No CL in the regression range changes the crashed files. The result is the blame information.

Author: andersca@apple.com
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f2deb423484a3df7f38b828dda9e26cf5f09d56b
Time: Wed Sep 29 23:05:50 2010
The CL last changed line 177 of file Text.cpp, which is stack frame 0.

Suspected Component: chromium-blink
Suspected Cr- Label: Cr-Blink-DOM

@andersca/ blink-DOM - Hey, would you mind assigning the above issue to concern dev ?
I really appreciate the help.

Thank you!

This is putting a lot of pressure on memory; it creates a string 2^22 characters long and then creates 2^10 copies of it. However this does not look like a classic OOM crash so we should investigate a bit further.

(See https://bugs.chromium.org/p/chromium/issues/detail?id=57347 for old context.)

Gentle Ping! Do we have any further update on this?

Thank you!

Thank you for the ping. No update.

ClusterFuzz has detected this issue as fixed in range 399407:399414.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5017619622526976

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00009f7537dd
Crash State:
  blink::Text::wholeText
  blink::TextV8Internal::wholeTextAttributeGetterCallback
  v8::internal::FunctionCallbackArguments::Call
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=399407:399414

Minimized Testcase (0.53 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96ey-ThMa_ij5-EdVg64K3WNtqA97Mns1hlYYCrdvSyv0VghoM6HlxOgO_pa9ODjDpTW5ZQaKFZQFJ5GBGFjKQITuV-tsoTQfjysdKDpDDKm9HNAdZYwDYt0m2l1jM2MH-RUD6ox2PdJtwYSuEUpGvM9dw8SQ?testcase_id=5017619622526976
<script>
            function go() {
                var e = document.getElementById("here");
                var str="A";
                for(var i = 0; i < 22; i++){
                    str += str;
                }
                for(var i = 0; i < 1<<10; i++){             
                    var txt = document.createTextNode(str);
                    e.appendChild(txt);
                }                               
                var txt = e.firstChild.wholeText;
            }
        </script>
<body onLoad="go()"<h1 id="here">


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot