
Issue 635423


Issue metadata

Status: WontFix
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug




Crash in blink::LazyLineBreakIterator::LazyLineBreakIterator

Project Member Reported by ClusterFuzz, Aug 8 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6086581515714560

Fuzzer: bj_broddelwerk
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00000001
Crash State:
  blink::LazyLineBreakIterator::LazyLineBreakIterator
  blink::BreakingContext::handleText
  blink::LayoutBlockFlow::layoutInlineChildren
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_no_sandbox&range=410282:410283

Minimized Testcase (0.78 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95yzsyOLGu9f7FQWYbGWP0oIVMULQCVRLPi-wbV8dPaTlka7EdNeJgRFS8ZXz9g9SPcn81EgTqCRSvEkU0kDjSwSeTps3izTI2AowvDMIsZ3Perbd8o9QRSvOTXA2quR5dUg1mo8JYVEgbY5bkw_wEVKiERXQ?testcase_id=6086581515714560

Issue manually filed by: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, Aug 8 2016

Cc: ajha@chromium.org
Components: Tools>Test>FindIt>NoResult Blink>Layout
Labels: M-54 Te-Logged
Owner: tzik@chromium.org
Status: Assigned (was: Untriaged)
Findit result
===============
Suspected CLs: Findit failed to find any stack trace. Is it in a new format?

From the regression range in the detailed report: https://codereview.chromium.org/2212393003

tzik@: Could you please help investigate this further, or help find an appropriate owner for this?

Thank you! 


Comment 2 by tzik@chromium.org, Aug 9 2016

Cc: tzik@chromium.org
Labels: findit-wrong
Owner: cbiesin...@chromium.org
It's a null pointer access in layout code.

cbiesinger: Could you handle or reroute this?
Cc: kojii@chromium.org
Owner: e...@chromium.org

Comment 4 by kojii@chromium.org, Aug 10 2016

Didn't reproduce on Linux ASAN, building Win-ASAN.

Comment 5 by kojii@chromium.org, Aug 15 2016

This is hard to dig into:
* Reproduces only on Win-ASAN, not on Linux ASAN or on Win debug/release.
* Win-ASAN (clang) has no debug info, couldn't make printf/DLOG work either.
* Debugger stops at StringView.is8Bit(), but LazyLineBreakIterator doesn't use StringView.
* On Win Debug, break at nextBreakablePositionBreakAll but all variables are good.
Wondering how reliable win-asan is...

Comment 6 by e...@chromium.org, Aug 23 2016

Cc: jsc...@chromium.org
Status: WontFix (was: Assigned)
Given the analysis in comment 5, closing as infeasible.

Components: -Tools>Test>FindIt>NoResult

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
