CHECK failure: cell->value()->IsTheHole(isolate) in objects.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6704641531445248
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: cell->value()->IsTheHole(isolate) in objects.cc
Sanitizer: address (ASAN)
Regressed: V8: 43887:43888
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94rfvqbzUXjtYg-tV-GqaZGH7g0jkfMxR859Xzr55yEZInxyr_4H4FUkaccbpPijm-nKp1huD9rFT4lPT9NbnB22Yf7mZHvC_cVtkFzxGxoMyqn9YRjKDy3eWY1hf7ohJ1LnzJtPM6GG2sNelZFTzhVFNu_1JQeVFXqKXtWKSCaub7zE9UIMayqybMT3n652M00EH2wbgn9SlRwhoD5My5vaCniRtRyqRdERvBd03Um5R1vyLkkkyCVI0RsfK4FpJxPOnrgskNlbN8Jk8rYG7RTWQ0VdRlJWNeVV9ZeMCV6W-QV-TRn1c2iX18oDVr1WhadFku3CjkSuEEn8buTxVUciF9-EH-7dV2N-8ALK9NGkpNKYMPpZuqoHhm4ljV2Lmpoyck29Uu3rn5iH2YhuCwzBD4ddw?testcase_id=6704641531445248

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 20 2017
Regression range points to 162553a12a74bd2040a562220e5b3c2611278cbb.
Mar 20 2017
Mar 20 2017
Issue 702635 has been merged into this issue.
Mar 20 2017
Mar 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6f52dfd7f068dea2342202c67f21e2970f226a1c

commit 6f52dfd7f068dea2342202c67f21e2970f226a1c
Author: Toon Verwaest <verwaest@chromium.org>
Date: Mon Mar 20 13:55:33 2017

[ic] Fix 'prototype chain checks' where the holder is the receiver

We use LoadFromPrototype also for direct global loads. InitPrototypeChecks did not support this though, and would create a prototype chain check for objects beyond the direct global. This tries to ensure the property on the global itself doesn't exist, which is invalid.

Additionally this CL deletes duplicate code.

BUG=chromium:702798,v8:5561
Change-Id: I318a5b6cd5f7c3efdb3a003e34edd37d5d3f880b
Reviewed-on: https://chromium-review.googlesource.com/457369
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43935}

[modify] https://crrev.com/6f52dfd7f068dea2342202c67f21e2970f226a1c/src/ic/ic.cc
[add] https://crrev.com/6f52dfd7f068dea2342202c67f21e2970f226a1c/test/mjsunit/regress/regress-crbug-702798.js
Mar 21 2017
ClusterFuzz has detected this issue as fixed in range 43934:43935.

Detailed report: https://clusterfuzz.com/testcase?key=6704641531445248
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: cell->value()->IsTheHole(isolate) in objects.cc
Sanitizer: address (ASAN)
Regressed: V8: 43887:43888
Fixed: V8: 43934:43935
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94rfvqbzUXjtYg-tV-GqaZGH7g0jkfMxR859Xzr55yEZInxyr_4H4FUkaccbpPijm-nKp1huD9rFT4lPT9NbnB22Yf7mZHvC_cVtkFzxGxoMyqn9YRjKDy3eWY1hf7ohJ1LnzJtPM6GG2sNelZFTzhVFNu_1JQeVFXqKXtWKSCaub7zE9UIMayqybMT3n652M00EH2wbgn9SlRwhoD5My5vaCniRtRyqRdERvBd03Um5R1vyLkkkyCVI0RsfK4FpJxPOnrgskNlbN8Jk8rYG7RTWQ0VdRlJWNeVV9ZeMCV6W-QV-TRn1c2iX18oDVr1WhadFku3CjkSuEEn8buTxVUciF9-EH-7dV2N-8ALK9NGkpNKYMPpZuqoHhm4ljV2Lmpoyck29Uu3rn5iH2YhuCwzBD4ddw?testcase_id=6704641531445248

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Mar 17 2017