crash in arrayslice function
Reported by yngwe...@gmail.com, Sep 19
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce the problem:
1. open chrome browser, "./chrome"
2. drag poc.html.
3. get crash.

I don't understand what is really going on.

What is the expected behavior?

What went wrong?
I reproduced it in V8 6.3.292.48 and the V8 in Chrome 69.0.3497.100.

windbg stack backtrace:

 # Child-SP          RetAddr           Call Site
00 00000039`6abfd6a8 00007ff7`2b673aa1 0x0
01 00000039`6abfd6b0 00007ff7`2b08e7f0 d8_exe!v8::base::OS::Abort+0x11 [d:\work\browser\chrome\v8-otherversion\v8\src\base\platform\platform-win32.cc @ 879]
02 00000039`6abfd6e0 00007ff7`2b082194 d8_exe!v8::Utils::ReportOOMFailure+0xa0 [d:\work\browser\chrome\v8-otherversion\v8\src\api.cc @ 427]
03 00000039`6abfd710 00007ff7`2b2e80b8 d8_exe!v8::internal::V8::FatalProcessOutOfMemory+0x244 [d:\work\browser\chrome\v8-otherversion\v8\src\api.cc @ 400]
04 00000039`6abfed00 00007ff7`2b2ea5de d8_exe!v8::internal::Factory::NewFixedDoubleArray+0x198 [d:\work\browser\chrome\v8-otherversion\v8\src\factory.cc @ 259]
05 00000039`6abfed60 00007ff7`2b2ea18d d8_exe!v8::internal::Factory::NewJSArrayStorage+0x12e [d:\work\browser\chrome\v8-otherversion\v8\src\factory.cc @ 2029]
06 00000039`6abfede0 00007ff7`2b2d3897 d8_exe!v8::internal::Factory::NewJSArray+0x3d [d:\work\browser\chrome\v8-otherversion\v8\src\factory.cc @ 1995]
07 (Inline Function) --------`-------- d8_exe!v8::internal::`anonymous-namespace'::FastElementsAccessor<v8::internal::`anonymous namespace'::FastHoleyDoubleElementsAccessor,v8::internal::A0x45f5b220::ElementsKindTraits<5> >::SliceImpl+0x95 [d:\work\browser\chrome\v8-otherversion\v8\src\elements.cc @ 2120]
08 00000039`6abfee20 00007ff7`2b0df44c d8_exe!v8::internal::`anonymous namespace'::ElementsAccessorBase<v8::internal::`anonymous namespace'::FastHoleyDoubleElementsAccessor,v8::internal::A0x45f5b220::ElementsKindTraits<5> >::Slice+0xa7 [d:\work\browser\chrome\v8-otherversion\v8\src\elements.cc @ 702]
09 00000039`6abfee80 00007ff7`2b0de76b d8_exe!v8::internal::Builtin_Impl_ArraySlice+0x37c [d:\work\browser\chrome\v8-otherversion\v8\src\builtins\builtins-array.cc @ 330]
0a 00000039`6abfef50 000001e0`12687421 d8_exe!v8::internal::Builtin_ArraySlice+0x3b [d:\work\browser\chrome\v8-otherversion\v8\src\builtins\builtins-array.cc @ 264]
0b 00000039`6abfef90 000003c5`8e3aa1b8 0x000001e0`12687421
0c 00000039`6abfef98 00000039`6abfefe8 0x000003c5`8e3aa1b8
0d 00000039`6abfefa0 000003c5`8e3a2201 0x00000039`6abfefe8
0e 00000039`6abfefa8 00000000`01000000 0x000003c5`8e3a2201
0f 00000039`6abfefb0 00000000`00000018 0x1000000
10 00000039`6abfefb8 000003ab`3b2846c1 0x18
11 00000039`6abfefc0 00000001`00000000 0x000003ab`3b2846c1
12 00000039`6abfefc8 000001e0`12687361 0x00000001`00000000
13 00000039`6abfefd0 00000039`6abfef90 0x000001e0`12687361
14 00000039`6abfefd8 00000000`00000024 0x00000039`6abfef90
15 00000039`6abfefe0 00000039`6abff098 0x24
16 00000039`6abfefe8 000001e0`12773234 0x00000039`6abff098
17 00000039`6abfeff0 000000ff`97d822e1 0x000001e0`12773234
18 00000039`6abfeff8 000002da`83987a59 0x000000ff`97d822e1
19 00000039`6abff000 00000006`00000000 0x000002da`83987a59
1a 00000039`6abff008 00010000`00000000 0x00000006`00000000
1b 00000039`6abff010 00000000`00000000 0x00010000`00000000

Did this work before? N/A

Chrome version: 69.0.3497.100
Channel: stable
OS Version: 10.0
Flash Version:
Sep 19
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6243631525265408.
Sep 19
Testcase 6243631525265408 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=6243631525265408.
Sep 20
Looks like an out of memory, so I'm assuming there's not much we could do here.
Dec 28
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mbarbella@google.com, Sep 19