
Issue 784835

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug-Regression




Page content not displayed

Reported by witalik3...@gmail.com, Nov 14 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3268.0 Safari/537.36

Example URL:
https://www.myscore.com.ua/draw/OzL13DUt/dt5kKlCH/

Steps to reproduce the problem:
1. Open URL https://www.myscore.com.ua/draw/OzL13DUt/dt5kKlCH/
2. Page is empty
3. In Firefox it works well; content displays correctly

https://www.myscore.com.ua/
Click on any link with the text: Сетка (right corner of the gray bar)

What is the expected behavior?

What went wrong?
Page is empty; content is not displayed

Does it occur on multiple sites: N/A

Is it a problem with a plugin? No 

Did this work before? N/A 

Does this work in other browsers? Yes

Chrome version: 64.0.3268.0  Channel: canary
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 28.0.0.105
 
Cc: divya.pa...@techmahindra.com
Components: Blink>JavaScript
Labels: -Pri-2 -Type-Compat hasbisect-per-revision ReleaseBlock-Stable Triaged-ET Needs-Triage-M64 OS-Linux Pri-1 Type-Bug-Regression
Owner: bmeu...@chromium.org
Able to reproduce this issue on Windows 10 and Ubuntu 14.04 with the reported Chrome version 64.0.3268.0, latest Canary 64.0.3269.0, and latest stable 62.0.3202.94, as per the steps mentioned in the original comment.

Manual Bisect:
-------------
Good build: 64.0.3257.0
Bad build: 64.0.3258.0

Bisect Tool Info:
----------------
You are probably looking for a change made after 513753 (known good), but no later than 513754 (first known bad).
CHANGELOG URL:
  https://chromium.googlesource.com/chromium/src/+log/0f50f26f8d1969ae6b21c2b2951cc2a3e9e45b27..a5f4544ceef453476ed21e152004866ab565efad

Possible suspect:
----------------
https://chromium-review.googlesource.com/c/v8/v8/+/750089

@Benedikt Meurer, kindly take a look, and please help us reassign this issue to the right owner if it is not related to this change.

Note: The issue is not seen on Mac 10.12.6.
Thanks!
Status: Assigned (was: Unconfirmed)
Status: Started (was: Assigned)
Project Member

Comment 4 by bugdroid1@chromium.org, Nov 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3dddc2b50f34a322a0405157f26025e6a511fb1d

commit 3dddc2b50f34a322a0405157f26025e6a511fb1d
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Thu Nov 16 06:56:25 2017

[ic] Properly handle negative indices.

We need to explicitly rule out negative indices for the out-of-bounds
case, otherwise we can end up with a monomorphic KeyedLoadIC that allows
OOB accesses, but doesn't properly check whether there are properties
with negative integer names on the receiver.

Bug:  chromium:784835 
Change-Id: Ic3ef5438b76094f024de0c6348183fb62b32088c
Reviewed-on: https://chromium-review.googlesource.com/774278
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49396}
[modify] https://crrev.com/3dddc2b50f34a322a0405157f26025e6a511fb1d/src/ic/accessor-assembler.cc
[add] https://crrev.com/3dddc2b50f34a322a0405157f26025e6a511fb1d/test/mjsunit/regress/regress-crbug-784835.js

Labels: M-64
Status: Fixed (was: Started)
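
The behaviour the commit message in Comment 4 requires, as an added JavaScript example (not the regression test added by that commit and not code from this issue): a keyed load that has only seen in-bounds and past-the-end indices must still find properties with negative integer names, whether own or inherited. All function names and sample values are constructed.

```javascript
// Added example; not V8's regress-crbug-784835.js. Names and values are constructed.

// A single keyed-load site; an engine may attach an inline cache (IC) to it.
function load(receiver, key) {
  return receiver[key];
}

// Array with an own property named "-1". Negative keys are never array
// elements, so a[-1] has to be answered by a named-property lookup.
function ownNegative() {
  const a = [10, 20, 30];
  a[-1] = "own";
  return a;
}

// Array whose "-1" property lives on its prototype chain instead.
function inheritedNegative() {
  const proto = Object.create(Array.prototype);
  proto[-1] = "inherited";
  const a = [10, 20, 30];
  Object.setPrototypeOf(a, proto);
  return a;
}

// Warm the load site with in-bounds and past-the-end indices only, so any
// cached handler has learned "out of bounds yields undefined", then ask for
// negative keys through the same site.
function probe(makeReceiver) {
  const a = makeReceiver();
  for (let i = 0; i < 20000; i++) {
    load(a, i % 3);       // in bounds
    load(a, 3 + (i % 4)); // beyond length: undefined
  }
  return {
    inBounds: load(a, 1),
    pastEnd: load(a, 7),
    minusOne: load(a, -1), // must find the "-1" property
    minusTwo: load(a, -2), // no such property: undefined
  };
}

const results = { own: probe(ownNegative), inherited: probe(inheritedNegative) };
console.log(JSON.stringify(results));
```

A `minusOne` value of `undefined` here would mean the negative key was treated as an ordinary out-of-bounds element index rather than as a property name.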
