DCHECK failure in end <= array->length_value() in elements.cc
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6021191413006336
Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State: end <= array->length_value() in elements.cc
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=54521:54522
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6021191413006336
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jul 19
Check if this fix needs to be back-merged into 6.9.
Jul 19
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/b87e7623248fda8dd06c4d6350bd00a57f04b7fe

commit b87e7623248fda8dd06c4d6350bd00a57f04b7fe
Author: Simon Zünd <szuend@google.com>
Date: Thu Jul 19 12:15:42 2018

[array] Only use fast-path in Array.p.fill for JSArrays

This CL changes Array.p.fill to use the baseline implementation for everything other than JSArray. One of the reasons is that shadowing the length property on TypedArrays (and other ElementsKinds) is allowed and should be respected by Array.p.fill. The fast-path for fill for TypedArrays expects the indices to be clamped to the actual length of the underlying backing store and not to some length property.

While this mismatch (and others) could probably be handled properly, we do the conservative thing and only use the fast-path for specific JSArrays.

R=jgruber@chromium.org

Bug: chromium:865312
Change-Id: Ib3050e3bfc22d47ca8597b6df34788dc2b59b6e1
Reviewed-on: https://chromium-review.googlesource.com/1142772
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#54558}

[modify] https://crrev.com/b87e7623248fda8dd06c4d6350bd00a57f04b7fe/src/builtins/builtins-array.cc
[modify] https://crrev.com/b87e7623248fda8dd06c4d6350bd00a57f04b7fe/src/elements.cc
[add] https://crrev.com/b87e7623248fda8dd06c4d6350bd00a57f04b7fe/test/mjsunit/regress/regress-crbug-865312.js
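The commit message above describes the mismatch behind the DCHECK: the spec's Array.prototype.fill takes its length from the receiver's `length` property, which on a TypedArray can be an own data property shadowing the prototype accessor, while the removed fast path clamped indices against the real backing store. The following is an added example, not code from the V8 change, from the ClusterFuzz reproducer, or from this bug; the names `toLength`, `relativeIndex`, `specFill`, `withShadowedLength`, `shadowedLengthFill` and `plainArrayCases` are chosen here. It writes the spec algorithm in plain JavaScript and runs it beside the engine's own `Array.prototype.fill` on a `Uint8Array` whose `length` has been shadowed, once shorter and once longer than the 4-byte store. Engines have differed over time on whether an integer-indexed write past the store throws, so both paths tolerate a TypeError and compare only the bytes that landed. Run it with node.

```javascript
// Added example, not code from V8 or from this bug: a plain-JavaScript
// reference for the Array.prototype.fill algorithm (ToObject, then
// len = ToLength(Get(O, "length")), clamp start/end relative to len, then
// Set(O, k, value, true) for each k), compared against the engine's own
// Array.prototype.fill on a Uint8Array whose `length` has been shadowed.
// Names toLength, relativeIndex, specFill, withShadowedLength,
// shadowedLengthFill and plainArrayCases are chosen here.

// ToLength: NaN or negative -> 0, otherwise truncate and clamp to 2^53 - 1.
function toLength(v) {
  const n = Math.trunc(Number(v));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// Resolve the relative `start`/`end` arguments of fill against len.
function relativeIndex(v, len, dflt) {
  if (v === undefined) return dflt;
  const rel = Math.trunc(Number(v)) || 0;   // NaN and -0 become 0
  return rel < 0 ? Math.max(len + rel, 0) : Math.min(rel, len);
}

// Spec-shaped fill. The only length it knows about is the receiver's
// `length` property; it never looks at a TypedArray's backing store.
function specFill(O, value, start, end) {
  const len = toLength(O.length);
  const from = relativeIndex(start, len, 0);
  const to = relativeIndex(end, len, len);
  for (let k = from; k < to; k++) O[k] = value;
  return O;
}

// Build a 4-byte Uint8Array and shadow `length` with an own data property.
// This is legal: the real length is an accessor on %TypedArray%.prototype,
// and non-index keys on the instance behave like ordinary object properties.
function withShadowedLength(shadowLen) {
  const ta = new Uint8Array(4);
  Object.defineProperty(ta, 'length', { value: shadowLen, configurable: true });
  return ta;
}

// Fill a shadowed TypedArray with the engine's builtin and with specFill.
// Writes past the real 4-byte store are ignored by current engines; older
// spec text had them throw in strict code, so both paths tolerate a
// TypeError and report only the bytes that actually landed in the store.
// Array.from and the iterator use the internal array length, not the
// shadowed property, so all 4 bytes are always reported.
function shadowedLengthFill(shadowLen) {
  const engine = withShadowedLength(shadowLen);
  const reference = withShadowedLength(shadowLen);
  let threw = false;
  try { Array.prototype.fill.call(engine, 9); } catch (e) { threw = true; }
  try { specFill(reference, 9); } catch (e) { threw = true; }
  const e = Array.from(engine);
  const r = Array.from(reference);
  return {
    engine: e,
    reference: r,
    agree: e.length === r.length && e.every((b, i) => b === r[i]),
    threw,
  };
}

// Sanity check on ordinary arrays: negative, oversized and inverted ranges.
function plainArrayCases() {
  return {
    engine: [
      [1, 2, 3, 4, 5].fill(0, -2),
      [1, 2, 3].fill(7, 1, 99),
      [1, 2, 3].fill(7, 2, 1),
    ],
    reference: [
      specFill([1, 2, 3, 4, 5], 0, -2),
      specFill([1, 2, 3], 7, 1, 99),
      specFill([1, 2, 3], 7, 2, 1),
    ],
  };
}

console.log(shadowedLengthFill(2));   // shadow shorter than the store: only bytes 0 and 1 are filled
console.log(shadowedLengthFill(8));   // shadow longer than the store: all 4 bytes filled, rest ignored
console.log(plainArrayCases());
```

With the shadow set to 2, a conforming fill touches only bytes 0 and 1 even though the store holds 4; with the shadow set to 8, the fill still stops at the store boundary because the integer-indexed write, not the length, enforces it. A fast path that clamps `end` against the store while the generic path clamps against `length` is exactly the inconsistency the DCHECK in elements.cc caught, which is why the fix restricts the fast path to JSArrays.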
Jul 20
ClusterFuzz has detected this issue as fixed in range 54557:54558.
Detailed report: https://clusterfuzz.com/testcase?key=6021191413006336
Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State: end <= array->length_value() in elements.cc
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=54521:54522
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=54557:54558
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6021191413006336
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 20
ClusterFuzz testcase 6021191413006336 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 25
The NextAction date has arrived: 2018-07-25
Jul 25
Back-merging the fix is not needed since the original CL is not in 69: https://chromiumdash.appspot.com/commit/eeb583d8b89f954efd94ab884b4207187e5b9cc7
Oct 25
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jul 19
Owner: szuend@google.com
Status: Assigned (was: Untriaged)