CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()) in objects-i |
|||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6078170360184832 Fuzzer: inferno_js_fuzzer_c Job Type: linux_asan_d8_v8_arm64_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()) in objects-i Sanitizer: address (ASAN) Regressed: V8: 44701:44702 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6078170360184832 Issue manually filed by: ishell See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 26 2017
CF points to 54271c21e2860273abd6018c398b04f672ef2615.
,
May 26 2017
,
May 26 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 26 2017
,
May 26 2017
The console CL just let the tests go further than just hitting undefined reference at the first line. The fix is on the way: https://chromium-review.googlesource.com/c/516626/
,
May 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/fdd8d15155a6e79af686a2b02eb97eaf86a45842 commit fdd8d15155a6e79af686a2b02eb97eaf86a45842 Author: Igor Sheludko <ishell@chromium.org> Date: Fri May 26 15:21:32 2017 [runtime] Remove unnecessary casts of species constructor. ... which caused assertion failures in --enable-slow-asserts mode. The surrounding code treated the constructor value properly so regression test is not necessary. Bug: chromium:726622 Change-Id: Icd43d9117a1125bec8feca8eca5708993de2c3ef Reviewed-on: https://chromium-review.googlesource.com/516626 Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#45543} [modify] https://crrev.com/fdd8d15155a6e79af686a2b02eb97eaf86a45842/src/builtins/builtins-arraybuffer.cc [modify] https://crrev.com/fdd8d15155a6e79af686a2b02eb97eaf86a45842/src/execution.cc [modify] https://crrev.com/fdd8d15155a6e79af686a2b02eb97eaf86a45842/src/execution.h [modify] https://crrev.com/fdd8d15155a6e79af686a2b02eb97eaf86a45842/src/objects.cc [modify] https://crrev.com/fdd8d15155a6e79af686a2b02eb97eaf86a45842/src/objects.h [modify] https://crrev.com/fdd8d15155a6e79af686a2b02eb97eaf86a45842/src/runtime/runtime-regexp.cc
,
May 26 2017
,
May 26 2017
,
May 26 2017
Issue 724615 has been merged into this issue.
,
May 27 2017
ClusterFuzz has detected this issue as fixed in range 45543:45544. Detailed report: https://clusterfuzz.com/testcase?key=4727886732066816 Fuzzer: inferno_js_fuzzer_c Job Type: linux_asan_d8 Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: map()->is_callable() in objects-debug.cc Sanitizer: address (ASAN) Regressed: V8: 44701:44702 Fixed: V8: 45543:45544 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4727886732066816 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 27 2017
ClusterFuzz has detected this issue as fixed in range 45542:45543. Detailed report: https://clusterfuzz.com/testcase?key=6078170360184832 Fuzzer: inferno_js_fuzzer_c Job Type: linux_asan_d8_v8_arm64_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()) in objects-i Sanitizer: address (ASAN) Regressed: V8: 44701:44702 Fixed: V8: 45542:45543 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6078170360184832 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 27 2017
,
May 29 2017
Issue 727056 has been merged into this issue.
,
May 29 2017
Issue 727153 has been merged into this issue.
,
May 29 2017
,
May 29 2017
,
Jun 6 2017
,
Jun 6 2017
Your change meets the bar and is auto-approved for M60. Please go ahead and merge the CL to branch 3112 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 7 2017
,
Jun 12 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/a02b68867f5f1c15ca9bfe53955ab9027fb350fb commit a02b68867f5f1c15ca9bfe53955ab9027fb350fb Author: ishell@chromium.org <ishell@chromium.org> Date: Mon Jun 12 15:32:41 2017 Merged: [runtime] Remove unnecessary casts of species constructor. Revision: fdd8d15155a6e79af686a2b02eb97eaf86a45842 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=jkummerow@chromium.org Bug: chromium:726622 Change-Id: I3467e664560ac6a65cfb2cf382a35eaf021ebba6 Reviewed-on: https://chromium-review.googlesource.com/531365 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/branch-heads/6.0@{#27} Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1} Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439} [modify] https://crrev.com/a02b68867f5f1c15ca9bfe53955ab9027fb350fb/src/builtins/builtins-arraybuffer.cc [modify] https://crrev.com/a02b68867f5f1c15ca9bfe53955ab9027fb350fb/src/execution.cc [modify] https://crrev.com/a02b68867f5f1c15ca9bfe53955ab9027fb350fb/src/execution.h [modify] https://crrev.com/a02b68867f5f1c15ca9bfe53955ab9027fb350fb/src/objects.cc [modify] https://crrev.com/a02b68867f5f1c15ca9bfe53955ab9027fb350fb/src/objects.h [modify] https://crrev.com/a02b68867f5f1c15ca9bfe53955ab9027fb350fb/src/runtime/runtime-regexp.cc
,
Jun 15 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 16 2017
Already merged.
,
Jul 6 2017
,
Jul 14 2017
ClusterFuzz testcase 5407365456461824 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
,
Jul 17 2017
I rerun a redo and according to https://bugs.chromium.org/p/chromium/issues/detail?id=727153#c2 the issue is still fixed.
,
Jul 17 2017
Looks like something weird happened with testcase doing fixed testing. redo shows it is indeed fixed.
,
Sep 2 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||
Comment 1 by ClusterFuzz
, May 26 2017