
Issue 629740


Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Stack-overflow in bool blink::ThreadHeap::isHeapObjectAlive<blink::CSSValue>

Project Member Reported by ClusterFuzz, Jul 20 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4985342029725696

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffce517aff8
Crash State:
  bool blink::ThreadHeap::isHeapObjectAlive<blink::CSSValue>
  bool blink::ThreadHeap::isHeapObjectAlive<blink::CSSValue>
  bool blink::ThreadHeap::isHeapObjectAlive<blink::CSSValue>
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=401557:401580

Minimized Testcase (0.30 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96RXFg_VKVZODhP4TQrU_3iljriP0CDqyipUqVUNMqul-4K_teCwzOZq26US-XWMDqAWSrU13UcnHyDyJl7gMWOs2jp4HiNeU1TM1CY1GhJ5gY0wj8lSniqJzCDqdrjBsjvo5Qva0MdH7mlj528W1efh2QZKA?testcase_id=4985342029725696
<style>
    @-webkit-keyframes anim1 {
    0% { 
        opacity: 0.5772; border-image: 26829%;
    } 
    100% {
        opacity: 0.3167;
    }
}
* { 
    -webkit-animation-name: anim1;
    -webkit-animation-duration: 1s;
function alert(s) { console.log("Alert: " + s);
"Loaded __v_176:";
 return __f_27; ;


Filer: shans

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
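The crash state above is the same Oilpan frame repeated, which means a liveness check that recursed once per nesting level of page-controlled CSS animation data until the native stack was exhausted. The page does not say which Oilpan structure made the recursion deep, so the following is an added example of the failure class and not Oilpan's code: a hypothetical CSSValueLike graph, a recursive "is this value alive" walk whose stack use grows with attacker-chosen depth, and the same check rewritten over an explicit worklist so memory use moves to the heap. All names (CSSValueLike, isAliveRecursive, isAliveIterative, makeChain) are assumptions for this illustration.

```cpp
// Simplified model of a recursive liveness walk over a page-shaped object graph.
// NOT Oilpan's code: blink::ThreadHeap::isHeapObjectAlive is only named here
// because the report above shows it recursing until the stack is exhausted.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <unordered_set>
#include <vector>

// Hypothetical stand-in for blink::CSSValue: a mark bit plus references to
// other values (e.g. list members, keyframe components).
struct CSSValueLike {
    bool marked = false;
    std::vector<CSSValueLike*> children;
};

// Recursive form: "alive if marked, or if any child is alive". Every nesting
// level costs one native stack frame, so a graph deep enough (the page decides
// how deep) overflows the thread stack. The visited set only guards against
// cycles; it does nothing about depth.
bool isAliveRecursive(const CSSValueLike* v,
                      std::unordered_set<const CSSValueLike*>& seen) {
    if (v == nullptr || !seen.insert(v).second) return false;
    if (v->marked) return true;
    for (const CSSValueLike* child : v->children)
        if (isAliveRecursive(child, seen)) return true;
    return false;
}

// Iterative form: identical answer, but the pending nodes live in a heap
// vector, so graph depth no longer translates into stack depth.
bool isAliveIterative(const CSSValueLike* root) {
    std::unordered_set<const CSSValueLike*> seen;
    std::vector<const CSSValueLike*> work;
    if (root != nullptr) work.push_back(root);
    while (!work.empty()) {
        const CSSValueLike* v = work.back();
        work.pop_back();
        if (!seen.insert(v).second) continue;   // already examined (handles cycles)
        if (v->marked) return true;
        for (const CSSValueLike* child : v->children)
            if (child != nullptr) work.push_back(child);
    }
    return false;
}

// Owns the nodes so the raw child pointers stay valid for the graph's lifetime.
struct Graph {
    std::vector<std::unique_ptr<CSSValueLike>> nodes;
    CSSValueLike* root = nullptr;
};

// Constructed input: a chain of `depth` values, optionally marked at the tail
// and closed into a cycle back to the root (the worst shape for a naive walk).
Graph makeChain(std::size_t depth, bool markTail, bool closeCycle) {
    Graph g;
    g.nodes.reserve(depth);
    for (std::size_t i = 0; i < depth; ++i) {
        g.nodes.push_back(std::make_unique<CSSValueLike>());
        if (i > 0) g.nodes[i - 1]->children.push_back(g.nodes[i].get());
    }
    if (depth > 0) {
        g.root = g.nodes.front().get();
        g.nodes.back()->marked = markTail;
        if (closeCycle) g.nodes.back()->children.push_back(g.root);
    }
    return g;
}

// Only safe for small depths: each level is a stack frame.
bool recursiveResult(std::size_t depth, bool markTail) {
    Graph g = makeChain(depth, markTail, /*closeCycle=*/true);
    std::unordered_set<const CSSValueLike*> seen;
    return isAliveRecursive(g.root, seen);
}

// Safe for any depth the heap can hold.
bool iterativeResult(std::size_t depth, bool markTail) {
    Graph g = makeChain(depth, markTail, /*closeCycle=*/true);
    return isAliveIterative(g.root);
}

int main() {
    std::printf("recursive, depth 1000, marked tail: %d\n", recursiveResult(1000, true));
    std::printf("iterative, depth 500000, marked tail: %d\n", iterativeResult(500000, true));
    std::printf("iterative, depth 500000, unmarked:   %d\n", iterativeResult(500000, false));
    // Calling recursiveResult(500000, true) here would reproduce the class of
    // crash in the report (stack exhaustion) on a default-sized thread stack.
    return 0;
}
```

The check a practitioner takes from this: any collector or tracing routine that recurses over an object graph whose shape web content controls needs either an explicit worklist or a hard depth bound, because a stack overflow in the GC is a renderer crash reachable from untrusted CSS or JavaScript.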
 
Components: Blink>CSS
Labels: -ClusterFuzz Clusterfuzz
Owner: nainar@chromium.org
Status: Started (was: Available)
Components: -Blink>CSS Infra>Client>Oilpan
Owner: ----
Status: (was: Started)
Not an issue with CSS but Oilpan. 

Comment 4 by meade@chromium.org, Aug 15 2016

Status: Untriaged
Components: Build
Status: Available (was: Untriaged)
Comment 6 by ClusterFuzz (Project Member), Sep 7 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6392947631456256

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffdd5484ff0
Crash State:
  bool blink::ThreadHeap::isHeapObjectAlive<blink::CSSValue>
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=401557:401580

Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94s_htnmRF_q4DVznp2rC_56PJjCa3Ume4PJ8CFanr2htF5EoAHB2CBCkSietrfI-txiGo_OuLFq2QqINitD7eSJRO0PtUDeoBkGxYxtix84z1WRNStGB6HOSLKd0UbriJtVxFJ5Y6O2M6Arc9XywMJ5BEGEw?testcase_id=6392947631456256
<object id="bs">
    <script>
     bs.animate([{"backgroundClip":"content-box"}, {"backgroundClip":"border-box"}], 2000);
    </script>


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 7 by ClusterFuzz (Project Member), Nov 4 2016

ClusterFuzz has detected this issue as fixed in range 429529:429535.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6392947631456256

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffdd5484ff0
Crash State:
  bool blink::ThreadHeap::isHeapObjectAlive<blink::CSSValue>
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=401557:401580
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=429529:429535

Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94s_htnmRF_q4DVznp2rC_56PJjCa3Ume4PJ8CFanr2htF5EoAHB2CBCkSietrfI-txiGo_OuLFq2QqINitD7eSJRO0PtUDeoBkGxYxtix84z1WRNStGB6HOSLKd0UbriJtVxFJ5Y6O2M6Arc9XywMJ5BEGEw?testcase_id=6392947631456256
<object id="bs">
    <script>
     bs.animate([{"backgroundClip":"content-box"}, {"backgroundClip":"border-box"}], 2000);
    </script>


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 9 by ClusterFuzz (Project Member), Dec 22 2016

Status: WontFix (was: Available)
ClusterFuzz testcase 4985342029725696 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
