Integer-overflow in blink::operator-
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6678886647857152
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::operator-
  blink::FrameView::contentsToFrame
  blink::FrameView::contentsToFrame
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (0.61 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94KR8fcwTAofYusNWRvMK0AU9BrqenwZEDwQjXv4wp0Y6j96ZLyH-oYJwCnKllVpOja_y-u1qW3QKE16FNRQ-2WFsmBm5dpUNS5o3OnNtmURgkTr-bo91Do0Bo1ZqQS_Gopl0ZxgXSesBiK7UPio0nWgZpAXg?testcase_id=6678886647857152
Additional requirements: Requires HTTP
Issue manually filed by: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 12 2016
Full stack traces from my local build below. Sounds both selection and compositing related, setting component accordingly.
../../third_party/WebKit/Source/platform/geometry/IntPoint.h:141:46: runtime error: signed integer overflow: -2147483648 - 90 cannot be represented in type 'int'
#0 0x4428bb9 in ?? ./out/ubsan/../../third_party/WebKit/Source/platform/geometry/IntPoint.h:141:46
#1 0x4e27ebf in contentsToFrame ./out/ubsan/../../third_party/WebKit/Source/core/frame/FrameView.cpp:3684:32
#2 0x4e27f18 in contentsToFrame ./out/ubsan/../../third_party/WebKit/Source/core/frame/FrameView.cpp:3689:20
#3 0x4e28330 in contentsToViewport ./out/ubsan/../../third_party/WebKit/Source/core/frame/FrameView.cpp:3752:27
#4 0x43f7bcf in selectionBounds ./out/ubsan/../../third_party/WebKit/Source/web/WebViewImpl.cpp:2647:34
#5 0x3e46bc2 in GetSelectionBounds ./out/ubsan/../../content/renderer/render_widget.cc:1728:15
#6 0x3e418be in UpdateSelectionBounds ./out/ubsan/../../content/renderer/render_widget.cc:1757:5
#7 0x3e41686 in WillBeginCompositorFrame ./out/ubsan/../../content/renderer/render_widget.cc:818:3
#8 0x2ddb0bd in BeginMainFrame ./out/ubsan/../../cc/trees/proxy_main.cc:192:21
#9 0x2defab0 in Invoke<const base::WeakPtr<cc::ProxyMain> &, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > ./out/ubsan/../../base/bind_internal.h:214:12
#10 0x2def9bf in RunImpl<void (cc::ProxyMain::*const &)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), const std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > > &, 0, 1> ./out/ubsan/../../base/bind_internal.h:346:12
#11 0x22e6bff in RunTask ./out/ubsan/../../base/debug/task_annotator.cc:54:21
#12 0x42e3aef in ProcessTaskFromWorkQueue ./out/ubsan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:315:19
#13 0x42e1da3 in DoWork ./out/ubsan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:218:13
#14 0x22e6bff in RunTask ./out/ubsan/../../base/debug/task_annotator.cc:54:21
#15 0x220ffbf in RunTask ./out/ubsan/../../base/message_loop/message_loop.cc:496:19
#16 0x221090d in DeferOrRunPendingTask ./out/ubsan/../../base/message_loop/message_loop.cc:505:5
#17 0x2211546 in DoWork ./out/ubsan/../../base/message_loop/message_loop.cc:629:13
#18 0x221b1f6 in Run ./out/ubsan/../../base/message_loop/message_pump_default.cc:35:31
#19 0x225052c in ?? ./out/ubsan/../../base/run_loop.cc:35:10
#20 0x3e57681 in RendererMain ./out/ubsan/../../content/renderer/renderer_main.cc:198:23
#21 0x17e6a90 in RunZygote ./out/ubsan/../../content/app/content_main_runner.cc:343:14
#22 0x17e8fbc in Run ./out/ubsan/../../content/app/content_main_runner.cc:785:12
#23 0x17de838 in ContentMain ./out/ubsan/../../content/app/content_main.cc:20:28
#24 0x441e69 in main ./out/ubsan/../../content/shell/app/shell_main.cc:48:10
#25 0x7f42ee2b3f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
#26 0x427390 in _start ??:?
../../third_party/WebKit/Source/platform/geometry/IntPoint.h:136:26: runtime error: signed integer overflow: 2147483647 - -2147483648 cannot be represented in type 'int'
#0 0x419aecb in ?? ./out/ubsan/../../third_party/WebKit/Source/platform/geometry/IntPoint.h:136:26
#1 0x419ac05 in enclosingIntRect ./out/ubsan/../../third_party/WebKit/Source/platform/geometry/FloatRect.cpp:217:39
#2 0x540e292 in updateRecursive ./out/ubsan/../../third_party/WebKit/Source/core/layout/compositing/CompositingInputsUpdater.cpp:134:53
#3 0x540eb22 in updateRecursive ./out/ubsan/../../third_party/WebKit/Source/core/layout/compositing/CompositingInputsUpdater.cpp:199:9
#4 0x540eb22 in updateRecursive ./out/ubsan/../../third_party/WebKit/Source/core/layout/compositing/CompositingInputsUpdater.cpp:199:9
#5 0x540dee6 in update ./out/ubsan/../../third_party/WebKit/Source/core/layout/compositing/CompositingInputsUpdater.cpp:30:5
#6 0x5271c28 in updateIfNeeded ./out/ubsan/../../third_party/WebKit/Source/core/layout/compositing/PaintLayerCompositor.cpp:378:46
#7 0x52716c6 in updateIfNeededRecursiveInternal ./out/ubsan/../../third_party/WebKit/Source/core/layout/compositing/PaintLayerCompositor.cpp:243:5
#8 0x52713a6 in updateIfNeededRecursive ./out/ubsan/../../third_party/WebKit/Source/core/layout/compositing/PaintLayerCompositor.cpp:205:5
#9 0x4e2081c in updateLifecyclePhasesInternal ./out/ubsan/../../third_party/WebKit/Source/core/frame/FrameView.cpp:2554:32
#10 0x500b118 in updateAllLifecyclePhases ./out/ubsan/../../third_party/WebKit/Source/core/page/PageAnimator.cpp:85:11
#11 0x43f0109 in updateAllLifecyclePhases ./out/ubsan/../../third_party/WebKit/Source/web/WebViewImpl.cpp:2017:5
#12 0x2ddb1d9 in BeginMainFrame ./out/ubsan/../../cc/trees/proxy_main.cc:203:21
#13 0x2defab0 in Invoke<const base::WeakPtr<cc::ProxyMain> &, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > ./out/ubsan/../../base/bind_internal.h:214:12
#14 0x2def9bf in RunImpl<void (cc::ProxyMain::*const &)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), const std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > > &, 0, 1> ./out/ubsan/../../base/bind_internal.h:346:12
#15 0x22e6bff in RunTask ./out/ubsan/../../base/debug/task_annotator.cc:54:21
#16 0x42e3aef in ProcessTaskFromWorkQueue ./out/ubsan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:315:19
#17 0x42e1da3 in DoWork ./out/ubsan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:218:13
#18 0x22e6bff in RunTask ./out/ubsan/../../base/debug/task_annotator.cc:54:21
#19 0x220ffbf in RunTask ./out/ubsan/../../base/message_loop/message_loop.cc:496:19
#20 0x221090d in DeferOrRunPendingTask ./out/ubsan/../../base/message_loop/message_loop.cc:505:5
#21 0x2211546 in DoWork ./out/ubsan/../../base/message_loop/message_loop.cc:629:13
#22 0x221b1f6 in Run ./out/ubsan/../../base/message_loop/message_pump_default.cc:35:31
#23 0x225052c in ?? ./out/ubsan/../../base/run_loop.cc:35:10
#24 0x3e57681 in RendererMain ./out/ubsan/../../content/renderer/renderer_main.cc:198:23
#25 0x17e6a90 in RunZygote ./out/ubsan/../../content/app/content_main_runner.cc:343:14
#26 0x17e8fbc in Run ./out/ubsan/../../content/app/content_main_runner.cc:785:12
#27 0x17de838 in ContentMain ./out/ubsan/../../content/app/content_main.cc:20:28
#28 0x441e69 in main ./out/ubsan/../../content/shell/app/shell_main.cc:48:10
#29 0x7f42ee2b3f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
#30 0x427390 in _start ??:?
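The two UBSan reports above both come from a plain `int` subtraction in an IntPoint-like type: the selection path computes -2147483648 - 90 and the compositing path computes 2147483647 - -2147483648, and neither result fits in 32 bits, so the operation is undefined behaviour. The following is an added example, not Blink's code, of the same operation written with saturating (clamped) and checked arithmetic, which is the mitigation pattern for this bug class; the type `IntPoint` and the helpers `ClampSub` and `CheckedSub` are assumed names for this illustration and are not taken from the Chromium tree.

```cpp
// Added example (not Blink's code): an IntPoint-like type whose subtraction
// is written so the operand pairs from the UBSan reports cannot overflow.
#include <climits>
#include <cstdint>
#include <iostream>

// Assumed minimal point type, standing in for blink::IntPoint.
struct IntPoint {
  int x;
  int y;
};

// Saturating subtraction: widen to 64 bits, then clamp the result into
// [INT_MIN, INT_MAX] instead of letting it wrap (which would be UB in int).
int ClampSub(int a, int b) {
  int64_t r = static_cast<int64_t>(a) - static_cast<int64_t>(b);
  if (r > INT_MAX) return INT_MAX;
  if (r < INT_MIN) return INT_MIN;
  return static_cast<int>(r);
}

// Checked subtraction: reports whether the true result is representable,
// for call sites that would rather reject the input than clamp it.
bool CheckedSub(int a, int b, int* out) {
  int64_t r = static_cast<int64_t>(a) - static_cast<int64_t>(b);
  if (r > INT_MAX || r < INT_MIN) return false;
  *out = static_cast<int>(r);
  return true;
}

// Point subtraction built on the clamped helper: the same shape as the
// blink::operator- in the stack trace, minus the undefined behaviour.
IntPoint operator-(const IntPoint& a, const IntPoint& b) {
  return {ClampSub(a.x, b.x), ClampSub(a.y, b.y)};
}

int main() {
  // Constructed inputs reproducing the two operand pairs UBSan reported.
  IntPoint selection = IntPoint{INT_MIN, 0} - IntPoint{90, 0};
  IntPoint compositing = IntPoint{INT_MAX, 0} - IntPoint{INT_MIN, 0};
  std::cout << "clamped: " << selection.x << " " << compositing.x << "\n";

  int out = 0;
  std::cout << "checked: " << (CheckedSub(INT_MIN, 90, &out) ? "ok" : "overflow")
            << "\n";
  return 0;
}
```

Under a UBSan build the naive `a.x - b.x` is what produces the "signed integer overflow" diagnostics above; with the widened-and-clamped form the same inputs yield INT_MIN and INT_MAX respectively and the sanitizer stays silent, which is the behaviour to check for when verifying a fix for this kind of report.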
Aug 15 2016
Either scale(-1, 18446744073709551590) or margin-top: 65287pt may cause integer overflow.
Aug 15 2016
Aug 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5925515603214336
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::operator-
  blink::FrameView::contentsToFrame
  blink::FrameView::contentsToFrame
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=410031:410187
Minimized Testcase (0.46 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95f00wU5DZT4Vdbg18BMwWOD5Y0H69RKmVkz_zqOHAz7R-ueKTqij8egPvTzqZf43XQOo6T2KrjnG4DKJSclzwXQXsgDZ9OAvW7_ByYI49T11h8TobYwVJV7UXIs1YCit2B7EpPS6CjDqoRjAVMvsakBeQclQ?testcase_id=5925515603214336
Additional requirements: Requires HTTP
Issue manually filed by: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 11 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 22 2016
ClusterFuzz testcase 5925515603214336 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ssamanoori@chromium.org, Aug 11 2016