CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject()) in objects-inl |
||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5780792556126208 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_v8_arm64_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject()) in objects-inl Sanitizer: address (ASAN) Regressed: V8: 44303:44304 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95fAShLB9tDCYwAYzENICoi5_D6qvpw-IESbmyUnD8TbUZrRaKU2SCQe6O_HbwZYIvAqaI42-E71hAoXbDyJDa4e6lATgRai6HIbkm2Kb--o84tZkt56ulscT99ZdbqQGIzUoRmnSAeqgGrz7f5jyXixDUaqLRjFi2iZqqHBTvqiHTg2pePKmMOxvMj9GH1NsylhCkuEjS7sLMdZi9s-GyexcTuo04NlqHjRPGzGrHUzzkojcQcz3m_iUoP0_tURyGHbvhF4IfYZYqTOwNtlUcFKkCTrG9yIR3qqrYNXBYd7A1n2ureVcSkUqWea07EP_Gnbv3upNcfb4ZKkkpIgSWOhYshSUyUIEOCSX7qtR-Gj4s98rjfV4Hx9-ep42W_w2ILGdB7QqfXRXyrmgpJJWHtD4NHZQ?testcase_id=5780792556126208 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e00dd8ebe1da17f9e85d9b85fa063266cab379e1 commit e00dd8ebe1da17f9e85d9b85fa063266cab379e1 Author: Peter Marshall <petermarshall@chromium.org> Date: Mon Apr 10 15:37:11 2017 [runtime] Filter out non-JSObject prototypes when eliding iteration. We assumed that every JSArray would have a JSObject as a prototype, but it could be null, in which case we bail out to slow path. Also rename spread_array variable here, because this fast-path isn't just used by spreads anymore. Bug: chromium:707675 Change-Id: I8045d83977735dd00c3ebde2e0704f6b04afdedd Reviewed-on: https://chromium-review.googlesource.com/472907 Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#44531} [modify] https://crrev.com/e00dd8ebe1da17f9e85d9b85fa063266cab379e1/src/objects.cc [add] https://crrev.com/e00dd8ebe1da17f9e85d9b85fa063266cab379e1/test/mjsunit/regress/regress-707675.js
,
Apr 11 2017
ClusterFuzz has detected this issue as fixed in range 44530:44531. Detailed report: https://clusterfuzz.com/testcase?key=5780792556126208 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_v8_arm64_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject()) in objects-inl Sanitizer: address (ASAN) Regressed: V8: 44303:44304 Fixed: V8: 44530:44531 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95fAShLB9tDCYwAYzENICoi5_D6qvpw-IESbmyUnD8TbUZrRaKU2SCQe6O_HbwZYIvAqaI42-E71hAoXbDyJDa4e6lATgRai6HIbkm2Kb--o84tZkt56ulscT99ZdbqQGIzUoRmnSAeqgGrz7f5jyXixDUaqLRjFi2iZqqHBTvqiHTg2pePKmMOxvMj9GH1NsylhCkuEjS7sLMdZi9s-GyexcTuo04NlqHjRPGzGrHUzzkojcQcz3m_iUoP0_tURyGHbvhF4IfYZYqTOwNtlUcFKkCTrG9yIR3qqrYNXBYd7A1n2ureVcSkUqWea07EP_Gnbv3upNcfb4ZKkkpIgSWOhYshSUyUIEOCSX7qtR-Gj4s98rjfV4Hx9-ep42W_w2ILGdB7QqfXRXyrmgpJJWHtD4NHZQ?testcase_id=5780792556126208 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 11 2017
|
||
►
Sign in to add a comment |
||
Comment 1 by mstarzinger@chromium.org
, Apr 10 2017Owner: petermarshall@chromium.org
Status: Assigned (was: Untriaged)