Stack-overflow in blink::LineBoxList::deleteLineBoxTree |
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5953142381871104
Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7ffe4e315f68
Crash State:
blink::LineBoxList::deleteLineBoxTree
blink::LayoutBlockFlow::determineStartPosition
blink::LayoutBlockFlow::layoutRunsAndFloats
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96yCxlD-wVjgDEO44OUSVsQi06BJIsY6e10rKk1GV_DfThJE4b-e8YvNq_o3MxVuYhS6_SWaXjpDvYcA4oh2w-NQCAdoWs3lVjgN4-MnHquE1udll4Wg5GltPonizTTLNNrFamTAFSfY6MBn08IntZGyCChEze3dVJaBu_F_AtCbf8VKXk
Filer: rnimmagadda
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 10 2016
My change was to LineBoxList::hitTest (not LineBoxList::deleteLineBoxTree), but this looks like a case of too deeply nested content which eventually ends up exhausting the stack. I'll see if I can dig something out of the TC though.
May 10 2016
Running the TC in a debug build, it already crashes during attach, with a very deep tree.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rnimmagadda@chromium.org, May 10 2016
Labels: findit-wrong Te-Logged M-51
Owner: f...@opera.com
Status: Assigned (was: Available)