
Issue 596490

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 462234
Owner:
Last visit > 30 days ago
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




Crash in blink::Text::wholeText

Project Member Reported by ClusterFuzz, Mar 21 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5017619622526976

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00009f7537dd
Crash State:
  blink::Text::wholeText
  blink::TextV8Internal::wholeTextAttributeGetterCallback
  v8::internal::FunctionCallbackArguments::Call
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=144946:145047

Minimized Testcase (0.53 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97Jv1nl1HF5BF4gChF6zsY85LTbvhsfi9k4JS-8hOBILTMFqgPrX8c4VMS10MYcMQq0niuqB4AGVChnO2vPBAPLUOIyCrHmb_SgnqJOs-assJ8SbubX4Vk-1DMzi3xDHYqI7KaMm3iV3X16xD7xAuH-2ot1Lw
<script>
    function go() {
        var e = document.getElementById("here");
        // Double the string 22 times: 2^22 characters of "A".
        var str = "A";
        for (var i = 0; i < 22; i++) {
            str += str;
        }
        // Append 2^10 adjacent text nodes, each holding that string.
        for (var i = 0; i < 1 << 10; i++) {
            var txt = document.createTextNode(str);
            e.appendChild(txt);
        }
        // wholeText concatenates all adjacent text nodes; this is where the crash occurs.
        var txt = e.firstChild.wholeText;
    }
</script>
<body onLoad="go()"<h1 id="here">


Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ashej...@chromium.org ander...@apple.com
Components: Blink>DOM
Labels: -Type-Bug Needs-triage findit-wrong Te-Logged Type-Bug-Regression
Status: Untriaged (was: Available)
No CL in the regression range changes the crashed files. The result is the blame information.

Author: andersca@apple.com
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f2deb423484a3df7f38b828dda9e26cf5f09d56b
Time: Wed Sep 29 23:05:50 2010
The CL last changed line 177 of file Text.cpp, which is stack frame 0.

Suspected Component: chromium-blink
Suspected Cr- Label: Cr-Blink-DOM

@andersca/ blink-DOM - Hey, would you mind assigning the above issue to the concerned dev?
I really appreciate the help.

Thank you!

This is putting a lot of pressure on memory; it creates a string 2^22 characters long and then creates 2^10 copies of it. However, this does not look like a classic OOM crash, so we should investigate a bit further.

Labels: -Pri-1 Pri-2
Owner: dominicc@chromium.org
Status: Available (was: Untriaged)

Status: Assigned (was: Available)
Labels: -Needs-triage

Gentle Ping! Do we have any further update on this?

Thank you!

Cc: tkent@chromium.org
Thank you for the ping. No update.

Mergedinto: 462234
Status: Duplicate (was: Assigned)

Project Member Comment 9 by ClusterFuzz, Sep 12 2016

ClusterFuzz has detected this issue as fixed in range 399407:399414.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5017619622526976

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00009f7537dd
Crash State:
  blink::Text::wholeText
  blink::TextV8Internal::wholeTextAttributeGetterCallback
  v8::internal::FunctionCallbackArguments::Call
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=399407:399414

Minimized Testcase (0.53 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96ey-ThMa_ij5-EdVg64K3WNtqA97Mns1hlYYCrdvSyv0VghoM6HlxOgO_pa9ODjDpTW5ZQaKFZQFJ5GBGFjKQITuV-tsoTQfjysdKDpDDKm9HNAdZYwDYt0m2l1jM2MH-RUD6ox2PdJtwYSuEUpGvM9dw8SQ?testcase_id=5017619622526976
<script>
    function go() {
        var e = document.getElementById("here");
        // Double the string 22 times: 2^22 characters of "A".
        var str = "A";
        for (var i = 0; i < 22; i++) {
            str += str;
        }
        // Append 2^10 adjacent text nodes, each holding that string.
        for (var i = 0; i < 1 << 10; i++) {
            var txt = document.createTextNode(str);
            e.appendChild(txt);
        }
        // wholeText concatenates all adjacent text nodes; this is where the crash occurs.
        var txt = e.firstChild.wholeText;
    }
</script>
<body onLoad="go()"<h1 id="here">


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 10 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
