ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6004324258021376

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000396
Crash State:
  blink::getPropertyNameString
  blink::InlineStylePropertyMap::getIterationEntries
  blink::StylePropertyMap::startIteration
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=398852:398867

Minimized Testcase (2.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Aqd81vhpH8PfSFK22ZWXu3dpyxgTtKdsX6OsJqn3UX-nX59QjmLXuXxSefb_seLzQ4kmPJFuYaf0gxSMw0YFh1cfNGCZ46ZuuQbdB9ObKH3v1RVb8A7XfuO3S5BRpeIs8H1-VabEZ9XYFdjrHIlZv9yGCnA?testcase_id=6004324258021376

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

meade@, could you take a look?

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6004324258021376

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000396
Crash State:
  blink::getPropertyNameString
  blink::InlineStylePropertyMap::getIterationEntries
  blink::StylePropertyMap::startIteration
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=398852:398867

Minimized Testcase (2.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Aqd81vhpH8PfSFK22ZWXu3dpyxgTtKdsX6OsJqn3UX-nX59QjmLXuXxSefb_seLzQ4kmPJFuYaf0gxSMw0YFh1cfNGCZ46ZuuQbdB9ObKH3v1RVb8A7XfuO3S5BRpeIs8H1-VabEZ9XYFdjrHIlZv9yGCnA?testcase_id=6004324258021376

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

@Tim: Is it possible for inlineStyleSet.propertyAt(i).id() to ever return something outside (id >= firstCSSProperty && id <= lastUnresolvedCSSProperty)?

That's the only way I can think of that could cause this code to crash when calling getPropertyNameString at that point...

For custom properties it'll be CSSPropertyVariable and for @apply rules it'll be CSSPropertyApplyAtRule, both < firstCSSProperty. Everything else should be between firstCSSProperty and lastCSSProperty.

It sounds like it is possible then, and there is probably a bug here. I'll have a look at fixing it tomorrow then.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7e1e6ff72cd56eb5c6bbbf741ceff1c1ccee186f

commit 7e1e6ff72cd56eb5c6bbbf741ceff1c1ccee186f
Author: meade <meade@chromium.org>
Date: Tue Jul 05 07:07:09 2016

Add support for custom properties and @apply when iterating InlineStylePropertyMap

This should prevent crashes when a custom property is set on
an element.

BUG= 619010 

Review-Url: https://codereview.chromium.org/2115673003
Cr-Commit-Position: refs/heads/master@{#403747}

[modify] https://crrev.com/7e1e6ff72cd56eb5c6bbbf741ceff1c1ccee186f/third_party/WebKit/LayoutTests/typedcssom/inlinestyle/inlineStylePropertyMap_iteration.html
[modify] https://crrev.com/7e1e6ff72cd56eb5c6bbbf741ceff1c1ccee186f/third_party/WebKit/Source/core/css/cssom/InlineStylePropertyMap.cpp

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot