Crash in blink::Text::wholeText

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5405346202124288
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: UNKNOWN WRITE
Crash Address: 0x0000fbadbeef
Crash State:
  blink::Text::wholeText
  blink::TextV8Internal::wholeTextAttributeGetterCallback
  v8::internal::FunctionCallbackArguments::Call
Minimized Testcase (1.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96H-nGd_c2KvWEYklfuDkbtZHQvvFOq_Zfbro-Yy7LvEsq3Kpga_VDuLX-vyjTiAcb7qu8Uwe3SYYlHHn2PAgShN6g74zjgOEySwZ5SFdvJv7ULsG5dHG8XhVjnAauSVo0aHO_6EwE5MB1Pw39DOroNmcX-0A?testcase_id=5405346202124288
Filer: brajkumar
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jul 13 2016

Jul 15 2016
dtapuska, when you see ClusterFuzz crashes in wholeText you should look at the repro code (follow the Detailed Report link, then Minimized Test Case/View link.)
If the repro contains code like this:
    // Seed string; each pass of the first loop doubles it (2^16 chars after 16 passes).
    var str="z";
    for (var i = 0; i < 16; i++) {
        str += str;
    }
    // Second loop creates 1+(1<<16) text nodes from that string and appends each one
    // to an existing <style> element (styleElement is defined elsewhere in the testcase).
    for (var i = 0; i < 1+(1<<16); i++){
        var txt = document.createTextNode(str);
        styleElement.appendChild(txt);
    }
The loops are the giveaway. They are just allocating a ton of memory (the first one makes a string that's 2^16 characters ~65K long; the second one appends that to a style element 2^16 times. So that's gigabytes of strings.)
It's probably OK to ignore these.
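The following triage helper is an added example, not code from the Chromium bug, from ClusterFuzz, or from the commenter above. It recognises the two-loop shape quoted in the comment (double a seed string N times, then create a text node from it M times) in a minimized testcase and estimates the string data that pattern would allocate, so a reviewer can flag a likely memory-exhaustion false positive without running the testcase. The regexes, the small bound evaluator (used instead of eval() because testcase text is untrusted input), the one-byte-per-character assumption for Latin-1 strings, the assumption that every text node holds its own copy, and the 1 GiB "likely OOM" threshold are all this example's own choices.

```javascript
// Added triage helper (not part of Chromium or ClusterFuzz). It spots the
// "double a string N times, then createTextNode() it M times" pattern and
// estimates the bytes that pattern would allocate.

// Shape of the first loop:  for (var i = 0; i < N; i++) { s += s; }
const DOUBLING_LOOP =
  /for\s*\(\s*var\s+(\w+)\s*=\s*0\s*;\s*\1\s*<\s*([^;]+);\s*\1\+\+\s*\)\s*\{\s*(\w+)\s*\+=\s*\3\s*;?\s*\}/;
// Shape of the second loop: for (var i = 0; i < M; i++) { ... createTextNode(s) ... }
const APPEND_LOOP =
  /for\s*\(\s*var\s+(\w+)\s*=\s*0\s*;\s*\1\s*<\s*([^;]+);\s*\1\+\+\s*\)\s*\{[^}]*createTextNode\(\s*(\w+)\s*\)[^}]*\}/;
// Seed string:              var s = "...";
const SEED_STRING = /var\s+(\w+)\s*=\s*"([^"]*)"/;

// Evaluate a loop bound made only of integers, '+', '*', '<<' and parentheses
// (enough for bounds such as 1+(1<<16)). A tiny recursive-descent parser is
// used rather than eval()/Function() because the testcase text is untrusted.
// JavaScript precedence is kept: '+' and '*' bind tighter than '<<'.
function evalBound(src) {
  const tokens = src.match(/\d+|<<|[+*()]/g) || [];
  if (tokens.join('') !== src.replace(/\s+/g, '')) throw new Error('unsupported bound: ' + src);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  function primary() {
    const t = next();
    if (t === '(') { const v = shift(); if (next() !== ')') throw new Error('missing )'); return v; }
    if (/^\d+$/.test(t)) return Number(t);
    throw new Error('bad token ' + t);
  }
  function product() { let v = primary(); while (peek() === '*') { next(); v *= primary(); } return v; }
  function sum() { let v = product(); while (peek() === '+') { next(); v += product(); } return v; }
  // Multiply by a power of two instead of using '<<' so large values do not wrap at 32 bits.
  function shift() { let v = sum(); while (peek() === '<<') { next(); v = v * 2 ** sum(); } return v; }
  const v = shift();
  if (pos !== tokens.length) throw new Error('trailing tokens in bound: ' + src);
  return v;
}

// Returns null when the pattern is absent, otherwise the estimated allocation.
// bytesPerChar defaults to 1 (assumption: a Latin-1 seed is stored as 8-bit characters).
function estimateReproAllocation(testcaseSource, bytesPerChar = 1) {
  const seed = testcaseSource.match(SEED_STRING);
  const dbl = testcaseSource.match(DOUBLING_LOOP);
  const app = testcaseSource.match(APPEND_LOOP);
  // All three pieces must refer to the same variable, otherwise this is not the pattern.
  if (!seed || !dbl || !app || seed[1] !== dbl[3] || dbl[3] !== app[3]) return null;
  const doublings = evalBound(dbl[2]);
  const copies = evalBound(app[2]);
  const strLength = seed[2].length * 2 ** doublings; // characters after N doublings
  // Upper bound: assumes every text node keeps its own copy of the string.
  const bytes = strLength * copies * bytesPerChar;
  return { variable: seed[1], strLength, copies, bytes, likelyOom: bytes >= 1024 ** 3 };
}

// Constructed sample: the repro fragment quoted in the comment above.
const SAMPLE_TESTCASE = `
var str="z";
for (var i = 0; i < 16; i++) {
str += str;
}
for (var i = 0; i < 1+(1<<16); i++){
var txt = document.createTextNode(str);
styleElement.appendChild(txt);
}
`;

console.log(estimateReproAllocation(SAMPLE_TESTCASE));
```

For the quoted fragment the helper reports a 65536-character string copied 65537 times, about 4 GiB under the one-copy-per-node assumption, and marks the testcase as a likely OOM rather than a memory-safety bug. The threshold is deliberately coarse; the point is to make the "allocating loop" giveaway mechanical, not to replace reading the testcase.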

Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 420372:420465.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5405346202124288
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: UNKNOWN WRITE
Crash Address: 0x0000fbadbeef
Crash State:
  blink::Text::wholeText
  blink::TextV8Internal::wholeTextAttributeGetterCallback
  v8::internal::FunctionCallbackArguments::Call
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=420372:420465
Minimized Testcase (1.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96H-nGd_c2KvWEYklfuDkbtZHQvvFOq_Zfbro-Yy7LvEsq3Kpga_VDuLX-vyjTiAcb7qu8Uwe3SYYlHHn2PAgShN6g74zjgOEySwZ5SFdvJv7ULsG5dHG8XhVjnAauSVo0aHO_6EwE5MB1Pw39DOroNmcX-0A?testcase_id=5405346202124288
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by brajkumar@chromium.org, Jul 13 2016
Labels: -Pri-1 findit-wrong Te-Logged Pri-2
Owner: tasak@chromium.org
Status: Assigned (was: Available)