New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 688703 link

Starred by 2 users
Status: Verified
Owner:
dmu...@chromium.org
Closed: Mar 2017
Cc:
jochen@chromium.org
nyerramilli@chromium.org
sigbjo...@opera.com
jsb...@chromium.org
dmu...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug-Regression



Sign in to add a comment

count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h

Project Member Reported by ClusterFuzz, Feb 4 2017

Comment 1 by nyerramilli@chromium.org, Feb 6 2017

Cc: nyerramilli@chromium.org jochen@chromium.org
Labels: -Type-Bug Test-Predator-Wrong-CLs M-58 Type-Bug-Regression
Owner: esprehn@chromium.org
Status: Assigned (was: Untriaged)
Findit cannot find any culprit results.

assigning to /src/third_party/WebKit/Source/wtf/OWNERS, requesting to check the issue and help.

Comment 2 by esprehn@chromium.org, Feb 14 2017

Cc: jsb...@chromium.org dmu...@chromium.org
Components: Blink>Storage
Owner: ----
Status: Untriaged (was: Assigned)
This looks like a bug in blobs where it's asking us to make a Vector that's too big?

Comment 3 by jsb...@chromium.org, Feb 14 2017

Owner: dmu...@chromium.org
Status: Assigned (was: Untriaged)
dmurph@ - can you look?

Comment 4 by dmu...@chromium.org, Feb 14 2017 

It looks like that test tries to make a 2 gigabyte file object?

shouldBe("new File([new Int16Array(2147483476)], 'world.html').size");

What are we expecting here?

Comment 5 by sigbjo...@opera.com, Feb 17 2017 

 Issue 656539  for the same, but then with a RELEASE_ASSERT().

Comment 6 by jsb...@chromium.org, Feb 21 2017 

It looks like we will throw (rather than OOM/crash) some operations (e.g. TypedArray ctors) if there's insufficient memory. If there's a point during the Blob/File lifecycle where that makes sense we could do something similar.

E.g. when we try and make a copy of the bytes during the construction we could check available memory first and throw.

This would be unspec'd behavior, but we know where the spec editor is so we could propose it.

Comment 7 by sigbjo...@opera.com, Feb 22 2017

Cc: sigbjo...@opera.com
 Issue 694745  has been merged into this issue.
Project Member

Comment 8 by ClusterFuzz, Mar 16 2017

Labels: OS-Linux
Project Member

Comment 9 by ClusterFuzz, Mar 31 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5826146647408640 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by ClusterFuzz, May 12 2017 

ClusterFuzz has detected this issue as fixed in range 471041:471079.

Detailed report: https://clusterfuzz.com/testcase?key=5590039158587392

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: CHECK failure
Crash Address: 
Crash State:
  count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h
  void WTF::Vector<char, 0ul, WTF::PartitionAllocator>::append<char>
  blink::BlobData::appendBytes
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=447465:447478
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=471041:471079

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5590039158587392


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment