CHECK failure: !descriptors->GetKey(i)->IsInterestingSymbol() in objects-debug.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6075410165792768

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !descriptors->GetKey(i)->IsInterestingSymbol() in objects-debug.cc
  v8::internal::Map::MapVerify
  v8::internal::Object::ObjectVerify

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=54594:54595

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6075410165792768

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jul 21
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/b6f7ea580595f98b89fc47c50f9ccfbbd3b9c448 ([runtime] use new CloneObject bytecode for some ObjectLiteralSpread cases). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jul 23
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 2
Friendly ping from the security sheriff. This is a high severity vulnerability affecting beta branch.
Aug 4
caitp: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 4
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7098f35c7ceee6c84c8951f21a6bdb4c4e692d3a

commit 7098f35c7ceee6c84c8951f21a6bdb4c4e692d3a
Author: Caitlin Potter <caitp@igalia.com>
Date: Sat Aug 04 16:48:18 2018

[CloneObjectIC] copy may_have_interesting_symbols bit to fast result map

This fixes a CHECK failure in MapVerify, and gets the correct behaviour
for uses of the well-known symbols.

BUG=v8:7611, chromium:866229
R=jkummerow@chromium.org, mvstanton@chromium.org, bmeurer@chromium.org

Change-Id: I5d679357b8807ea9d1054121d8d336fe0dd43c7c
Reviewed-on: https://chromium-review.googlesource.com/1162278
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#54905}

[modify] https://crrev.com/7098f35c7ceee6c84c8951f21a6bdb4c4e692d3a/src/ic/ic.cc
[add] https://crrev.com/7098f35c7ceee6c84c8951f21a6bdb4c4e692d3a/test/mjsunit/es9/regress/regress-866229.js
Aug 5
ClusterFuzz has detected this issue as fixed in range 54904:54905.

Detailed report: https://clusterfuzz.com/testcase?key=6075410165792768

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !descriptors->GetKey(i)->IsInterestingSymbol() in objects-debug.cc
  v8::internal::Map::MapVerify
  v8::internal::Object::ObjectVerify

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=54594:54595
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=54904:54905

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6075410165792768

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 5
ClusterFuzz testcase 6075410165792768 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 7
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 7
+awhalley@ (Security TPM) for M69 merge review.
Aug 7
Good to approve for 69 tomorrow just to give a bit more time in Canary
Aug 8
The NextAction date has arrived: 2018-08-08
Aug 8
How is the change looking in canary?
Aug 13
+jkummerow@ (CL reviewer), PTAL comment #18 and #21. Thank you.
Aug 13
This is the same situation as crbug.com/866282#c24. M69 is not affected. Sheriffbot should learn to look at actual branches for DEPS'ed in projects, not just commit dates.
Nov 11
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jul 21
Labels: Test-Predator-Auto-Components