
Issue 643074


Issue metadata

Status: Verified
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Undefined-shift in DiyFpStrtod

Project Member Reported by ClusterFuzz, Sep 1 2016

Issue description

Components: Tools>Test>FindIt>NoResult
Labels: findit-wrong Te-Logged
Owner: esprehn@chromium.org
Status: Assigned (was: Untriaged)
FindIt did not provide any possible suspect. Providing the results for internal purposes.
Suspected CLs: Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: commit-queue@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/663104998a680d18be9af4f2fc8c42975924daa4
Time: Fri Sep 02 22:09:34 2011
The CL last changed line 271 of file strtod.cc, which is stack frame 0.

Author: commit-queue@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/663104998a680d18be9af4f2fc8c42975924daa4
Time: Fri Sep 02 22:09:34 2011
The CL last changed line 437 of file strtod.cc, which is stack frame 1.

Author: commit-queue@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/663104998a680d18be9af4f2fc8c42975924daa4
Time: Fri Sep 02 22:09:34 2011
The CL last changed line 596 of file double-conversion.cc, which is stack frame 2.

Author: darin@apple.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/f5f3eda2db7e790c6307747cabbe2552c533fa59
Time: Fri Apr 06 17:31:54 2012
The CL last changed line 48 of file dtoa.h, which is stack frame 3.

Author: darin@apple.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/f5f3eda2db7e790c6307747cabbe2552c533fa59
Time: Fri Apr 06 17:31:54 2012
The CL last changed line 59 of file dtoa.h, which is stack frame 4.

Author: esprehn
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/7dc7c0fc073b84f3050726b52ceec1bbcb304ba3
Time: Fri Jun 10 04:35:59 2016
The CL last changed line 217 of file StringToNumber.cpp, which is stack frame 5.

Author: esprehn
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/7dc7c0fc073b84f3050726b52ceec1bbcb304ba3
Time: Fri Jun 10 04:35:59 2016
The CL last changed line 239 of file StringToNumber.cpp, which is stack frame 6.

Suspected Project: chromium

Unable to find the suspect from CL provided by the regressed range.

Using Code Search for the file "StringToNumber.cpp" assigning to the concern owner.
Suspecting Commit# 7dc7c0fc073b84f3050726b52ceec1bbcb304ba3
Suspecting Review URL# https://codereview.chromium.org/2058613002

@esprehn -- Could you please look into the issue; pardon me if it has nothing to do with your changes, and if possible please assign it to the concerned owner.
Thank you.
Cc: esprehn@chromium.org
Components: Blink>CSS
Owner: timloh@chromium.org
crazy stylesheet:

body {background:#fff;color:#33̀‰ondi*v { bo())))))))))))))defer))))))))))))9))))))))))3;border-*top:1)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))7777770derlin;7}77e77))))))))) 
)))der-l

Not sure what part of this is causing the undefined shift, but I'm also confused where the large number is. What are the tokens that cause this?
Comment 3 by ClusterFuzz (Project Member), Oct 6 2016

ClusterFuzz has detected this issue as fixed in range 423338:423416.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5678114141372416

Fuzzer: libfuzzer_stylesheet_contents_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  DiyFpStrtod
  parseDouble
  parseDouble
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=415619:415673
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=423338:423416

Minimized Testcase (0.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96_oKN0YXbQXEwNu6gCml4gLozJ6qwHAivB8Pu7OD_6gBTjmaH2DwBSyJanhkBVw7k5RXnPyCUDV5OzINilTCmVJP-JBgOuVDW_tMVwSqvgT5AxQXqvoEg6BkrEUAnVr-RHbpjUCmwml_O5g85R-2OOfsMYJQ?testcase_id=5678114141372416

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 4 by ClusterFuzz (Project Member), Oct 6 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Components: -Tools>Test>FindIt>NoResult
Comment 6 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
