New issue
Advanced search Search tips

Issue 656539 link

Starred by 2 users
Status: WontFix
Owner:
haraken@chromium.org
Closed: Oct 2016
Cc:
ajha@chromium.org
thakis@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

count <= kGenericMaxDirectMapped / sizeof(T) in PartitionAllocator.h

Project Member Reported by ClusterFuzz, Oct 17 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5643797042298880

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_gpu
Platform Id: linux

Crash Type: Security CHECK failure
Crash Address: 
Crash State:
  count <= kGenericMaxDirectMapped / sizeof(T) in PartitionAllocator.h
  blink::BlobData::appendBytes
  blink::Blob::populateBlobData
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_gpu&range=414680:414692

Minimized Testcase (0.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ckCWK6EPpFwI3zbbktmkLvNdtsPzxJdfvUtrA0HKMumE92KIdksZ7ga9kCcPdt6DunHg-tkZCtDlNDBDRelArHgQ8ksEYyNhlYAJP81CFAoKwILpbCmatsYoSZOYLgPGR1-Mmh8niJ4esAdYRfzbnVIRemw?testcase_id=5643797042298880

Issue manually filed by: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ajha@chromium.org, Oct 17 2016

Cc: thakis@chromium.org ajha@chromium.org
Components: Blink>MemoryAllocator Tools>Test>FindIt>NoResult
Labels: M-56 Te-Logged
Owner: haraken@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs	Findit failed to find any stack trace. Is it in a new format?
=============================================================================

Unable to find the exact suspect hence based on code search on 'PartitionAllocator.h', assigning to  listed as one of the owners here: chromium//src/third_party/WebKit/Source/wtf/OWNERS

Comment 2 by haraken@chromium.org, Oct 17 2016

Status: WontFix (was: Assigned)
This is OOM.

Comment 3 by kateso...@chromium.org, Oct 18 2016

Components: -Tools>Test>FindIt>NoResult
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by ClusterFuzz, Mar 31 2017 

ClusterFuzz has detected this issue as fixed in range 460757:461046.

Detailed report: https://clusterfuzz.com/testcase?key=5643797042298880

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_gpu
Platform Id: linux

Crash Type: Security CHECK failure
Crash Address: 
Crash State:
  count <= kGenericMaxDirectMapped / sizeof(T) in PartitionAllocator.h
  blink::BlobData::appendBytes
  blink::Blob::populateBlobData
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_gpu&range=414680:414692
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_gpu&range=460757:461046

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95wRkVWL66mdgpy2vPqIcwWkg76eGKvU4ZZ8bDR9oCo0_LJqpRcgkcjWm4PNrbGTCxEW4bneVbXRyI82nhAMEU29P5lRSkjKRKoU1DAU_BzO4G4VnfRmMABYAORFZ6qbqHsi9CQOo8sc3p8DyOFDLm-g6yvUczPUy4W9qhbY2hLKcHEptX3tBv0tlMKpGt_For_onGvnDrVhqRqNPgoFGYKnUd-vHJEn-ZcQ7E5lTsOTFRFddj2UGvVPdXx0QIE48RjAA6_QY6W2eb3rlofBfFLkz7cV6rRJbI3YqZpaMA-IKGepg6TnLqeG3p9TV0ak1vMEbnprnvWtG9K9OliTwzocGUzdTIjgtuWqprta67HCrbkSnEdbFzwWCWA7ryAqeC0f9PachWxojGfavZHEXUpvoTaUw?testcase_id=5643797042298880


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment