Null-dereference READ in v8::internal::MemoryChunk::InNewSpace
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5796289479704576

Job Type: linux_asan_d8
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::MemoryChunk::InNewSpace
  v8::internal::Heap::RecordWrite
  v8::internal::CopyObjectToObjectElements

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=48861:48862

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5796289479704576

Issue manually filed by: ishell

See https://github.com/google/clusterfuzz-tools for more information.
Oct 26 2017
Detailed report: https://clusterfuzz.com/testcase?key=5099674775322624

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  IsNumber() in objects-inl.h
  V8_Dcheck
  v8::internal::ElementsAccessorBase<v8::internal::DictionaryElementsAccessor, v8:

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=48861:48862

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5099674775322624

See https://github.com/google/clusterfuzz-tools for more information.
Oct 26 2017
Detailed report: https://clusterfuzz.com/testcase?key=6683263442878464

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  (copy_size + static_cast<int>(to_start)) <= to_base->length() && (copy_size + st
  V8_Dcheck
  v8::internal::CopyObjectToObjectElements

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=48861:48862

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6683263442878464

See https://github.com/google/clusterfuzz-tools for more information.
Oct 26 2017
CF points to b590679496e829fd2f88ba4494072f0196c979de.
Oct 26 2017
Issue 778441 has been merged into this issue.
Oct 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/7dd261c30ef0fda9298277031d77ba12efab05af

commit 7dd261c30ef0fda9298277031d77ba12efab05af
Author: Daniel Clifford <danno@chromium.org>
Date: Thu Oct 26 14:32:56 2017

Fix Array.prototype.slice bug in argument object handling

Bug: chromium:778574
Change-Id: I014b16b9deabab07ca7dfb662ea8cb0dbf9c8987
Reviewed-on: https://chromium-review.googlesource.com/738148
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48975}

[modify] https://crrev.com/7dd261c30ef0fda9298277031d77ba12efab05af/src/builtins/builtins-array.cc
[modify] https://crrev.com/7dd261c30ef0fda9298277031d77ba12efab05af/src/objects/arguments-inl.h
[modify] https://crrev.com/7dd261c30ef0fda9298277031d77ba12efab05af/src/objects/arguments.h
[modify] https://crrev.com/7dd261c30ef0fda9298277031d77ba12efab05af/src/runtime/runtime-array.cc
[add] https://crrev.com/7dd261c30ef0fda9298277031d77ba12efab05af/test/mjsunit/regress/regress-778574.js
Oct 27 2017
ClusterFuzz has detected this issue as fixed in range 48974:48975.

Detailed report: https://clusterfuzz.com/testcase?key=5796289479704576

Job Type: linux_asan_d8
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::MemoryChunk::InNewSpace
  v8::internal::Heap::RecordWrite
  v8::internal::CopyObjectToObjectElements

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=48861:48862
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=48974:48975

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5796289479704576

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 27 2017
ClusterFuzz has detected this issue as fixed in range 48974:48975.

Detailed report: https://clusterfuzz.com/testcase?key=6683263442878464

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  (copy_size + static_cast<int>(to_start)) <= to_base->length() && (copy_size + st
  V8_Dcheck
  v8::internal::CopyObjectToObjectElements

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=48861:48862
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=48974:48975

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6683263442878464

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 27 2017
ClusterFuzz testcase 5057868503187456 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 27 2017
Issue 779015 has been merged into this issue.
Nov 3 2017
ClusterFuzz testcase 6034059942952960 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.