
Issue 610272


Issue metadata

Status: WontFix
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




ASSERTION FAILED: count <= kGenericMaxDirectMapped / sizeof(T)

Project Member Reported by ClusterFuzz, May 9 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6607054910783488

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: count <= kGenericMaxDirectMapped / sizeof(T)
  unsigned long WTF::PartitionAllocator::quantizedSize<blink::CSSParserToken>
  blink::CSSTokenizer::Scope::Scope
  

Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96ImVYpYJPP3KnYiVw716CXVaryLidA4uzMzCoWfghBVL1GE167XTgwHX95tmCW65B6ufrhDJ1WL-C7JxGjMV9df0n_EnRrSUljRuqbv67ipwj8HgaaiyjiXgZrXQlANgMK2MUURN-ticxmrPdAmLxKWLvONQ
<script>
// Build a 65,536-character string by doubling "z" sixteen times.
var styleElement = document.createElement('style');
var str = "z";
for (var i = 0; i < 16; i++) {
    str += str;
}
// Append it as 4,136 text nodes (i runs from -2 up to 6 + (129 << 5) - 1),
// giving the <style> element a 271,056,896-character body.
for (var i = -2; i < 6 + (129 << 5); i++) {
    var txt = document.createTextNode(str);
    styleElement.appendChild(txt);
}
// Inserting the element into <head> makes Blink tokenize the whole string as CSS.
document.getElementsByTagName('head')[0].appendChild(styleElement);
</script>


Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 findit-for-crash Te-Logged M-51 Pri-2
Owner: toyoshim@chromium.org
Status: Assigned (was: Available)
Author: toyoshim
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6f9ac9d3e4eaaf5185d6c9067277119bfedc72d7
Time: Mon Apr 04 12:25:50 2016
The CL last changed line 59 of file PartitionAllocator.h, which is stack frame 0.

@toyoshim: Could you please look into this issue?

Thank you.
Cc: toyoshim@chromium.org
Owner: tkent@chromium.org
My change was just a revert.
Let me assign tkent@ who is also listed in the testcase page.

Comment 3 by tkent@chromium.org, May 10 2016

Components: Blink>MemoryAllocator>Partition
Owner: ----
Status: Untriaged (was: Assigned)
Route to memory team.

Comment 4 by tasak@google.com, Aug 25 2016

Owner: tasak@google.com
Status: Assigned (was: Untriaged)

Comment 5 by tasak@google.com, Aug 25 2016

Status: WontFix (was: Assigned)
The testcase creates a string whose length is 271,056,896.
So CSSTokenizer requires 90,352,298 CSSParserTokens (size = 24).
The size is 2,168,455,152 (> 2GB).

This is OOM from the viewpoint of PartitionAlloc. If we really want to fix this, we should modify CSSTokenizer to parse too large a string.
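As an added example (not code from the issue, from Blink or from PartitionAlloc), the arithmetic behind comment 5 and the guard that the failing assertion expresses, in C++. It assumes a direct-map ceiling of 2 GiB (comment 5 only says the request exceeds 2GB) and that the tokenizer reserves one CSSParserToken per three input characters, which is the ratio that reproduces the 90,352,298 figure; both are assumptions, not values from the page.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>

// Assumption: the direct-map ceiling is taken as 2 GiB; the real constant
// is not on the page, only that 2,168,455,152 bytes exceeds it.
const size_t kGenericMaxDirectMapped = size_t{1} << 31;

// Stand-in for blink::CSSParserToken; comment 5 gives its size as 24 bytes.
struct CSSParserToken { unsigned char bytes[24]; };

// Length of the string the testcase builds: "z" doubled 16 times (65,536
// chars), appended once per iteration of i = -2 .. 6 + (129 << 5) - 1.
size_t testcaseStringLength() {
  size_t chunk = 1;
  for (int i = 0; i < 16; ++i) chunk *= 2;
  size_t nodes = 0;
  for (int i = -2; i < 6 + (129 << 5); ++i) ++nodes;
  return chunk * nodes;
}

// Assumption: one token reserved per three characters (271,056,896 / 3
// yields the 90,352,298 tokens quoted in comment 5).
size_t tokensReservedFor(size_t length) { return length / 3; }

// The check the assertion performs: divide the limit first, so the product
// count * sizeof(T) is never formed when it would wrap around size_t.
template <typename T>
bool quantizedSizeFits(size_t count) {
  return count <= kGenericMaxDirectMapped / sizeof(T);
}

// The naive form, shown only to explain why the division matters: unsigned
// multiplication wraps, so a large enough count is wrongly accepted.
template <typename T>
bool naiveSizeFits(size_t count) {
  return count * sizeof(T) <= kGenericMaxDirectMapped;  // may wrap
}

// A count whose product with sizeof(T) wraps around size_t.
template <typename T>
size_t wrappingCount() {
  return std::numeric_limits<size_t>::max() / sizeof(T) + 1;
}

int main() {
  const size_t chars = testcaseStringLength();
  const size_t tokens = tokensReservedFor(chars);
  std::printf("chars=%zu tokens=%zu bytes=%zu fits=%d\n", chars, tokens,
              tokens * sizeof(CSSParserToken),
              quantizedSizeFits<CSSParserToken>(tokens));
  return 0;
}
```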
Comment 6 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
