object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() |
||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4960202035298304 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() Sanitizer: address (ASAN) Regressed: V8: r42192:42193 Minimized Testcase (0.20 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97AnhU5bPHhUrnU-9SppnVqElJdChivcPDnj0nbOdgCNH9RJ-FWcQUyOHZVMwfJBC0E44bzO-n9bkm3esFD5nK4XO37AFvZOQjOKRg4VmErL_DbTqTJtifgjpY78baACLTKvEKVnBm_hVVhAoaide2RFNSY9Hj3FSV1HwuQ-J5sBC-8XNcv-LT1NNFCZJ26oYpWDCR2LDzOfgId4eiIqiRlPSY3zuYpp42mYZw0lbqEcFCdzhmcJ_2wWzkuCxyCJ7CaCJxmgnI-JwhaTAUn11-9jU2FHNJgzw9B8ZQpkp5TStWi84z5sKk9yp3ZMn-XzXBr78h7y2lkPDzkKFaYftey-2ibmmMSc0HUlLmD8MisrQl77HeFkbmOwxfNH0HgMykxMYJ4unAcd9W0qh2ReyHBtIr69g?testcase_id=4960202035298304 __v_0 = 100000; __v_1 = new Array(); for (var __v_2 = 0; __v_2 < __v_0; __v_2++) { __v_1[__v_2] = 0.5; } __v_2 = { [__v_1]: "bar"} function __f_1(obj, key) { return obj[key]; } __f_1(__v_2, __v_1); Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jan 13 2017
ClusterFuzz has detected this issue as fixed in range 42270:42271. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4960202035298304 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() Sanitizer: address (ASAN) Regressed: V8: r42192:42193 Fixed: V8: r42270:42271 Minimized Testcase (0.20 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97AnhU5bPHhUrnU-9SppnVqElJdChivcPDnj0nbOdgCNH9RJ-FWcQUyOHZVMwfJBC0E44bzO-n9bkm3esFD5nK4XO37AFvZOQjOKRg4VmErL_DbTqTJtifgjpY78baACLTKvEKVnBm_hVVhAoaide2RFNSY9Hj3FSV1HwuQ-J5sBC-8XNcv-LT1NNFCZJ26oYpWDCR2LDzOfgId4eiIqiRlPSY3zuYpp42mYZw0lbqEcFCdzhmcJ_2wWzkuCxyCJ7CaCJxmgnI-JwhaTAUn11-9jU2FHNJgzw9B8ZQpkp5TStWi84z5sKk9yp3ZMn-XzXBr78h7y2lkPDzkKFaYftey-2ibmmMSc0HUlLmD8MisrQl77HeFkbmOwxfNH0HgMykxMYJ4unAcd9W0qh2ReyHBtIr69g?testcase_id=4960202035298304 __v_0 = 100000; __v_1 = new Array(); for (var __v_2 = 0; __v_2 < __v_0; __v_2++) { __v_1[__v_2] = 0.5; } __v_2 = { [__v_1]: "bar"} function __f_1(obj, key) { return obj[key]; } __f_1(__v_2, __v_1); See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 13 2017
ClusterFuzz testcase 4960202035298304 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jan 18 2017
The CHECK just needs updating. Fixed in patch set 23 of the reland at https://codereview.chromium.org/2549773002 . |
||
►
Sign in to add a comment |
||
Comment 1 by ishell@chromium.org
, Jan 11 2017Owner: jkummerow@chromium.org
Status: Assigned (was: Untriaged)