Issue 600916

Issue metadata

Status: WontFix
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

CHECK failed: count <= kGenericMaxDirectMapped / sizeof(T) in PartitionAllocator

Project Member Reported by ClusterFuzz, Apr 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5288533316599808

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  CHECK failed: count <= kGenericMaxDirectMapped / sizeof(T) in PartitionAllocator
  blink::CSSTokenizer::Scope::Scope
  blink::CSSParserImpl::parseStyleSheet
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286

Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94GSl9cbhhf-fgOLHtoF1xkJdXJXdXTGQ5mOCYTdwj2iAJ0ueM_wR2_mRo_1GkLt4vjxfJwx1ScjQQQvMz2bQdvMrmTcwYz2N9RbfhlJTmy3ZAqyBuowoWz_6kroicCBDAC1WBIX90WhNafKQH1IK0xi3YLQg
<script>
var styleElement = document.createElement('style');
var str="z";
for (var i = 0; i < 16; i++) {
    str += str;
}
for (var i = -2; i < 6+(129<<5); i++){
    var txt = document.createTextNode(str);
    styleElement.appendChild(txt);
}
document.getElementsByTagName('head')[0].appendChild(styleElement);
  </script>


Filer: nainar

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Components: Blink>CSS
Comment 2 by ClusterFuzz (Project Member), Apr 6 2016

ClusterFuzz has detected this issue as fixed in range 384695:385240.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5288533316599808

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  CHECK failed: count <= kGenericMaxDirectMapped / sizeof(T) in PartitionAllocator
  blink::CSSTokenizer::Scope::Scope
  blink::CSSParserImpl::parseStyleSheet
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=384695:385240

Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94GSl9cbhhf-fgOLHtoF1xkJdXJXdXTGQ5mOCYTdwj2iAJ0ueM_wR2_mRo_1GkLt4vjxfJwx1ScjQQQvMz2bQdvMrmTcwYz2N9RbfhlJTmy3ZAqyBuowoWz_6kroicCBDAC1WBIX90WhNafKQH1IK0xi3YLQg
<script>
var styleElement = document.createElement('style');
var str="z";
for (var i = 0; i < 16; i++) {
    str += str;
}
for (var i = -2; i < 6+(129<<5); i++){
    var txt = document.createTextNode(str);
    styleElement.appendChild(txt);
}
document.getElementsByTagName('head')[0].appendChild(styleElement);
  </script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Owner: timloh@chromium.org
Status: Assigned (was: Available)
Status: WontFix (was: Assigned)
Closing because Clusterfuzz thinks it's been fixed (the test is just using up heaps of memory and it doesn't seem like we're handling it badly).
Comment 5 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot