
Issue 610634

Issue metadata

Status: WontFix
Owner:
Closed: May 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Stack-overflow in blink::LineBoxList::deleteLineBoxTree

Project Member Reported by ClusterFuzz, May 10 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5953142381871104

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffe4e315f68
Crash State:
  blink::LineBoxList::deleteLineBoxTree
  blink::LayoutBlockFlow::determineStartPosition
  blink::LayoutBlockFlow::layoutRunsAndFloats
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96yCxlD-wVjgDEO44OUSVsQi06BJIsY6e10rKk1GV_DfThJE4b-e8YvNq_o3MxVuYhS6_SWaXjpDvYcA4oh2w-NQCAdoWs3lVjgN4-MnHquE1udll4Wg5GltPonizTTLNNrFamTAFSfY6MBn08IntZGyCChEze3dVJaBu_F_AtCbf8VKXk


Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Cc: le...@chromium.org pdr@chromium.org
Labels: findit-wrong Te-Logged M-51
Owner: f...@opera.com
Status: Assigned (was: Available)
Found the culprit using the Code Search for the file - LineBoxList.cpp

Suspecting Commit - cd159234dd394de40cb354fe71444b787b3b3bb7

Review URL: https://codereview.chromium.org/1780673002

@fs: Could you please look into the issue, and if it has nothing to do with your changes and if possible, please assign it to the concerned owner.

Thank you.

Comment 2 by f...@opera.com, May 10 2016

My change was to LineBoxList::hitTest (not LineBoxList::deleteLineBoxTree), but this looks like a case of too deeply nested content which eventually ends up exhausting the stack. I'll see if I can dig something out of the TC though.

Comment 3 by f...@opera.com, May 10 2016

Status: WontFix (was: Assigned)
Running the TC in a debug build, it crashes during attach already with a very deep tree.

Project Member Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot