Integer-overflow in blink::CounterNode::computeCountInParent
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6035924976926720
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::CounterNode::computeCountInParent
  blink::CounterNode::insertAfter
  blink::makeCounterNodeIfNeeded
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95bxLWGa5KeA_b_wojGJCQINpbZVvcEQCdXgOKrfjGUugEPkKRdCar1bzhawnYk4fob2mdasCrwfEurEmmbereJ4lSMmIySrdr5kLrb4_boFbdgMSRgDWTVV9qblsIfVwHy9XOs1eRuCMn3Q4OOn1NEZ_qfIg?testcase_id=6035924976926720
Issue manually filed by: ranjitkan
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 8 2016
Wrong Darin and that CL is from 2007 ;-) -> dglazkov to find a better owner
Aug 8 2016
to HTML/DOM team for triage.
Aug 12 2016
CounterNode is in layout area.
Aug 15 2016
../../third_party/WebKit/Source/core/layout/CounterNode.cpp:152:30: runtime error: signed integer overflow: 2147483647 + 2147483647 cannot be represented in type 'int'
#0 0x541d1c1 in ?? ./out/ubsan/../../third_party/WebKit/Source/core/layout/CounterNode.cpp:152:30
#1 0x541d641 in insertAfter ./out/ubsan/../../third_party/WebKit/Source/core/layout/CounterNode.cpp:275:47
#2 0x51817ea in makeCounterNodeIfNeeded ./out/ubsan/../../third_party/WebKit/Source/core/layout/LayoutCounter.cpp:367:18
#3 0x5182be6 in layoutObjectStyleChanged ./out/ubsan/../../third_party/WebKit/Source/core/layout/LayoutCounter.cpp:606:13
#4 0x51f1f5b in styleDidChange ./out/ubsan/../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:1836:9
#5 0x51770a5 in styleDidChange ./out/ubsan/../../third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp:183:19
#6 0x51c6a54 in styleDidChange ./out/ubsan/../../third_party/WebKit/Source/core/layout/LayoutInline.cpp:153:27
#7 0x51f04d7 in setStyle ./out/ubsan/../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:1705:5
#8 0x47a0a2d in recalcOwnStyle ./out/ubsan/../../third_party/WebKit/Source/core/dom/Element.cpp:1809:27
#9 0x47a02fb in recalcStyle ./out/ubsan/../../third_party/WebKit/Source/core/dom/Element.cpp:1739:22
#10 0x473528c in recalcDescendantStyles ./out/ubsan/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1215:26
#11 0x47a03ed in recalcStyle ./out/ubsan/../../third_party/WebKit/Source/core/dom/Element.cpp:1755:13
#12 0x473528c in recalcDescendantStyles ./out/ubsan/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1215:26
#13 0x47a03ed in recalcStyle ./out/ubsan/../../third_party/WebKit/Source/core/dom/Element.cpp:1755:13
#14 0x475d59d in updateStyle ./out/ubsan/../../third_party/WebKit/Source/core/dom/Document.cpp:1800:30
#15 0x4757e1c in updateStyleAndLayoutTree ./out/ubsan/../../third_party/WebKit/Source/core/dom/Document.cpp:1734:5
#16 0x4e46a60 in updateStyleAndLayoutIfNeededRecursiveInternal ./out/ubsan/../../third_party/WebKit/Source/core/frame/FrameView.cpp:2718:26
#17 0x4e45736 in updateStyleAndLayoutIfNeededRecursive ./out/ubsan/../../third_party/WebKit/Source/core/frame/FrameView.cpp:2698:5
#18 0x4e4497e in updateLifecyclePhasesInternal ./out/ubsan/../../third_party/WebKit/Source/core/frame/FrameView.cpp:2544:5
#19 0x502f8a8 in updateAllLifecyclePhases ./out/ubsan/../../third_party/WebKit/Source/core/page/PageAnimator.cpp:85:11
#20 0x4412629 in updateAllLifecyclePhases ./out/ubsan/../../third_party/WebKit/Source/web/WebViewImpl.cpp:2017:5
#21 0x2df78e9 in BeginMainFrame ./out/ubsan/../../cc/trees/proxy_main.cc:203:21
#22 0x2e0c270 in Invoke<const base::WeakPtr<cc::ProxyMain> &, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > ./out/ubsan/../../base/bind_internal.h:214:12
#23 0x2e0c17f in RunImpl<void (cc::ProxyMain::*const &)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), const std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > > &, 0, 1> ./out/ubsan/../../base/bind_internal.h:346:12
#24 0x22fed5f in RunTask ./out/ubsan/../../base/debug/task_annotator.cc:54:21
#25 0x4305fbf in ProcessTaskFromWorkQueue ./out/ubsan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:315:19
#26 0x4304273 in DoWork ./out/ubsan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:218:13
#27 0x22fed5f in RunTask ./out/ubsan/../../base/debug/task_annotator.cc:54:21
#28 0x2227eef in RunTask ./out/ubsan/../../base/message_loop/message_loop.cc:488:19
#29 0x222883d in DeferOrRunPendingTask ./out/ubsan/../../base/message_loop/message_loop.cc:497:5
#30 0x2229476 in DoWork ./out/ubsan/../../base/message_loop/message_loop.cc:621:13
#31 0x2233126 in Run ./out/ubsan/../../base/message_loop/message_pump_default.cc:35:31
#32 0x226860c in ?? ./out/ubsan/../../base/run_loop.cc:35:10
#33 0x3e73fcd in RendererMain ./out/ubsan/../../content/renderer/renderer_main.cc:198:23
#34 0x17fa8f0 in RunZygote ./out/ubsan/../../content/app/content_main_runner.cc:343:14
#35 0x17fce1c in Run ./out/ubsan/../../content/app/content_main_runner.cc:785:12
#36 0x17f26f8 in ContentMain ./out/ubsan/../../content/app/content_main.cc:20:28
#37 0x441e69 in main ./out/ubsan/../../content/shell/app/shell_main.cc:48:10
#38 0x7ff602c17f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
#39 0x427390 in _start ??:?
That's this line:
int CounterNode::computeCountInParent() const
{
[...]
return m_parent->m_value + increment;
I don't believe this is actually a regression. Also not sure this is actually a bug, though either way we should fix the ubsan/clusterfuzz warning.
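The arithmetic UBSan flagged is a plain `int` addition of a parent counter value and a child increment, and the reported operands (2147483647 + 2147483647) are exactly what a `counter-reset` to INT_MAX followed by a `counter-increment` of INT_MAX would feed into it. The following is an added example, not Blink's code and not the minimized ClusterFuzz testcase: a hypothetical, simplified stand-in for `blink::CounterNode` (the real `computeCountInParent` has more logic, elided on this page with `[...]`) that shows the unchecked pattern from the report beside an overflow predicate and a saturating form. The saturating strategy is an assumption for illustration; the fix Chromium eventually applied is not shown on this page.

```cpp
// Added example (not Blink's code): a minimal model of the CSS counter math
// that UBSan flagged at CounterNode.cpp:152, beside an overflow-safe form.
#include <climits>
#include <cstdio>

// Hypothetical, simplified stand-in for blink::CounterNode. Real Blink also
// consults previous siblings; here a node's count is just parent value + increment.
struct CounterNode {
    const CounterNode* parent;  // nullptr for the root of a counter tree
    bool isReset;               // true for counter-reset, false for counter-increment
    int value;                  // the reset value, or the increment delta
};

// True when a + b cannot be represented in int. Decided without computing
// the sum, so the check itself is free of undefined behaviour.
bool addWouldOverflow(int a, int b) {
    if (b > 0) return a > INT_MAX - b;
    if (b < 0) return a < INT_MIN - b;
    return false;
}

// a + b clamped to [INT_MIN, INT_MAX] instead of wrapping. Assumed fix
// strategy; Chromium's actual fix is not shown on the bug page.
int saturatingAdd(int a, int b) {
    if (b > 0 && a > INT_MAX - b) return INT_MAX;
    if (b < 0 && a < INT_MIN - b) return INT_MIN;
    return a + b;
}

// The pattern from the report: `return m_parent->m_value + increment;`.
// Signed overflow here is undefined behaviour; only call it for in-range inputs.
int computeCountInParentUnchecked(const CounterNode& n) {
    int increment = n.isReset ? 0 : n.value;
    return n.parent ? n.parent->value + increment : increment;
}

// Hardened form: identical result for in-range inputs, saturates otherwise.
int computeCountInParentSaturating(const CounterNode& n) {
    int increment = n.isReset ? 0 : n.value;
    return n.parent ? saturatingAdd(n.parent->value, increment) : increment;
}

// Constructed input modelling the reported operands: the parent is reset to
// INT_MAX and the child increments by INT_MAX. Not the ClusterFuzz testcase.
const CounterNode kRoot  = {nullptr, true,  INT_MAX};
const CounterNode kChild = {&kRoot,  false, INT_MAX};

int main() {
    const CounterNode& n = kChild;
    int increment = n.isReset ? 0 : n.value;
    if (addWouldOverflow(n.parent->value, increment))
        std::printf("unchecked path would overflow: %d + %d\n", n.parent->value, increment);
    std::printf("saturating count: %d\n", computeCountInParentSaturating(n));
    return 0;
}
```

Saturation is the conservative choice for a layout counter: the value only drives generated text, so clamping changes at most what is rendered, whereas wrapping (or, under UBSan, a crash) is what the fuzzer observed. Whether a check or a clamp belongs at this exact line depends on how the real function walks siblings, which is elided above.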
Aug 15 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 5 2017
As per comment #3 ("Non-security int overflows are considered WontFix.") in issue 675464, closing this issue. Please feel free to re-open if that is not the case.
Thank you.
Jul 14 2017
ClusterFuzz testcase 6035924976926720 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Comment 1 by ranjitkan@chromium.org, Aug 5 2016
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: darin@chromium.org
Status: Assigned (was: Untriaged)