str->IsSeqString() || str->IsExternalString() in factory.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5858489143656448

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  str->IsSeqString() || str->IsExternalString() in factory.cc

Sanitizer: address (ASAN)

Regressed: V8: 42192:42193

Minimized Testcase (0.36 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv970lDsfCxxUNKMdwRgiFUxGoafbS4OeiKRWBO77epcUcEnUXIA9ny4L2uT4wJahBvldFjZC0CA1ex6-QCZ9rWfoO85xRzxS7YXMis9n4hlxevuszcCO5_24GTsybmPU8BX8BiFxsTK8r7JDko4W9BjnnJUuXQ-NGXUc2ctfovtiEuPiqW18sX-AA1X1MUncTFOLjtkw0SI34Mu60FK9zA0qcOOSKFBmXW5ceXdNEhYeHW4pr-pay4SEM1xGPpi0G7dQDGAJh1Z7qRQ_QgCw_Fc5xQmIke1IzW-YI4AIp0hlYlFRhMUT37c3fJttY8jdTFZI0lfugnovVAFGQ3RM8INwExf7unfOo-2HxJ3QLLXfyReA9xE?testcase_id=5858489143656448

var __v_2 = 1073741823;
var __v_13 = {};
function __f_1(a, b) {
  var __v_4 = a + b;                 // concatenation of two 26-character strings
  var __v_1 = __v_4.substring(20);   // substring of the concatenation
  __v_2[__v_4];                      // concatenation used as a property key (V8 internalizes property-key strings)
  return __v_1;
}
__v_5 = __f_1("abcdefghijklmnopqrstuvwxyz", "abcdefghijklmnopqrstuvwxyz");
function __f_8(name, input, regexp) {
  var __v_14 = input.match(regexp);  // regexp is the plain object __v_13, which match() coerces to /[object Object]/
  RegExp["$'"]                       // legacy rightContext: a substring of the last match's subject
}
__f_8("Capture-Global", __v_5, __v_13, []["anama"]);

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
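The minimized testcase above is a crash reproducer, not a test of values. The block below is an added example, not part of the ClusterFuzz report, the V8 fix or the regress-crbug-685504.js file (which is not shown on this page): a small differential harness that walks the same JavaScript-level steps as the reproducer (concatenate, substring, use the concatenation as a property key, match, read the legacy RegExp["$'"]) and checks that every observable result matches what a freshly copied string gives. It generalizes the single input of the testcase to a sweep of substring offsets and to two patterns, including the testcase's own `{}` argument. Everything said about V8 internals (ConsString, SlicedString, ThinString, a 13-character sharing threshold) is an assumption recorded in the comments; the script can only observe values. On the affected d8 build the bug manifested as a CHECK abort somewhere on this path, so a harness like this catches it as a process abort rather than as a mismatch.

```javascript
'use strict';
// Added example (not from the ClusterFuzz report or the V8 fix): a differential
// harness around the string transitions in the minimized testcase. Statements
// about V8 internals below are assumptions, not something this script observes.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz';

// Mirrors the testcase's __f_1: concatenate (assumed to produce a ConsString
// above V8's assumed 13-character threshold), take a substring (flattens the
// concatenation; long results are assumed to be SlicedStrings sharing the flat
// parent), then use the concatenation as a property key, which V8 internalizes.
function sliceThenInternalize(a, b, start) {
  const cons = a + b;
  const slice = cons.substring(start);
  const holder = {};
  holder[cons] = true; // property-key use forces internalization of `cons`
  return { cons, slice };
}

// Mirrors the testcase's __f_8: run a match, then read the legacy RegExp["$'"]
// (rightContext), which is a substring of the last match's subject. When
// nothing matched, rightContext is reported as null instead of reading the
// legacy static, which would still hold the previous match's state.
function matchAndRightContext(subject, pattern) {
  const m = subject.match(pattern);
  return { matched: m !== null, rightContext: m === null ? null : RegExp["$'"] };
}

// Reference value: rebuild the characters through an array so the result is a
// fresh string that shares no representation with the original (assumption:
// Array.prototype.join always allocates a new sequential string).
function freshCopy(s) {
  return Array.from(s).join('');
}

// One differential check: the representation-sharing path and the fresh-copy
// path must agree on every observable value.
function differentialCheck(a, b, start, pattern) {
  const { slice } = sliceThenInternalize(a, b, start);
  const got = matchAndRightContext(slice, pattern);
  const ref = matchAndRightContext(freshCopy(slice), new RegExp(pattern.source, pattern.flags));
  const ok = got.matched === ref.matched && got.rightContext === ref.rightContext;
  return { ok, start, slice, rightContext: got.rightContext };
}

// Sweep substring offsets so slices on both sides of the assumed 13-character
// threshold are exercised, with two patterns: a plain character class and the
// testcase's own `{}` argument, which the RegExp constructor coerces to
// /[object Object]/ (a character class, so it matches single letters like 'b').
function runAll() {
  const patterns = [/[m-z]/, new RegExp({})];
  const results = [];
  for (const pattern of patterns) {
    for (let start = 0; start < ALPHABET.length * 2; start += 7) {
      results.push(differentialCheck(ALPHABET, ALPHABET, start, pattern));
    }
  }
  return results;
}

console.log(runAll().every((r) => r.ok) ? 'all paths agree' : 'mismatch detected');
```

Run it under the engine build you want to check (d8 or node); a mismatch line points at a wrong value, while an abort with the CHECK message from the report means the crash path is still reachable. The offsets are stepped by 7 so that the final slices are shorter than the assumed sharing threshold and go through the plain-copy path as well.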
Jan 30 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/7438304229b57a88f0b9857922f806af32718a80

commit 7438304229b57a88f0b9857922f806af32718a80
Author: jkummerow <jkummerow@chromium.org>
Date: Mon Jan 30 18:24:16 2017

ThinStrings: fix Factory::NewProperSubString

BUG= chromium:685504
Review-Url: https://codereview.chromium.org/2660823002
Cr-Commit-Position: refs/heads/master@{#42783}

[modify] https://crrev.com/7438304229b57a88f0b9857922f806af32718a80/src/factory.cc
[add] https://crrev.com/7438304229b57a88f0b9857922f806af32718a80/test/mjsunit/regress/regress-crbug-685504.js
Jan 30 2017
Jan 31 2017
ClusterFuzz has detected this issue as fixed in range 42782:42783.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5858489143656448

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  str->IsSeqString() || str->IsExternalString() in factory.cc

Sanitizer: address (ASAN)

Regressed: V8: 42192:42193
Fixed: V8: 42782:42783

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv970lDsfCxxUNKMdwRgiFUxGoafbS4OeiKRWBO77epcUcEnUXIA9ny4L2uT4wJahBvldFjZC0CA1ex6-QCZ9rWfoO85xRzxS7YXMis9n4hlxevuszcCO5_24GTsybmPU8BX8BiFxsTK8r7JDko4W9BjnnJUuXQ-NGXUc2ctfovtiEuPiqW18sX-AA1X1MUncTFOLjtkw0SI34Mu60FK9zA0qcOOSKFBmXW5ceXdNEhYeHW4pr-pay4SEM1xGPpi0G7dQDGAJh1Z7qRQ_QgCw_Fc5xQmIke1IzW-YI4AIp0hlYlFRhMUT37c3fJttY8jdTFZI0lfugnovVAFGQ3RM8INwExf7unfOo-2HxJ3QLLXfyReA9xE?testcase_id=5858489143656448

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mstarzinger@chromium.org, Jan 26 2017
Owner: jkummerow@chromium.org
Status: Assigned (was: Untriaged)