Issue 726777 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 726836
Owner:	cbruni@chromium.org
Closed:	May 2017
Cc:	jkummerow@chromium.org ishell@chromium.org
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Reproducible Stability-Memory-AddressSanitizer Clusterfuzz

CHECK failure: nofMappedParameters <= context_object->length() in objects-debug.cc

Project Member Reported by ClusterFuzz, May 26 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6343749881036800

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  nofMappedParameters <= context_object->length() in objects-debug.cc
  v8::internal::SloppyArgumentsElements::SloppyArgumentsElementsVerify
  v8::internal::JSArgumentsObject::JSArgumentsObjectVerify
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6343749881036800


Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ishell@chromium.org, May 27 2017

Cc: ishell@chromium.org jkummerow@chromium.org
Mergedinto: 726836
Owner: cbruni@chromium.org
Status: Duplicate (was: Untriaged)

►

Issue 726777 link

Issue metadata

CHECK failure: nofMappedParameters <= context_object->length() in objects-debug.cc

Issue description

Comment 1 by ishell@chromium.org, May 27 2017

Comment 1 Deleted

Sign in to add a comment