
Issue 682089 link

Starred by 2 users

Issue metadata

Status: Duplicate
Owner:
Closed: Jan 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocked on:
issue 545926




isStatic() || m_verifier.onRef(m_refCount). foo in StringImpl.h

Project Member Reported by ClusterFuzz, Jan 18 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4574778917912576

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  isStatic() || m_verifier.onRef(m_refCount). foo in StringImpl.h
  blink::QualifiedName::toString
  blink::Element::nodeName
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=444017:444038

Minimized Testcase (0.40 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97w3SkAYSVz35icgqggdEX3WPvFxTAQX3IZXo2qD-SuaMf_Xsm5_XXzmPxfXeKhzihe9r_QEaNizkf2j26eWx0rp9UufaqpVOnCPXEQMLpoX6avbq6LvL7x6is_cBj-oOvrpNZ9kNI4fINQHs66VCD2-oMDrUFWPm0oSsHbQgMeDmqIfko6isqT3TOvRGEyAku345wmLvgr1_uwL16rr3An706fbvEkqWXdiYQJBbRAGQ8WtnZ20okJXJT1OlH8gLmBNBDEeNgZw9ocFt1i1MzDEwEURa2k0Z5M1q1749W7UqW-KS_bN00gA0xUjyCMrGRKs_XDj9T1-exo53v3TEUlNCLFho6lfssAb1wdoqJzazQAJZQ?testcase_id=4574778917912576
<body style="shape-rendering: optimizeQuality; backface-visibility: hidden; "</style><style>
.c14 { list-style-type: ethiopic-halehame-ti-er;234); position: absolute;</style><script>
var docElement = document.body ? document.body : document.documentElement;
tCF53 = document.createElementNS("http://www.w3.org/1998/Math/MathML", "foo");
tCF53.setAttribute("class", "c14");
docElement.appendChild(tCF53);
</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong
Owner: csharrison@chromium.org
Status: Assigned (was: Untriaged)
Find it and CL did not provide any possible suspects.
Using Code Search for the file "StringImpl.h", assigning to the concerned owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/67786570f5237e940df0356546f36ad230f5cd45

@csharrison -- Could you please look into the issue; kindly re-assign if this is not related to your changes.
Thank You.
Blockedon: 545926
Cc: esprehn@chromium.org dominicc@chromium.org
This is blocked on issue 545926 unless we do some special hack like we did in Node::debugName (appendUnsafe).

ccing owner of that issue (dominicc), and esprehn.
csharrison, thank you for the FYI. Feel free to poach Issue 545926 if I'm in the way!
Mergedinto: 545926
Status: Duplicate (was: Assigned)
Going to merge this into issue 545926, and mark that one as available.
Comment 5 by ClusterFuzz (Project Member), May 5 2017

ClusterFuzz has detected this issue as fixed in range 469308:469332.

Detailed report: https://clusterfuzz.com/testcase?key=4574778917912576

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  isStatic() || m_verifier.onRef(m_refCount). foo in StringImpl.h
  blink::QualifiedName::toString
  blink::Element::nodeName
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=444017:444038
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=469308:469332

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4574778917912576


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: nednguyen@chromium.org
Redoing the job. This report confuses me. For PushPropertiesTo to TakeDebugInfo in a debug build, we need to be tracing layer tree snapshots.

Do clusterfuzz runs ever have tracing enabled?

cc Ned who is in the fixed range, but I don't think clusterfuzz uses any sort of perf test runner.
Cc: -nednguyen@chromium.org
Yeah, I don't think my commit is related at all. It doesn't touch chromium binary.
Yeah, it was mostly a shot in the dark, just thinking of some way this test could stop tracing layer tree snapshots.
Comment 9 by ClusterFuzz (Project Member), May 6 2017

ClusterFuzz has detected this issue as fixed in range 469308:469332.

Detailed report: https://clusterfuzz.com/testcase?key=4574778917912576

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IsStatic() || verifier_.OnRef(ref_count_). foo in StringImpl.h
  blink::QualifiedName::ToString
  blink::Element::nodeName
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=444017:444038
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=469308:469332

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4574778917912576


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
