sdze72_pgZIELscEMWN_3_r07hC2-pQtfQA1qwsM1UBCD7qcZD8XU9g?testcase_id=5754855756136448

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 15 2016

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/3a91f8af1aaa096c7042e2f4105802badf7dab3e

commit 3a91f8af1aaa096c7042e2f4105802badf7dab3e
Author: cbruni <cbruni@chromium.org>
Date: Tue Nov 15 16:09:25 2016

[heap-verify] Allow for temporary invalid array length for slow elements

R=jkummerow@chromium.org
BUG= chromium:665112

Review-Url: https://codereview.chromium.org/2501303002
Cr-Commit-Position: refs/heads/master@{#41002}

[modify] https://crrev.com/3a91f8af1aaa096c7042e2f4105802badf7dab3e/src/objects-debug.cc
Nov 18 2016

ClusterFuzz has detected this issue as fixed in range 41001:41002.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5754855756136448
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: static_cast<uint32_t>(dict->NumberOfElements()) <= size in objects-debug.cc
Regressed: V8: r40968:40969
Fixed: V8: r41001:41002
Minimized Testcase (2.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94YTG5AQd3J06qo-6Wh4n_lC1k9z8w-gslYyRrQWFGcxlRUYEjH2-kGScR0uC-nhCJoRVsvwHkXfqTrSUZJN-aenkyjOXCdDh0tzb-sdze72_pgZIELscEMWN_3_r07hC2-pQtfQA1qwsM1UBCD7qcZD8XU9g?testcase_id=5754855756136448

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 18 2016

ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Nov 14 2016

Owner: cbruni@chromium.org
Status: Assigned (was: Untriaged)