size <= kMaxRegularHeapObjectSize in runtime-internal.cc

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5981425976475648

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc

Regressed: V8: r39561:39562

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv969X0niAqHZmDAriF3NISmb1JierR_4wykqdrrLb4AfU8V8mRN3JYBz1ZCPIAitMWcfwQ21bQ1iQNa5lVMCEN8ZwIXGau-aZ5qYcy9JOdtYUBoo4fsiLWSHTzftdbyGxSAKKUAaEPmzg5jJJQjOUCueJdoCHg?testcase_id=5981425976475648

__v_5 = eval;
function __f_0(size) {
  var __v_0 = "function f(x) {" + " if (x > 0) return [";
  for (var __v_3 = 0; __v_3 < size; __v_3++) {
    __v_0 += "0.1, ";
  }
  __v_0 += " ];" + "}";
  __v_5(__v_0);
}
__v_4 = 65535;
__f_0(__v_4);
f(1);
f(1);

Issue manually filed by: titzer

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 12 2016
Dec 13 2016
Related to issue 635664. Simplified and cleaned up repro case ...

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Generate a function {f} containing a large array literal of doubles.
eval("function f() { return [" + String("0.1,").repeat(65535) + "] }");

// Running the function once will initialize the boilerplate.
assertEquals(65535, f().length);

// Running the function again will perform cloning.
assertEquals(65535, f().length);
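An added example, not code from the bug report or from the V8 commit: it generalizes the two-call repro above (the first call builds the literal's boilerplate, the second clones it) to several element kinds and literal sizes around the 65535 elements of the report, and checks that each clone is a fresh array with the expected contents. The helper names and the sample element values are ours, not V8 identifiers.

```javascript
// Added example (not from the bug report or the V8 commit). Exercises the same
// two-call pattern as the repro, boilerplate creation on the first call and
// literal cloning on the second, across element kinds and literal sizes, and
// verifies that the clone is a distinct array with the right length and values.
// makeLiteralFunction, checkLiteralCloning and sweep are our own names.

// Element kinds and the literal text used for each element (constructed values).
const ELEMENT_KINDS = {
  smi: "1",       // small integers: packed SMI elements
  double: "0.1",  // doubles: double backing store, the case from the report
  object: "{}",   // nested object literals: packed element store
};

// Build a function whose body is a single array literal of `size` elements.
function makeLiteralFunction(kind, size) {
  const element = ELEMENT_KINDS[kind];
  if (element === undefined) throw new Error("unknown element kind: " + kind);
  // repeat() leaves a trailing comma, which array literals ignore (as in the repro).
  return new Function("return [" + (element + ",").repeat(size) + "];");
}

// Call the literal function twice and verify the second (cloned) result.
function checkLiteralCloning(kind, size) {
  const f = makeLiteralFunction(kind, size);
  const first = f();   // initializes the boilerplate
  const second = f();  // clones from the boilerplate
  const ok =
    first.length === size &&
    second.length === size &&
    first !== second &&  // cloning must hand out a fresh array object
    // nested object literals are re-created per evaluation, so only their
    // type is compared; primitive elements must match the first result exactly
    second.every((v, i) => (kind === "object" ? typeof v === "object" : v === first[i]));
  return { kind, size, ok };
}

// Sweep literal sizes around the report's 65535 elements for every element kind.
function sweep(sizes = [1, 1024, 65535, 65536]) {
  const results = [];
  for (const kind of Object.keys(ELEMENT_KINDS)) {
    for (const size of sizes) results.push(checkLiteralCloning(kind, size));
  }
  return results;
}
```

On a build affected by this bug, a debug d8 on a 32-bit target would hit the CHECK on the second call for the `double` kind at 65535 elements; on a fixed engine every entry of `sweep()` reports `ok: true`.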
Dec 13 2016
I'll grab this for a hot minute. :-)
Dec 15 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/6c620e531268ca6dcdb858a75cc75c68e6b2a44b

commit 6c620e531268ca6dcdb858a75cc75c68e6b2a44b
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Dec 15 10:29:47 2016

Fix usage of literal cloning for large double arrays.

This fixes a corner case where the {FastCloneShallowArrayStub} was used for
literals that are backed by a double backing store and would exceed limits for
new-space allocations on 32-bit architectures. The stub in question does not
support such literals; callers must use the runtime.

Note that this fix is for Ignition as well as FullCodeGenerator.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-672792
BUG=chromium:672792

Review-Url: https://codereview.chromium.org/2570843002
Cr-Commit-Position: refs/heads/master@{#41713}

[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/ast/ast.cc
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/ast/ast.h
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/code-stubs.cc
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/code-stubs.h
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/compiler/js-generic-lowering.cc
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/crankshaft/hydrogen.cc
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/full-codegen/full-codegen.cc
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/interpreter/bytecode-generator.cc
[add] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/test/mjsunit/regress/regress-crbug-672792.js
Dec 15 2016
Dec 16 2016
ClusterFuzz has detected this issue as fixed in range 41712:41713.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5981425976475648

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc

Regressed: V8: r39561:39562
Fixed: V8: r41712:41713

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv969X0niAqHZmDAriF3NISmb1JierR_4wykqdrrLb4AfU8V8mRN3JYBz1ZCPIAitMWcfwQ21bQ1iQNa5lVMCEN8ZwIXGau-aZ5qYcy9JOdtYUBoo4fsiLWSHTzftdbyGxSAKKUAaEPmzg5jJJQjOUCueJdoCHg?testcase_id=5981425976475648

__v_5 = eval;
function __f_0(size) {
  var __v_0 = "function f(x) {" + " if (x > 0) return [";
  for (var __v_3 = 0; __v_3 < size; __v_3++) {
    __v_0 += "0.1, ";
  }
  __v_0 += " ];" + "}";
  __v_5(__v_0);
}
__v_4 = 65535;
__f_0(__v_4);
f(1);
f(1);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by titzer@chromium.org, Dec 9 2016