Issue metadata
Sign in to add a comment
|
DCHECK failure in size <= SeqOneByteString::kMaxSize in heap.cc |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6138077579051008 Fuzzer: inferno_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: DCHECK failure Crash Address: Crash State: size <= SeqOneByteString::kMaxSize in heap.cc v8::internal::Heap::AllocateRawOneByteString v8::internal::Factory::NewRawOneByteString Sanitizer: address (ASAN) Regressed: V8: 46837:46838 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6138077579051008 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Aug 6 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 6 2017
,
Aug 7 2017
Regression range points to e8c9649e2570c7e278e70a6584738a3c3f828b2b.
,
Aug 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/06f5f84656b9b976dedbca75b0d1c223c4d32709 commit 06f5f84656b9b976dedbca75b0d1c223c4d32709 Author: Peter Marshall <petermarshall@chromium.org> Date: Wed Aug 09 14:48:54 2017 [runtime] Align Seq{One,Two}ByteString::kMaxSize. Because SizeFor only returns aligned values, when we check values returned there against kMaxSize, they can be larger if they were rounded up. It wasn't possible to write a test for the 2-byte version that didn't regularly OOM. Bug: chromium:752764 Change-Id: Id2f387449e0fafe633a2fde1ac728be31487f62d Reviewed-on: https://chromium-review.googlesource.com/607935 Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#47252} [modify] https://crrev.com/06f5f84656b9b976dedbca75b0d1c223c4d32709/src/objects/string.h [modify] https://crrev.com/06f5f84656b9b976dedbca75b0d1c223c4d32709/test/mjsunit/mjsunit.status [add] https://crrev.com/06f5f84656b9b976dedbca75b0d1c223c4d32709/test/mjsunit/regress/regress-752764.js
,
Aug 10 2017
ClusterFuzz has detected this issue as fixed in range 47251:47252. Detailed report: https://clusterfuzz.com/testcase?key=6138077579051008 Fuzzer: inferno_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: DCHECK failure Crash Address: Crash State: size <= SeqOneByteString::kMaxSize in heap.cc v8::internal::Heap::AllocateRawOneByteString v8::internal::Factory::NewRawOneByteString Sanitizer: address (ASAN) Regressed: V8: 46837:46838 Fixed: V8: 47251:47252 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6138077579051008 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 10 2017
,
Aug 10 2017
ClusterFuzz testcase 6138077579051008 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Aug 10 2017
,
Oct 5 2017
,
Nov 16 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 28
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Aug 6 2017