CHECK failure: size <= kMaxRegularHeapObjectSize in runtime-internal.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6713497672220672
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  __RT_impl_Runtime_AllocateInNewSpace
  v8::internal::Runtime_AllocateInNewSpace
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=50679:50680
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6713497672220672

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jan 19 2018
Simplest code to trigger:

Array.of.apply(1, Array(63387))

In this case any non-constructor as the receiver triggers using AllocateJSArray. The second argument is an array of size 63387, so that's the number of arguments to Array.of, which means we attempt to allocate an array that's larger than kMaxRegularHeapObjectSize. Fix should be to check the size that will be generated and do something else if it's too big.
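An added regression-style check, written for this page and not the project's own test (the fix commit names test/mjsunit/regress/regress-803750.js but the page does not show its contents): it exercises the trigger from the comment above with a non-constructor receiver, which is the AllocateJSArray path that failed the CHECK, and with a constructor receiver as a control, and returns true only if both branches produce the array the spec requires. The argument count 63387 is the one quoted in the report; the receiver values and function names are this example's own.

```javascript
// Added example, not from the V8 tree. On the unfixed build the
// non-constructor path CHECK-failed at this size because the resulting
// array exceeded kMaxRegularHeapObjectSize; a fixed build completes.
const REPORTED_ARG_COUNT = 63387;

// Array.of.apply(receiver, Array(count)) spreads `count` holes as `count`
// undefined arguments, so Array.of has to build an array of that length.
function arrayOfWithReceiver(receiver, count) {
  return Array.of.apply(receiver, Array(count));
}

// Non-constructor receiver (the report used the number 1): per spec,
// Array.of falls back to ArrayCreate(len), so the result must be a plain
// Array whose every index was defined (no holes survive).
function checkPlainArrayPath(count) {
  const result = arrayOfWithReceiver(1, count);
  return Array.isArray(result) &&
    result.length === count &&
    Object.keys(result).length === count;
}

// Constructor receiver: Array.of calls Construct(C, [len]), defines indices
// 0..len-1 on the instance, then sets its length. Checking this branch too
// shows the fix did not disturb the non-Array path.
function checkConstructorPath(count) {
  function Holder(len) { this.requested = len; }
  const result = arrayOfWithReceiver(Holder, count);
  return result instanceof Holder &&
    result.requested === count &&
    result.length === count &&
    // own enumerable keys: count indices + "requested" + "length"
    Object.keys(result).length === count + 2;
}

// Run both branches at a small control size and at the reported size.
function runRegressionChecks() {
  return [1, REPORTED_ARG_COUNT].every(
    n => checkPlainArrayPath(n) && checkConstructorPath(n));
}

console.log(runRegressionChecks() ? 'OK' : 'FAIL');
```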
Jan 19 2018
Jan 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/08b0ff26c5eeff90295bea3d921157b581bd9ed4

commit 08b0ff26c5eeff90295bea3d921157b581bd9ed4
Author: Dan Elphick <delphick@chromium.org>
Date: Fri Jan 19 16:11:18 2018

Fix Array.of crashing when called with lots of parameters

When the array created would exceed the maximum size for a regular heap object, instead create it using Runtime::kNewArray directly rather than via AllocateJSArray.

Bug: chromium:803750
Change-Id: I78cd82edf5a813a2ed69272361e0ca07f864c5ba
Reviewed-on: https://chromium-review.googlesource.com/876011
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50726}

[modify] https://crrev.com/08b0ff26c5eeff90295bea3d921157b581bd9ed4/src/builtins/builtins-array-gen.cc
[add] https://crrev.com/08b0ff26c5eeff90295bea3d921157b581bd9ed4/test/mjsunit/regress/regress-803750.js
Jan 20 2018
ClusterFuzz has detected this issue as fixed in range 50725:50726.

Detailed report: https://clusterfuzz.com/testcase?key=6713497672220672
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  __RT_impl_Runtime_AllocateInNewSpace
  v8::internal::Runtime_AllocateInNewSpace
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=50679:50680
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=50725:50726
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6713497672220672

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 20 2018
ClusterFuzz testcase 6713497672220672 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 8 2018
Apr 28 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jan 19 2018
Owner: delph...@chromium.org
Status: Assigned (was: Untriaged)