Crash in blink::Text::wholeText
Issue description (May 17 2016)

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6001474831646720

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00009f7537dd
Crash State:
  blink::Text::wholeText
  blink::TextV8Internal::wholeTextAttributeGetter
  blink::TextV8Internal::wholeTextAttributeGetterCallback

Minimized Testcase (0.53 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94Sb-XDWH7wMmPJDhDLfINBugp4McjA5l2VyB48aUohzMvjXVrwqUaVnSyunVX9eu26aNkJ1Rly732yZE6CVqyJQ1inwUVPqQyPso4GohyuB7TpY73iOdN-y24L5Lnc2CAgtNWPdyJAcn1nvi5pCJnC3YBOJQ

  <script>
  function go() {
    var e = document.getElementById("here");
    var str="A";
    for(var i = 0; i < 22; i++){
      str += str;
    }
    for(var i = 0; i < 1<<10; i++){
      var txt = document.createTextNode(str);
      e.appendChild(txt);
    }
    var txt = e.firstChild.wholeText;
  }
  </script>
  <body onLoad="go()"<h1 id="here">

Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
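Added example, not part of the ClusterFuzz report and not Chromium code: a DOM-free model of what the minimized testcase asks Text.wholeText to produce. The testcase doubles "A" 22 times (a 2^22-character string) and appends it as 1 << 10 separate Text nodes, then reads wholeText on the first one; per the DOM Standard, wholeText concatenates the whole contiguous run of Text siblings. The model below keeps only node lengths instead of the text itself, so the size of that run can be computed without allocating it. The node objects, helper names (createElement, createTextNode, appendChild, wholeTextLength, buildTestcaseShape, testcaseWholeTextLength, fitsInUint32) and the 32-bit check are assumptions made for this example; the report does not state the root cause of the UNKNOWN READ.

```javascript
// Toy stand-ins for DOM nodes (constructed for this example, not Blink's
// data structures). Only sibling links and Text lengths are modelled.
const ELEMENT_NODE = 1;
const TEXT_NODE = 3;

function createElement() {
  return { nodeType: ELEMENT_NODE, firstChild: null, lastChild: null,
           previousSibling: null, nextSibling: null };
}

// A Text node that remembers its length but never stores its data.
function createTextNode(length) {
  return { nodeType: TEXT_NODE, length, previousSibling: null, nextSibling: null };
}

function appendChild(parent, node) {
  node.previousSibling = parent.lastChild;
  node.nextSibling = null;
  if (parent.lastChild) parent.lastChild.nextSibling = node;
  else parent.firstChild = node;
  parent.lastChild = node;
  return node;
}

// Length of the string node.wholeText would have to return: the sum over the
// contiguous run of Text siblings containing `node` (DOM Standard rule).
// Any non-Text sibling (element, comment) ends the run on that side.
function wholeTextLength(node) {
  let start = node;
  while (start.previousSibling && start.previousSibling.nodeType === TEXT_NODE) {
    start = start.previousSibling;
  }
  let total = 0;
  for (let n = start; n && n.nodeType === TEXT_NODE; n = n.nextSibling) {
    total += n.length;
  }
  return total;
}

// Rebuild the testcase's tree shape with its loop bounds as parameters:
// "A" doubled `doublings` times gives 2^doublings characters per node, and
// the testcase appends `copies` such nodes under a single element.
function buildTestcaseShape(doublings, copies) {
  const e = createElement();
  const len = 2 ** doublings;
  for (let i = 0; i < copies; i++) appendChild(e, createTextNode(len));
  return e;
}

// wholeText length the testcase requests; defaults are the testcase's own
// bounds (22 doublings, 1 << 10 copies), i.e. 2^22 * 2^10 = 2^32 characters.
function testcaseWholeTextLength(doublings = 22, copies = 1 << 10) {
  return wholeTextLength(buildTestcaseShape(doublings, copies).firstChild);
}

// Whether a length fits an unsigned 32-bit integer. This is a triage check,
// not a claim about Blink's representation: the testcase's total is exactly
// 2^32, one past the largest uint32 value.
function fitsInUint32(n) {
  return Number.isInteger(n) && n >= 0 && n <= 0xFFFFFFFF;
}

console.log(`wholeText length requested by the testcase: ${testcaseWholeTextLength()}`);
console.log(`fits in uint32: ${fitsInUint32(testcaseWholeTextLength())}`);
```

Running the model with smaller bounds (for example testcaseWholeTextLength(3, 4)) gives the same structure at a size a debug build handles comfortably, which is useful when bisecting the repro rather than reproducing the full 4 GiB run.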
Sep 8 2016

ClusterFuzz has detected this issue as fixed in range 399276:400924.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6001474831646720

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00009f7537dd
Crash State:
  blink::Text::wholeText
  blink::TextV8Internal::wholeTextAttributeGetter
  blink::TextV8Internal::wholeTextAttributeGetterCallback

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=399276:400924

Minimized Testcase (0.53 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94m-8L9t_KS3G2NNPBs4TXOOu-cexTkz552LpPcQaJ-zu7qn0gyiz7ZXaQL0EjTt6iXO3p-PuicOrSl5h7h9xK1C0QCAwY-JDIcjvS24jmCA_M9eEZgwKyR45i5_cwQjLq_6pVuqb8YgconesjLCU7Fv62zFQ?testcase_id=6001474831646720

  <script>
  function go() {
    var e = document.getElementById("here");
    var str="A";
    for(var i = 0; i < 22; i++){
      str += str;
    }
    for(var i = 0; i < 1<<10; i++){
      var txt = document.createTextNode(str);
      e.appendChild(txt);
    }
    var txt = e.firstChild.wholeText;
  }
  </script>
  <body onLoad="go()"<h1 id="here">

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ranjitkan@chromium.org, May 17 2016

Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 findit-for-crash Te-Logged M-52 Pri-2