Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6491632422879232

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Factory::NewTuple2
  v8::internal::PropertyICCompiler::CompileKeyedStoreMonomorphicHandler
  v8::internal::PropertyICCompiler::ComputeKeyedStoreMonomorphicHandler

Regressed: V8: r41331:41332

Minimized Testcase (0.12 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97vn00FCzDJ6BwTaHLXysh33Ay0EcTym3IdHZQWYjHpBwMCqXtPMbzAgd_72G3au323cQVa_sOwtlEYP1GfuLrmVXu5k-kPlJUQfKdHsrLA_Y-hNGjClSNm5E-wjVNxpo9B8aFDK2EmJSTws_JcAxBVUBR8xg?testcase_id=6491632422879232

__v_4 = Object.create(null, { f4: {value: 4} });
function __f_2(a) { a[5000000] = 256; }
__v_2 = __v_4;
__f_2(__v_2);

Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Regression range points to a39522f44f7e0be4686831688917e9675255dcaf.
Issue 669353 has been merged into this issue.
ClusterFuzz has detected this issue as fixed in range 41336:41337.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6491632422879232

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Factory::NewTuple2
  v8::internal::PropertyICCompiler::CompileKeyedStoreMonomorphicHandler
  v8::internal::PropertyICCompiler::ComputeKeyedStoreMonomorphicHandler

Regressed: V8: r41331:41332
Fixed: V8: r41336:41337

Minimized Testcase (0.12 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97vn00FCzDJ6BwTaHLXysh33Ay0EcTym3IdHZQWYjHpBwMCqXtPMbzAgd_72G3au323cQVa_sOwtlEYP1GfuLrmVXu5k-kPlJUQfKdHsrLA_Y-hNGjClSNm5E-wjVNxpo9B8aFDK2EmJSTws_JcAxBVUBR8xg?testcase_id=6491632422879232

__v_4 = Object.create(null, { f4: {value: 4} });
function __f_2(a) { a[5000000] = 256; }
__v_2 = __v_4;
__f_2(__v_2);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c

commit 39e6f2ca4a2bdc39bd0291db944f0728bd527c5c
Author: ishell <ishell@chromium.org>
Date: Fri Dec 02 10:03:18 2016

[ic] Use validity cells to protect keyed element stores against object's prototype chain modifications.

... instead of clearing of all the KeyedStoreICs which didn't always work.

BUG= chromium:662907 , chromium:669411 , v8:5561
TBR=verwaest@chromium.org, bmeurer@chromium.org

Committed: https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf
Review-Url: https://codereview.chromium.org/2534613002
Cr-Original-Commit-Position: refs/heads/master@{#41332}
Cr-Commit-Position: refs/heads/master@{#41449}

[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/include/v8.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ast/ast-types.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/builtins/builtins-array.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/code-stub-assembler.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/compiler/types.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/elements.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/factory.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/factory.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/accessor-assembler-impl.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/accessor-assembler.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/ic-compiler.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/ic-compiler.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/ic-inl.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/ic.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/ic.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/lookup.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/objects-debug.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/objects-inl.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/objects-printer.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/objects.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/objects.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/type-feedback-vector.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/type-feedback-vector.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/value-serializer.cc
[add] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/test/mjsunit/regress/regress-crbug-662907.js
[add] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/test/mjsunit/regress/regress-crbug-669411.js
Comment 1 by mstarzinger@chromium.org, Nov 29 2016
Owner: ishell@chromium.org
Status: Assigned (was: Untriaged)
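Added example, not code from this report, from V8's regression tests or from the fix commit: it wraps the minimized testcase above in a function that checks the store actually landed (on an affected build, r41332 up to the revert in r41336:41337, the keyed store itself crashes with the null read in Factory::NewTuple2 instead of returning), and pairs it with a second scenario exercising the contract the commit message describes: a cached keyed element store handler must notice when the receiver's prototype chain gains an element. The function names (storeAt, runScenario, nullProtoSparseStore) and the warm-up count are my own; the assertions encode plain ECMAScript [[Set]] semantics, so any conforming engine (d8 or Node) must produce the same results.

```javascript
// Added example for crbug 669411 / commit 39e6f2ca. Not from the bug or V8.

// A single keyed store site. An engine's KeyedStoreIC will cache a handler
// for it after the warm-up loop below; the question is whether that cached
// handler still honours a prototype chain that changes afterwards.
function storeAt(obj, index, value) {
  obj[index] = value;
}

// Scenario 1: prototype chain modification after the store site is cached.
// Per the spec, once the prototype has an accessor at index 5, a store of
// obj[5] on a receiver without an own "5" must call that setter with the
// receiver as `this` and must NOT create an own element on the receiver.
function runScenario() {
  const proto = {};
  const received = [];
  const objs = [];
  // Warm up: 20 same-shaped receivers, all taking a plain element store.
  for (let i = 0; i < 20; i++) {
    const o = Object.create(proto);
    storeAt(o, 5, i);
    objs.push(o);
  }
  // Now modify the prototype chain that the cached handler assumed was
  // element-free: an accessor at index 5 on the prototype.
  Object.defineProperty(proto, "5", {
    set(v) { received.push({ target: this, value: v }); },
    configurable: true,
  });
  const fresh = Object.create(proto);
  storeAt(fresh, 5, "after");
  return {
    ownBefore: Object.prototype.hasOwnProperty.call(objs[0], "5"),   // true
    ownAfter: Object.prototype.hasOwnProperty.call(fresh, "5"),      // false
    setterCalls: received.length,                                    // 1
    setterReceiverIsFresh: received.length === 1 && received[0].target === fresh,
  };
}

// Scenario 2: the report's minimized testcase, in substance. A null-prototype
// object with one (non-enumerable) data property, then a keyed store far past
// any backing-store length, which forces sparse (dictionary) elements.
function nullProtoSparseStore() {
  const a = Object.create(null, { f4: { value: 4 } });
  function store(obj) { obj[5000000] = 256; }
  store(a);
  return {
    value: a[5000000],                                   // 256
    ownNames: Object.getOwnPropertyNames(a).length,      // "5000000" and "f4"
    prototypeIsNull: Object.getPrototypeOf(a) === null,  // true
  };
}

console.log(JSON.stringify(runScenario()));
console.log(JSON.stringify(nullProtoSparseStore()));
```

Both functions return plain objects rather than printing, so the same file serves as a self-check in a test harness or as a quick probe against a specific d8 build. Scenario 2 is the only one that crashes an affected build; scenario 1 is the invariant the validity-cell change is meant to keep true without the previous "clear every KeyedStoreIC" approach.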