DCHECK failure in current_pos <= num_indices in runtime-array.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5135945977036800

Fuzzer: v8_builtins_generator
Job Type: mac_asan_d8_dbg
Platform Id: mac
Crash Type: DCHECK failure
Crash Address:
Crash State:
  current_pos <= num_indices in runtime-array.cc
  v8::internal::PrepareElementsForSortGeneric
  PrepareElementsForSort

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=53059:53060

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5135945977036800

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
May 8 2018
Automatically adding ccs based on suspected regression changelists:

[array] Move SafeRemoveArrayHoles to runtime by szuend@google.com - https://chromium.googlesource.com/v8/v8/+/2793d72cd73f55e9c699aa865445ad2a4f107309

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
May 8 2018
Can't assign to szuend@ ("Issue owner must be a project member"), so assigning to reviewer.
May 9 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 9 2018
May 14 2018
May 14 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/d25840c35c0cd0324fb789d1cf0eae3f09ab2b2f

commit d25840c35c0cd0324fb789d1cf0eae3f09ab2b2f
Author: Simon Zünd <szuend@google.com>
Date: Mon May 14 14:22:43 2018

[array] Disable DCHECK in RemoveArrayHoles.

This CL disables a DCHECK in RemoveArrayHoles that was triggered for JSArrays that have read-only elements in the prototype chain. The DCHECK is not removed because it will be re-enabled later when the copying from the prototype chain (during sorting) will be done for JSArrays as well.

R=cbruni@chromium.org

Bug: chromium:840855
Change-Id: Ia278bd2f060df094f477b4efbc3f5bdafd7ea7a8
Reviewed-on: https://chromium-review.googlesource.com/1057588
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#53159}

[modify] https://crrev.com/d25840c35c0cd0324fb789d1cf0eae3f09ab2b2f/src/runtime/runtime-array.cc
May 15 2018
ClusterFuzz has detected this issue as fixed in range 53158:53159.

Detailed report: https://clusterfuzz.com/testcase?key=5135945977036800

Fuzzer: v8_builtins_generator
Job Type: mac_asan_d8_dbg
Platform Id: mac
Crash Type: DCHECK failure
Crash Address:
Crash State:
  current_pos <= num_indices in runtime-array.cc
  v8::internal::PrepareElementsForSortGeneric
  PrepareElementsForSort

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=53059:53060
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=53158:53159

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5135945977036800

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 15 2018
ClusterFuzz testcase 5135945977036800 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
May 15 2018
Jun 5 2018
Aug 21
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot