DCHECK failure in nod == removed_holes_index in objects.cc |
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5982243268067328
Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State: nod == removed_holes_index in objects.cc
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=49342:49343
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5982243268067328
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Nov 15 2017
Thanks, reduced repro: const xs = [, 1, 2, 3, 4]; assertThrows(() => new Set(xs));
Nov 15 2017
The issue seems to be in the new fast path for fast JSArrays args, where we read directly from the FixedArray backing store instead of going through the iterator. We're missing a hole-to-undefined translation there and thus can end up writing holes into the collection backing store, which is a bug. Another problem is that we can end up trying to alloc a HeapNumber with the hole as the value.
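The hole-to-undefined invariant described in the comment above, as an added model in JavaScript (not V8's own code and not its regress-784990.js test): a holey array is turned into a stand-in for its FixedArray backing store, then a direct copy without hole translation is compared against the corrected copy and against the spec'd iterator path.

```javascript
// Stand-in for V8's the_hole marker in a backing store (constructed for this model).
const THE_HOLE = Symbol('the_hole');

// Model a holey JS array as its backing store: missing indices become holes.
function toBackingStore(arr) {
  const store = [];
  for (let i = 0; i < arr.length; i++) {
    store.push(i in arr ? arr[i] : THE_HOLE);
  }
  return store;
}

// Buggy fast path: elements copied straight from the store, so a hole becomes a key.
function setFromStoreBuggy(store) {
  const s = new Set();
  for (const v of store) s.add(v);
  return s;
}

// Fixed fast path: holes become undefined, as the array iterator would have produced.
function setFromStoreFixed(store) {
  const s = new Set();
  for (const v of store) s.add(v === THE_HOLE ? undefined : v);
  return s;
}

// Reference: the iterator path yields undefined for holes (forEach would skip them).
function setFromIterator(arr) {
  return new Set(arr);
}

function sameMembers(a, b) {
  return a.size === b.size && [...a].every((v) => b.has(v));
}

// Differential check: does each fast path agree with the iterator path?
function checkRepro(arr) {
  const store = toBackingStore(arr);
  const reference = setFromIterator(arr);
  return {
    buggyMatches: sameMembers(setFromStoreBuggy(store), reference),
    fixedMatches: sameMembers(setFromStoreFixed(store), reference),
    referenceHasUndefined: reference.has(undefined),
  };
}

// Reduced repro from the thread: const xs = [, 1, 2, 3, 4];
console.log(checkRepro([, 1, 2, 3, 4]));
```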
Nov 15 2017
I'm looking at this now, and should have a fix shortly.
Nov 15 2017
Fix in flight: https://chromium-review.googlesource.com/c/v8/v8/+/771387
Nov 15 2017
Nov 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/007203abd05604728e12650813a67a13e71004a2
commit 007203abd05604728e12650813a67a13e71004a2
Author: peterwmwong <peter.wm.wong@gmail.com>
Date: Thu Nov 16 06:59:25 2017
[collections] Handle holes in collection constructor fast paths
Bug: chromium:784990
Change-Id: I08c10ec706ccaba765edc7322dc92374863b8a7a
Reviewed-on: https://chromium-review.googlesource.com/771387
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49397}
[modify] https://crrev.com/007203abd05604728e12650813a67a13e71004a2/src/builtins/builtins-collections-gen.cc
[add] https://crrev.com/007203abd05604728e12650813a67a13e71004a2/test/mjsunit/regress/regress-784990.js
Nov 16 2017
Nov 16 2017
ClusterFuzz testcase 6041647363391488 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 16 2017
Feb 22 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 27 2018
Comment 1 by clemensh@chromium.org, Nov 15 2017
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)