New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 617809 link

Starred by 0 users
Status: Verified
Owner:
tkent@chromium.org
Closed: Jun 2016
Cc:
mummare...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug



Sign in to add a comment

alignedMaximum <= stepRange.maximum()

Project Member Reported by ClusterFuzz, Jun 6 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4923981237059584

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  alignedMaximum <= stepRange.maximum()
  blink::InputType::applyStep
  blink::InputType::stepUp
  

Minimized Testcase (7.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95kGqfjO--jS17FFqnYnr1z2Yx8xst_cEfcqfZtXnaM4WTBSF-5JPQPPJbDraqPmUwWMTK8182Vm2qq0CnoBR0F01XQPnQ3e7MaUyxAtYWeEpx9qXHNzssOL3efNRG_rYAVWnwcuymtFS2yy6J7NFks5uhU2g

Additional requirements: Requires HTTP

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Jun 6 2016

Labels: findit-wrong Te-Logged M-52
Owner: tkent@chromium.org
Status: Assigned (was: Available)
From findit tool:

Author: tkent@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4b55691123dd8bada5027a035891967383f01f5d
Time: Tue Sep 15 04:21:31 2015
The CL last changed line 753 of file InputType.cpp, which is stack frame 0.
Project Member

Comment 2 by sheriffbot@chromium.org, Jun 7 2016

Labels: -M-52 M-53 MovedFrom-52
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by tkent@chromium.org, Jun 8 2016

Components: Blink>Forms
Labels: -Pri-1 Pri-3
Status: Started (was: Assigned)
Project Member

Comment 4 by ClusterFuzz, Jun 9 2016 

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4923981237059584

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  alignedMaximum <= stepRange.maximum()
  blink::InputType::applyStep
  blink::InputType::stepUp
  

Minimized Testcase (7.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94fexIJ-h8KGQuQK0o6wbk9rJH65xsz4TrvQ2srbsSBbwR2J_F3GD5sVWRE5k6Kg72tNez0PJLw8RlxTfoovg8C3ejXibW0ioSx9jPrba_QqZ1lo-jF2_gwrli7woArgkswLNTOa4qIa6FOuTUEpXiIEj-UjA

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by bugdroid1@chromium.org, Jun 13 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ee4915d796448f4024de2c943a52b007021ead03

commit ee4915d796448f4024de2c943a52b007021ead03
Author: tkent <tkent@chromium.org>
Date: Mon Jun 13 21:59:52 2016

Fix an assertion failure in InputType::applyStep()

If stepBase is extremely larger than step or maximum, the old code produced
alignedMaximum larger than maximum().  This CL fixes it.

- The core logic is moved to StepRange class to improve testability
- Move the stream printer for Decimal because it is used in DCHECK_LE().

BUG= 617809 

Review-Url: https://codereview.chromium.org/2048943002
Cr-Commit-Position: refs/heads/master@{#399563}

[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/core/html/forms/InputType.cpp
[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/core/html/forms/StepRange.cpp
[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/core/html/forms/StepRange.h
[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/core/html/forms/StepRangeTest.cpp
[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/platform/Decimal.cpp
[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/platform/Decimal.h
[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/platform/DecimalTest.cpp
Project Member

Comment 6 by ClusterFuzz, Jun 13 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 7 by bugdroid1@chromium.org, Jun 15 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ee4915d796448f4024de2c943a52b007021ead03

commit ee4915d796448f4024de2c943a52b007021ead03
Author: tkent <tkent@chromium.org>
Date: Mon Jun 13 21:59:52 2016

Fix an assertion failure in InputType::applyStep()

If stepBase is extremely larger than step or maximum, the old code produced
alignedMaximum larger than maximum().  This CL fixes it.

- The core logic is moved to StepRange class to improve testability
- Move the stream printer for Decimal because it is used in DCHECK_LE().

BUG= 617809 

Review-Url: https://codereview.chromium.org/2048943002
Cr-Commit-Position: refs/heads/master@{#399563}

[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/core/html/forms/InputType.cpp
[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/core/html/forms/StepRange.cpp
[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/core/html/forms/StepRange.h
[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/core/html/forms/StepRangeTest.cpp
[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/platform/Decimal.cpp
[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/platform/Decimal.h
[modify] https://crrev.com/ee4915d796448f4024de2c943a52b007021ead03/third_party/WebKit/Source/platform/DecimalTest.cpp
Project Member

Comment 8 by ClusterFuzz, Jun 15 2016 

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4923981237059584

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  alignedMaximum <= stepRange.maximum()
  blink::InputType::applyStep
  blink::InputType::stepUp
  

Minimized Testcase (7.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94fexIJ-h8KGQuQK0o6wbk9rJH65xsz4TrvQ2srbsSBbwR2J_F3GD5sVWRE5k6Kg72tNez0PJLw8RlxTfoovg8C3ejXibW0ioSx9jPrba_QqZ1lo-jF2_gwrli7woArgkswLNTOa4qIa6FOuTUEpXiIEj-UjA

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment