Issue 628558 link

Starred by 1 user

Issue metadata

Status:	Assigned
Owner:	kouhei@chromium.org
Components:	Blink>HTML>Parser
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	2
Type:	Bug

HTMLTreeBuilder::processStartTag crashes at ASSERT_NOT_REACHED

Project Member Reported by yukishiino@chromium.org, Jul 15 2016

Issue description

Version: ToT (Version 54.0.2798.0 (64-bit) )

What steps will reproduce the problem?
(1) Open the attached html on DEBUG build.
(2) Browser crashes with ASSERT_NOT_REACHED();

The issue was originally reported at
https://bugs.chromium.org/p/chromium/issues/detail?id=459380#c32

======== original report ========
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4567749313691648

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT_NOT_REACHED
Crash Address: 
Crash State:
  blink::HTMLTreeBuilder::processStartTag
  blink::HTMLTreeBuilder::processToken
  blink::HTMLTreeBuilder::constructTree
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696

Minimized Testcase (0.04 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95W8AXm2kRmGksW1yDpF6fbmYp3IaY_ld_F5VIBZaqp98yZScoGlOgsApF6nTbbJK3lw8uKbFATRHSOaXLk22INftkIUQ1cIEgpEuB7HBC95KVj4BNRjWOyVllYFDiyOFd77sBaosgtXff5MBd2WMgBE5_y9w?testcase_id=4567749313691648
<svg>
	<desc    }</style>
</body><style>
<p>


Additional requirements: Requires Gestures

Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

fuzz-twister-tspan-outline1468383004.64.html
44 bytes View Download

Comment 1 by kouhei@chromium.org, Jul 15 2016

Owner: kouhei@chromium.org
Status: Assigned (was: Untriaged)

►

Issue 628558 link

Issue metadata

HTMLTreeBuilder::processStartTag crashes at ASSERT_NOT_REACHED

Issue description

Comment 1 by kouhei@chromium.org, Jul 15 2016

Comment 1 Deleted

Sign in to add a comment