Stack-overflow in blink::StyleResolver::styleSharingList
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6422423965794304

Fuzzer: attekett_dom_fuzzer
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Stack-overflow
Crash Address: 0x7fff590a1ff8
Crash State:
  blink::StyleResolver::styleSharingList
  blink::StyleResolver::addToStyleSharingList
  blink::SharedStyleFinder::findElementForStyleSharing

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=428618:428619

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96KCFtkNWVUZllrz7WyROdbeUY_W3RhX-18N_NrPmR1C9sq4FNtaMZ_KtxbQ3Qwf8xlDnxzIzipLaoz-o-pzXLxGYxrFcaI-AzAd1i0rYZXIXPqcpgvF22IWWpRc-OUnKph_Ai7OTM2LrSdOL3wx_8TSy67NA?testcase_id=6422423965794304

<body>
<script>
{ }
depth = 100000;
var lastParent = document.body
for (var x = 0; x < depth; x++) {
  var div = document.createElement("div");
  lastParent.appendChild(div);
  lastParent = div;
}
</script>

Issue manually filed by: alancutter

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
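Added illustration of the bug class behind the minimized testcase (this is not Blink code and is not taken from the report): a plain-object stand-in for the nested-div chain, walked once with a recursion that costs one frame per ancestor and once with a loop. The report only shows the crash state and the trigger; that the crash path recursed in proportion to nesting depth is an assumption made here for illustration. Runs under Node, no browser needed:

```javascript
// Added illustration (not Blink code): why a walk that recurses once per
// ancestor overflows the stack on the nested-div testcase while an
// iterative walk does not. The resolver's real control flow is not on the
// page; depth-proportional recursion is an assumption about the bug class.

// Build a chain the way the testcase does: body -> div -> div -> ...
// Plain objects stand in for DOM nodes so this runs without a DOM.
function buildChain(depth) {
  const body = { tag: "body", parentNode: null, firstChild: null };
  let lastParent = body;
  for (let x = 0; x < depth; x++) {
    const div = { tag: "div", parentNode: lastParent, firstChild: null };
    lastParent.firstChild = div;
    lastParent = div;
  }
  return lastParent; // the innermost element, as the fuzzer would style it
}

// Recursive: one stack frame per ancestor, so stack use scales with nesting.
function ancestorCountRecursive(el) {
  return el.parentNode === null ? 0 : 1 + ancestorCountRecursive(el.parentNode);
}

// Iterative: constant stack use regardless of nesting depth.
function ancestorCountIterative(el) {
  let n = 0;
  for (let cur = el.parentNode; cur !== null; cur = cur.parentNode) n++;
  return n;
}

// Run the recursive walk and report whether it hit the engine's stack limit.
// JS gives a catchable RangeError; native code has no such net, which is why
// ASan reports the Blink case as a Stack-overflow crash.
function tryRecursive(el) {
  try {
    return { ok: true, count: ancestorCountRecursive(el) };
  } catch (e) {
    if (e instanceof RangeError) return { ok: false, count: null };
    throw e;
  }
}

const shallow = buildChain(100);
const deep = buildChain(100000); // same depth as the ClusterFuzz testcase

console.log("shallow recursive:", tryRecursive(shallow));
console.log("deep recursive:", tryRecursive(deep));
console.log("deep iterative:", ancestorCountIterative(deep));
```

The recursive walk succeeds at depth 100 and fails at the testcase's depth of 100000, while the loop returns 100000 either way; any per-ancestor recursion in a style pass is reachable by a page that nests elements this deep.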
Nov 23 2016
This report suggests it is a regression but is only giving a single patch, which seems completely unrelated, in the regression range. So I'll leave it as Type=Bug.
Nov 23 2016
Nov 24 2016
ClusterFuzz has detected this issue as fixed in range 434178:434216.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6422423965794304

Fuzzer: attekett_dom_fuzzer
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Stack-overflow
Crash Address: 0x7fff590a1ff8
Crash State:
  blink::StyleResolver::styleSharingList
  blink::StyleResolver::addToStyleSharingList
  blink::SharedStyleFinder::findElementForStyleSharing

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=428618:428619
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=434178:434216

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96KCFtkNWVUZllrz7WyROdbeUY_W3RhX-18N_NrPmR1C9sq4FNtaMZ_KtxbQ3Qwf8xlDnxzIzipLaoz-o-pzXLxGYxrFcaI-AzAd1i0rYZXIXPqcpgvF22IWWpRc-OUnKph_Ai7OTM2LrSdOL3wx_8TSy67NA?testcase_id=6422423965794304

<body>
<script>
{ }
depth = 100000;
var lastParent = document.body
for (var x = 0; x < depth; x++) {
  var div = document.createElement("div");
  lastParent.appendChild(div);
  lastParent = div;
}
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 24 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 8 2016
Comment 1 by alancutter@chromium.org, Nov 23 2016
Labels: -Pri-1 Pri-2