New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 675360 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Float-cast-overflow in blink::ScrollbarTheme::thumbPosition

Project Member Reported by ClusterFuzz, Dec 17 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5631415787192320

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::ScrollbarTheme::thumbPosition
  thumbPosition
  blink::Scrollbar::offsetDidChange
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (3.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94hiVBhD8rCOS2G_V5axNXRxYSOhSG8NCt4NoTTuAtFLOV-Q6pA6dgKuuYhyR5npvFxaEelaHCWUnN-Uvrg25fE3vQGRroNNd-mKYvJmYCG648WGocuUTHx55vTf6onU_9vNWkUW0QT-Kgq3BpimAX-vLleXA?testcase_id=5631415787192320

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by tkent@chromium.org, Dec 18 2016

Components: Blink>Scroll
Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs
Owner: lukasza@chromium.org
Status: Assigned (was: Untriaged)
Using Find it results, assigning the issue to concern owner.
The result is a list of CLs that change the crashed files. 

Author: lukasza
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/3d4638361677cd371c0cea2030499a00c5e8ad13
Time: Fri Dec 02 16:53:36 2016
Lines 280-281 of file ScrollableArea.cpp which potentially caused crash are changed in this cl (frame #3, "blink::ScrollableArea::scrollOffsetChanged"). 

Files LayoutBlockFlow.cpp, PaintLayerScrollableArea.cpp, Scrollbar.cpp are changed in this cl (and is part of stack frame #6, "blink::LayoutBlockFlow::layoutBlock")
Minimum distance from crash line to modified line: 0. (file: ScrollableArea.cpp, crashed on: 280, modified: 280).

@lukasza -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Owner: wangxianzhu@chromium.org
wangxianzhu@, could you please take a look?  I see that you've made some fixes in this area in https://crrev.com/1202583003.  FWIW, r435956 (mentioned in #c2) was just a mechanical rename and it shouldn't have affected the product code behavior.  
Cc: skobes@chromium.org
+skobes@ to CC (because I see that you've also made some fixes in this area in https://crrev.com/1601303003).
Status: WontFix (was: Assigned)
It has no actual impact. Will ignore all float-cast-overflow bugs.
Project Member

Comment 6 by ClusterFuzz, Dec 22 2016

ClusterFuzz has detected this issue as fixed in range 440242:440280.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5631415787192320

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::ScrollbarTheme::thumbPosition
  thumbPosition
  blink::Scrollbar::offsetDidChange
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=440242:440280

Minimized Testcase (3.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94hiVBhD8rCOS2G_V5axNXRxYSOhSG8NCt4NoTTuAtFLOV-Q6pA6dgKuuYhyR5npvFxaEelaHCWUnN-Uvrg25fE3vQGRroNNd-mKYvJmYCG648WGocuUTHx55vTf6onU_9vNWkUW0QT-Kgq3BpimAX-vLleXA?testcase_id=5631415787192320

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment