New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 627805 link

Starred by 1 user
Status: WontFix
Owner:
dominicc@chromium.org
Last visit > 30 days ago
Closed: Jul 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Sign in to add a comment

Crash in blink::Text::wholeText

Project Member Reported by ClusterFuzz, Jul 13 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5405346202124288

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN WRITE
Crash Address: 0x0000fbadbeef
Crash State:
  blink::Text::wholeText
  blink::TextV8Internal::wholeTextAttributeGetterCallback
  v8::internal::FunctionCallbackArguments::Call
  

Minimized Testcase (1.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96H-nGd_c2KvWEYklfuDkbtZHQvvFOq_Zfbro-Yy7LvEsq3Kpga_VDuLX-vyjTiAcb7qu8Uwe3SYYlHHn2PAgShN6g74zjgOEySwZ5SFdvJv7ULsG5dHG8XhVjnAauSVo0aHO_6EwE5MB1Pw39DOroNmcX-0A?testcase_id=5405346202124288

Filer: brajkumar

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by brajkumar@chromium.org, Jul 13 2016

Components: Blink
Labels: -Pri-1 findit-wrong Te-Logged Pri-2
Owner: tasak@chromium.org
Status: Assigned (was: Available)
Through code search on file "Text.h" from frame #0 suspecting the below change
Review URL: https://codereview.chromium.org/1074703002


tasak@ - Could you please check if this is caused with respect to this change, if not please help us in reassign the issue to the right owner.

Thanks!

Comment 2 by dtapu...@chromium.org, Jul 13 2016

Components: -Blink Blink>DOM

Comment 3 by dominicc@chromium.org, Jul 15 2016

Owner: dominicc@chromium.org
Status: WontFix (was: Assigned)
dtapuska, when you see ClusterFuzz crashes in wholeText you should look at the repro code (follow the Detailed Report link, then Minimized Test Case/View link.)

If the repro contains code like this:

var str="z";
for (var i = 0; i < 16; i++) {
    str += str;
}
for (var i = 0; i < 1+(1<<16); i++){
    var txt = document.createTextNode(str);
    styleElement.appendChild(txt);
}

The loops are the giveaway. They are just allocating a ton of memory (the first one makes a string that's 2^16 characters ~65K long; the second one appends that to a style element 2^16 times. So that's gigabytes of strings.)

It's probably OK to ignore these.
Project Member

Comment 4 by ClusterFuzz, Sep 23 2016 

ClusterFuzz has detected this issue as fixed in range 420372:420465.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5405346202124288

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN WRITE
Crash Address: 0x0000fbadbeef
Crash State:
  blink::Text::wholeText
  blink::TextV8Internal::wholeTextAttributeGetterCallback
  v8::internal::FunctionCallbackArguments::Call
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=420372:420465

Minimized Testcase (1.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96H-nGd_c2KvWEYklfuDkbtZHQvvFOq_Zfbro-Yy7LvEsq3Kpga_VDuLX-vyjTiAcb7qu8Uwe3SYYlHHn2PAgShN6g74zjgOEySwZ5SFdvJv7ULsG5dHG8XhVjnAauSVo0aHO_6EwE5MB1Pw39DOroNmcX-0A?testcase_id=5405346202124288

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment