
Issue 681304

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 681171
Owner:
Closed: Jan 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




object->map()->IsMap() in heap-inl.h

Project Member Reported by ClusterFuzz, Jan 14 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6364120476811264

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  object->map()->IsMap() in heap-inl.h
  
Sanitizer: address (ASAN)

Regressed: V8: r42333:42334

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Z3hl7k6Gm8y2DE4kFkdItShGF2EJXtIl8Y41bjlcMNpnN_Ga-FYs2Y4xWxqNqXYubrZ_2Hi_KINtqVmwSXHBi-idaNbpLSCTKZkHkOLoDrO1QJPldXnlBhIkhMW4-ZvhsGO-caQ1SZWEmmVAmn7LE2hrNKf5ucdLzjnNE7UlHA5DUEZU-PQJBUdRhJm09MU3oexqCNIlX4gidbx6p2DoCjh1g3X9-Wr6Uu77mmGuRCjkECTVQpA8VDlej9dO2ez-OZOImSW3aH34EqIyCiVJSoAknbJIu_1IhTb5TKOgea-QO4YWb_U0gdoWQRwdhX9TQ5QYQWqvOuFjJrc1Klrvd-pd0Wgjmqdk0XqUb8dm1efZIMrw?testcase_id=6364120476811264
function __f_0() {
}
try {
( {
})();
} catch(e) {"Caught: " + e; }
function __f_4() {
}
(function __f_5() {
  var __v_0 = {
    *['a']() {
      yield 2;
    }
  };
  var __v_3 = __v_0.a();
 __v_3.next();
})();
try {
( {
})()();
} catch(e) {; }


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: neis@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by neis@chromium.org, Jan 17 2017

Mergedinto: 681171
Status: Duplicate (was: Assigned)
Comment 3 by ClusterFuzz (Project Member), Jan 18 2017

ClusterFuzz has detected this issue as fixed in range 42406:42407.

Regressed: V8: r42333:42334
Fixed: V8: r42406:42407


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
