Fatal error in Runtime_TypedArrayCopyElements

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6325006355922944

Fuzzer: ochang_js_fuzzer_win
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Fatal error
Crash Address:
Crash State:
  v8::platform::PrintStackTrace
  v8::internal::Runtime_TypedArrayCopyElements

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=51376:51377

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6325006355922944

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Feb 26 2018
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6b25ab2e8cc557c5efd64312330726f6614370d4

commit 6b25ab2e8cc557c5efd64312330726f6614370d4
Author: Peter Marshall <petermarshall@chromium.org>
Date: Mon Feb 26 15:51:31 2018

[typedarray] Extend ElementsAccessor::CopyElements to all Object types

Previously, Strings without an iterator would go to the runtime path
and fail on because it expected a JSReceiver type. This was in-line
with what the elements accessor expected.

We can actually handle all object types in the final slow path (using
LookupIterator) so it is no problem to change the accept types.

Bug: chromium:816289
Change-Id: Iebb8de0bb7551aee3894c8a23836d079c93726a7
Reviewed-on: https://chromium-review.googlesource.com/937461
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51574}

[modify] https://crrev.com/6b25ab2e8cc557c5efd64312330726f6614370d4/src/elements.cc
[modify] https://crrev.com/6b25ab2e8cc557c5efd64312330726f6614370d4/src/elements.h
[modify] https://crrev.com/6b25ab2e8cc557c5efd64312330726f6614370d4/src/runtime/runtime-typedarray.cc
[add] https://crrev.com/6b25ab2e8cc557c5efd64312330726f6614370d4/test/mjsunit/regress/regress-816289.js

Feb 27 2018
ClusterFuzz has detected this issue as fixed in range 51573:51574.

Detailed report: https://clusterfuzz.com/testcase?key=6325006355922944

Fuzzer: ochang_js_fuzzer_win
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Fatal error
Crash Address:
Crash State:
  v8::platform::PrintStackTrace
  v8::internal::Runtime_TypedArrayCopyElements

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=51376:51377
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=51573:51574

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6325006355922944

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Feb 27 2018
ClusterFuzz testcase 6325006355922944 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by ClusterFuzz, Feb 25 2018
Owner: petermarshall@chromium.org
Status: Assigned (was: Untriaged)