Detailed report: https://clusterfuzz.com/testcase?key=6282446386757632

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  fixed_array->IsDictionary() in objects-inl.h
  v8::internal::JSObject::GetElementsKind
  v8::internal::JSObject::HasEnumerableElements
  
Sanitizer: address (ASAN)

Regressed: V8: 45447:45448

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6282446386757632


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

CF complains about your CL: 467b70c97881be4da7993b866f4483b7e44f5e39. PTAL

Yup, I forgot to properly copy over the elements kind / map when copying literal elements.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/106226e9c6d320fb60468e3e90d353e788302c5d

commit 106226e9c6d320fb60468e3e90d353e788302c5d
Author: Camillo Bruni <cbruni@chromium.org>
Date: Wed May 24 14:44:13 2017

[literals] Set the proper Map on the elements store for object literals

Bug:  chromium:725201 
Change-Id: Ic75f4080b8ef28e64b471887871c526c0bac316b
Reviewed-on: https://chromium-review.googlesource.com/514004
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45518}
[modify] https://crrev.com/106226e9c6d320fb60468e3e90d353e788302c5d/src/builtins/builtins-constructor-gen.cc
[add] https://crrev.com/106226e9c6d320fb60468e3e90d353e788302c5d/test/mjsunit/regress/regress-crbug-725201.js

Applying security view restrictions to all v8 CHECK/DCHECK failures.

(CHECKs aren't security, but we have no way to distinguish these right now).

ClusterFuzz has detected this issue as fixed in range 45517:45518.

Detailed report: https://clusterfuzz.com/testcase?key=5514208673529856

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  fixed_array->IsDictionary() in objects-inl.h
  v8::internal::JSObject::GetElementsKind
  HasSloppyArgumentsElements
  
Sanitizer: address (ASAN)

Regressed: V8: 45447:45448
Fixed: V8: 45517:45518

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5514208673529856


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 45517:45518.

Detailed report: https://clusterfuzz.com/testcase?key=6282446386757632

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  fixed_array->IsDictionary() in objects-inl.h
  v8::internal::JSObject::GetElementsKind
  v8::internal::JSObject::HasEnumerableElements
  
Sanitizer: address (ASAN)

Regressed: V8: 45447:45448
Fixed: V8: 45517:45518

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6282446386757632


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Fixed in https://chromium-review.googlesource.com/c/514004/ and verified.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot