CHECK failure: fixed_array->IsDictionary() in objects-inl.h
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5514208673529856
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: fixed_array->IsDictionary() in objects-inl.h
Sanitizer: address (ASAN)
Regressed: V8: 45447:45448
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5514208673529856

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 24 2017
CF complains about your CL: 467b70c97881be4da7993b866f4483b7e44f5e39. PTAL
May 24 2017
Yup, I forgot to properly copy over the elements kind / map when copying literal elements.
May 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/106226e9c6d320fb60468e3e90d353e788302c5d

commit 106226e9c6d320fb60468e3e90d353e788302c5d
Author: Camillo Bruni <cbruni@chromium.org>
Date: Wed May 24 14:44:13 2017

[literals] Set the proper Map on the elements store for object literals

Bug: chromium:725201
Change-Id: Ic75f4080b8ef28e64b471887871c526c0bac316b
Reviewed-on: https://chromium-review.googlesource.com/514004
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45518}

[modify] https://crrev.com/106226e9c6d320fb60468e3e90d353e788302c5d/src/builtins/builtins-constructor-gen.cc
[add] https://crrev.com/106226e9c6d320fb60468e3e90d353e788302c5d/test/mjsunit/regress/regress-crbug-725201.js
May 24 2017
Applying security view restrictions to all v8 CHECK/DCHECK failures. (CHECKs aren't security, but we have no way to distinguish these right now).
May 25 2017
May 25 2017
May 26 2017
ClusterFuzz has detected this issue as fixed in range 45517:45518.

Detailed report: https://clusterfuzz.com/testcase?key=5514208673529856
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  fixed_array->IsDictionary() in objects-inl.h
  v8::internal::JSObject::GetElementsKind
  HasSloppyArgumentsElements
Sanitizer: address (ASAN)
Regressed: V8: 45447:45448
Fixed: V8: 45517:45518
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5514208673529856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 26 2017
ClusterFuzz has detected this issue as fixed in range 45517:45518.

Detailed report: https://clusterfuzz.com/testcase?key=6282446386757632
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  fixed_array->IsDictionary() in objects-inl.h
  v8::internal::JSObject::GetElementsKind
  v8::internal::JSObject::HasEnumerableElements
Sanitizer: address (ASAN)
Regressed: V8: 45447:45448
Fixed: V8: 45517:45518
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6282446386757632

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 26 2017
Fixed in https://chromium-review.googlesource.com/c/514004/ and verified.
May 26 2017
Sep 1 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, May 24 2017