New issue
Advanced search Search tips

Issue 679882 link

Starred by 1 user
Status: Verified
Owner:
jkummerow@chromium.org
Closed: Jan 2017
Cc:
ishell@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString()

Project Member Reported by ClusterFuzz, Jan 10 2017 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4960202035298304

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() 
  
Sanitizer: address (ASAN)

Regressed: V8: r42192:42193

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97AnhU5bPHhUrnU-9SppnVqElJdChivcPDnj0nbOdgCNH9RJ-FWcQUyOHZVMwfJBC0E44bzO-n9bkm3esFD5nK4XO37AFvZOQjOKRg4VmErL_DbTqTJtifgjpY78baACLTKvEKVnBm_hVVhAoaide2RFNSY9Hj3FSV1HwuQ-J5sBC-8XNcv-LT1NNFCZJ26oYpWDCR2LDzOfgId4eiIqiRlPSY3zuYpp42mYZw0lbqEcFCdzhmcJ_2wWzkuCxyCJ7CaCJxmgnI-JwhaTAUn11-9jU2FHNJgzw9B8ZQpkp5TStWi84z5sKk9yp3ZMn-XzXBr78h7y2lkPDzkKFaYftey-2ibmmMSc0HUlLmD8MisrQl77HeFkbmOwxfNH0HgMykxMYJ4unAcd9W0qh2ReyHBtIr69g?testcase_id=4960202035298304
__v_0 = 100000;
__v_1 = new Array();
for (var __v_2 = 0; __v_2 < __v_0; __v_2++) {
  __v_1[__v_2] = 0.5;
}
__v_2 = {
  [__v_1]: "bar"}
function __f_1(obj, key) {
  return obj[key];
}
 __f_1(__v_2, __v_1);


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ishell@chromium.org, Jan 11 2017

Cc: ishell@chromium.org
Owner: jkummerow@chromium.org
Status: Assigned (was: Untriaged)
PTAL. CF points to 4c699e349a4986b28574b3a51e8780e3a3d067b1.
Project Member

Comment 2 by ClusterFuzz, Jan 13 2017 

ClusterFuzz has detected this issue as fixed in range 42270:42271.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4960202035298304

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() 
  
Sanitizer: address (ASAN)

Regressed: V8: r42192:42193
Fixed: V8: r42270:42271

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97AnhU5bPHhUrnU-9SppnVqElJdChivcPDnj0nbOdgCNH9RJ-FWcQUyOHZVMwfJBC0E44bzO-n9bkm3esFD5nK4XO37AFvZOQjOKRg4VmErL_DbTqTJtifgjpY78baACLTKvEKVnBm_hVVhAoaide2RFNSY9Hj3FSV1HwuQ-J5sBC-8XNcv-LT1NNFCZJ26oYpWDCR2LDzOfgId4eiIqiRlPSY3zuYpp42mYZw0lbqEcFCdzhmcJ_2wWzkuCxyCJ7CaCJxmgnI-JwhaTAUn11-9jU2FHNJgzw9B8ZQpkp5TStWi84z5sKk9yp3ZMn-XzXBr78h7y2lkPDzkKFaYftey-2ibmmMSc0HUlLmD8MisrQl77HeFkbmOwxfNH0HgMykxMYJ4unAcd9W0qh2ReyHBtIr69g?testcase_id=4960202035298304
__v_0 = 100000;
__v_1 = new Array();
for (var __v_2 = 0; __v_2 < __v_0; __v_2++) {
  __v_1[__v_2] = 0.5;
}
__v_2 = {
  [__v_1]: "bar"}
function __f_1(obj, key) {
  return obj[key];
}
 __f_1(__v_2, __v_1);


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 3 by ClusterFuzz, Jan 13 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4960202035298304 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 4 by jkummerow@chromium.org, Jan 18 2017 

The CHECK just needs updating. Fixed in patch set 23 of the reland at https://codereview.chromium.org/2549773002 .

Sign in to add a comment