CHECK failure: object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() |
|||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5966413202980864 Fuzzer: ochang_js_fuzzer Job Type: linux_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=52026:52027 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5966413202980864 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
May 5 2018
,
May 7 2018
Yea this is mine. Working on a fix. I just need to extend the list of allowed types in this CHECK. Without heap verification, everything should be working OK as is, so no merges needed + no security impact.
,
May 7 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/96186c4f1a9a05bc4f2b4fde7739f20b9ee6d10c commit 96186c4f1a9a05bc4f2b4fde7739f20b9ee6d10c Author: Marja Hölttä <marja@chromium.org> Date: Mon May 07 09:53:14 2018 [in-place weak refs] Fix: allow weak array types in large object space. BUG=v8:7308, chromium:839953 Change-Id: I3738dc8169730763a587a2452421a54aff11e38e Reviewed-on: https://chromium-review.googlesource.com/1046645 Commit-Queue: Marja Hölttä <marja@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#53016} [modify] https://crrev.com/96186c4f1a9a05bc4f2b4fde7739f20b9ee6d10c/src/heap/spaces.cc [add] https://crrev.com/96186c4f1a9a05bc4f2b4fde7739f20b9ee6d10c/test/mjsunit/regress/regress-839953.js
,
May 7 2018
,
May 7 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/08bfc14b68846ab2aef7898e0f86cb6db1fd12e2 commit 08bfc14b68846ab2aef7898e0f86cb6db1fd12e2 Author: Michael Achenbach <machenbach@chromium.org> Date: Mon May 07 11:52:17 2018 Revert "[in-place weak refs] Fix: allow weak array types in large object space." This reverts commit 96186c4f1a9a05bc4f2b4fde7739f20b9ee6d10c. Reason for revert: All gc stress bots time out: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/16361 Original change's description: > [in-place weak refs] Fix: allow weak array types in large object space. > > BUG=v8:7308, chromium:839953 > > Change-Id: I3738dc8169730763a587a2452421a54aff11e38e > Reviewed-on: https://chromium-review.googlesource.com/1046645 > Commit-Queue: Marja Hölttä <marja@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Cr-Commit-Position: refs/heads/master@{#53016} TBR=ulan@chromium.org,marja@chromium.org Change-Id: I030638c27fd8990b9dab3d25a582039fb893bf78 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:7308, chromium:839953 Reviewed-on: https://chromium-review.googlesource.com/1046549 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#53019} [modify] https://crrev.com/08bfc14b68846ab2aef7898e0f86cb6db1fd12e2/src/heap/spaces.cc [delete] https://crrev.com/7235c8515a46a5aa2ee79495d427726ee78ac92b/test/mjsunit/regress/regress-839953.js
,
May 7 2018
,
May 7 2018
Looks like this got reverted. Re-opening. Also looks like we can track this as a functional issue rather than as security issue.
,
May 8 2018
The reland was missing the bug number, but it's this one: https://chromium-review.googlesource.com/c/v8/v8/+/1046653
,
May 8 2018
ClusterFuzz has detected this issue as fixed in range 53030:53031. Detailed report: https://clusterfuzz.com/testcase?key=5966413202980864 Fuzzer: ochang_js_fuzzer Job Type: linux_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=52026:52027 Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=53030:53031 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5966413202980864 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 8 2018
ClusterFuzz testcase 5966413202980864 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Aug 14
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by ClusterFuzz
, May 4 2018Owner: marja@chromium.org
Status: Assigned (was: Untriaged)