false in HTMLTreeBuilder.cpp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5976740532060160

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false in HTMLTreeBuilder.cpp
  blink::HTMLTreeBuilder::processStartTag
  blink::HTMLTreeBuilder::processToken

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393

Minimized Testcase (0.03 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97BtSMKWew7rigv2albQQaGN2HkYUC2FUYWAx6Q-VyhWeasNaXtW-2A3vmwWICQ5Vux0HdCG_jp0YSvPZH31j_O2PD1M1tlpZC_haa9a4QHwsmXzHdNeRxNf1Q8O3soQHkelA35Qa9NDwEvNvWn-TS0iFtqMGvmwa0-0cQS_n37wKMgY8XDxqwBWkX_flGUzORZ9GZCJBa8Ij27cRWd8U9HP5b-0xGRyjM5xhGt-bno6RfnvvK8khq_KtG2BGS9wn82kUnMv9XNumWhuP2SCZls9M3VWdSXa_GPWSeLG_WCraTp-MLmMgmG4rVSFmvicKIeo5_1kC3tsvo2IvP3uFYBIPwwD5er0O8fmbiJc1NfaMgUe2Q?testcase_id=5976740532060160

<svg>
<desc>
<style>
<feTurbulence>

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 19 2017
It's hitting the ASSERT_NOT_REACHED() in the TextMode case.
Jan 19 2017
It happens before 4cdc1820.
Jan 19 2017
Reassigning to kouhei (from core/html/parser/OWNERS) because this issue still reproduces before my patch. It looks like <style> is putting the parser in text mode (because it's expecting a stylesheet), but is still getting the <feTurbulence> start tag processed.
Jul 1 2017
ClusterFuzz testcase 5976740532060160 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mummare...@chromium.org, Jan 17 2017
Labels: Test-Predator-Wrong M-57
Owner: jbroman@chromium.org
Status: Assigned (was: Untriaged)