isStatic() || m_verifier.onRef(m_refCount). foo in StringImpl.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4574778917912576
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  isStatic() || m_verifier.onRef(m_refCount). foo in StringImpl.h
  blink::QualifiedName::toString
  blink::Element::nodeName
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=444017:444038
Minimized Testcase (0.40 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97w3SkAYSVz35icgqggdEX3WPvFxTAQX3IZXo2qD-SuaMf_Xsm5_XXzmPxfXeKhzihe9r_QEaNizkf2j26eWx0rp9UufaqpVOnCPXEQMLpoX6avbq6LvL7x6is_cBj-oOvrpNZ9kNI4fINQHs66VCD2-oMDrUFWPm0oSsHbQgMeDmqIfko6isqT3TOvRGEyAku345wmLvgr1_uwL16rr3An706fbvEkqWXdiYQJBbRAGQ8WtnZ20okJXJT1OlH8gLmBNBDEeNgZw9ocFt1i1MzDEwEURa2k0Z5M1q1749W7UqW-KS_bN00gA0xUjyCMrGRKs_XDj9T1-exo53v3TEUlNCLFho6lfssAb1wdoqJzazQAJZQ?testcase_id=4574778917912576

Minimized testcase (fuzzer-generated, intentionally malformed markup):

<body style="shape-rendering: optimizeQuality; backface-visibility: hidden; "</style><style> .c14 { list-style-type: ethiopic-halehame-ti-er;234); position: absolute;</style><script> var docElement = document.body ? document.body : document.documentElement; tCF53 = document.createElementNS("http://www.w3.org/1998/Math/MathML", "foo"); tCF53.setAttribute("class", "c14"); docElement.appendChild(tCF53); </script>

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 18 2017
This is blocked on issue 545926 unless we do some special hack like we did in Node::debugName (appendUnsafe). cc'ing owner of that issue (dominicc), and esprehn.
Jan 19 2017
csharrison, thank you for the FYI. Feel free to poach Issue 545926 if I'm in the way!
Jan 20 2017
Going to merge this into issue 545926, and mark that one as available.
May 5 2017
ClusterFuzz has detected this issue as fixed in range 469308:469332.

Detailed report: https://clusterfuzz.com/testcase?key=4574778917912576
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  isStatic() || m_verifier.onRef(m_refCount). foo in StringImpl.h
  blink::QualifiedName::toString
  blink::Element::nodeName
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=444017:444038
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=469308:469332
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4574778917912576

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 5 2017
Redoing the job. This report confuses me. For PushPropertiesTo to TakeDebugInfo in a debug build, we need to be tracing layer tree snapshots. Do clusterfuzz runs ever have tracing enabled? cc Ned who is in the fixed range, but I don't think clusterfuzz uses any sort of perf test runner.
May 5 2017
Yeah, I don't think my commit is related at all. It doesn't touch the chromium binary.
May 5 2017
Yeah, it was mostly a shot in the dark, just thinking of some way this test could stop tracing layer tree snapshots.
May 6 2017
ClusterFuzz has detected this issue as fixed in range 469308:469332.

Detailed report: https://clusterfuzz.com/testcase?key=4574778917912576
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  IsStatic() || verifier_.OnRef(ref_count_). foo in StringImpl.h
  blink::QualifiedName::ToString
  blink::Element::nodeName
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=444017:444038
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=469308:469332
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4574778917912576

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by msrchandra@chromium.org, Jan 18 2017
Labels: Test-Predator-Wrong
Owner: csharrison@chromium.org
Status: Assigned (was: Untriaged)