Issue 691276 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 692889
Owner:	█ sigbjo...@opera.com Email to this user bounced
Closed:	Feb 2017
Cc:	█ msrchandra@chromium.org
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Reproducible Clusterfuzz M-57 Test-Predator-Wrong

count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h

Project Member Reported by ClusterFuzz, Feb 11 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4901817625608192

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h
  blink::Node::textContent
  blink::InspectorStyleSheet::inlineStyleSheetText
  
Sanitizer: cfi (CFI)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=443341:443411

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94YeNz4nUBqlVf5UuCSsQDnwymBLmkWl6d5X9h3v8IaMIuoXoWbIYSbu34c2QymjVY_EbbTewdW2IX1yhnKZqR5wy0oeziv6UH89aYTuc0IYnt-AimzmCDiCAlNyzXYtYE_PER6fkQ6TieZvv9Od24bmwM49v4F548ACR039MJ6us6N29qohQjMmv0NblB8FF4oXMOZkYZXhBv0qnPLMQhbujYodMP_hkxQLalLnQifnSXN3PuN0HRXzbfFpkbpCrBLUyZgyr7wG0xKWdR6yNXCKeRaOM18gu72MjYS-8AFwnIFoy4Kr39P3S4o7QyXjFzv03Lfz4RjkxVytLURIk2t2LV5HTcuFBOfxJoiPAk8zuwKK0EkhQm2w3dvXOaJwvybsXRaPSXbRtI9NtNAFXywyY4MRA?testcase_id=4901817625608192


Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, Feb 13 2017

Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong M-57
Owner: sigbjo...@opera.com
Status: Assigned (was: Untriaged)

Predator and CL did not find any possible suspects.
Using Code Search for the file, "PartitionAllocator.h" assigning to the concern owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/4da5a6bc55b8e3909b98f3e0f23d7c5d0cb9ecb8

@sigbjornf -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by sigbjo...@opera.com, Feb 17 2017

Mergedinto: 692889
Status: Duplicate (was: Assigned)

Project Member

Comment 3 by ClusterFuzz, Mar 25 2017

ClusterFuzz has detected this issue as fixed in range 459433:459517.

Detailed report: https://clusterfuzz.com/testcase?key=4901817625608192

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h
  blink::Node::textContent
  blink::InspectorStyleSheet::inlineStyleSheetText
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=443341:443411
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=459433:459517

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95mhmJBPDfGa5G_9GQ74vgSzAGh8tV-v8dBK689F6fkyIuEC8jMxzHX68fYlsOlaXVvWSeqL9QPfgRV09lT7fpCXMz-HnmHE5s5MLlv0vHgiEGDC3Ky6S8A8wJr8Sl-LRtebkcZvK6N0wu0Ko72PluTWH5t-O5ZjggrIAul6eWIfR9fbxdKhbyPNicz3ru1-l64iH827PNkBP-tnecO4Sljd1l1wZ0cpse-9lfpZyBM9QIV0VrPCrynGge1Ww9lNXN3SdQrVVXXTfweIUb5fYm9AdtX-VDKKqdQZyYOMTII3r4UJ6EiWs-e3KLT5yKntGi-_TDR2qXxsWDeN8_FgkadtqATwrx8LsQyZdtqvn5Qe3ZECee42plFXdwFjs1PLZ4s9C3bhu2qU5nE8APM5U1lqdBU7w?testcase_id=4901817625608192


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

►

Issue 691276 link

Issue metadata

count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h

Issue description

Comment 1 by msrchandra@chromium.org, Feb 13 2017

Comment 1 Deleted

Comment 2 by sigbjo...@opera.com, Feb 17 2017

Comment 2 Deleted

Comment 3 by ClusterFuzz, Mar 25 2017

Comment 3 Deleted

Sign in to add a comment