count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6123230877450240
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h
  blink::PaintLayer::collectFragments
  blink::PaintLayer::hitTestTransformedLayerInFragments
Sanitizer: undefined (UBSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=443258:443393
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94lIekllfR7SMED__AuQ6uj0u6gGIZpGtKzha4QLF3bm-LclKsHCVYADplRIZTf8XRc4wJAcf7XZDSFPpVzmS3OCE9jAOqfOpO0pQpVXVaM7_61iPRnRj4fkb-gPTBUlogsfMUV_nXY-uo-GnVREDQDTqgb10CyVYca4GN4htMZhxK6-H_XINIjKO0Sa9XXbmEzbblx7MzEvBtGuE4SfijSEyyXwJisyT6Wpo_jyUsOWW396SqL5KyNzzzFESMzA0LHXLh5CLJzFvc2B3fmOEoErO5nooEMchHkJvGyyaiiJ1_22ikpSWPsJWycFPlPtOUUTJaWEeTSp2sEFhhNJJIePVoqQgbshSJ7RE0L4FKPtrfaA0w?testcase_id=6123230877450240

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Feb 27 2017
Tentatively adding "Paint" as component. (The CL referred to in #1 ought to be passed over when picking out suspected CLs, it merely changed the nature of that release assert. And it is "leaf" allocation code, so it triggers in numerous contexts.)
Feb 27 2017

Feb 28 2017

Apr 20 2017
ClusterFuzz has detected this issue as fixed in range 465517:465539.

Detailed report: https://clusterfuzz.com/testcase?key=6123230877450240
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h
  blink::PaintLayer::collectFragments
  blink::PaintLayer::hitTestTransformedLayerInFragments
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=443258:443393
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=465517:465539
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97zUQ454f2ME5M9e_y5MW81e-G_C0wIgI1T5nt6aIxhUSUCzrikOK2FHj1Tk8bZnV5vCD9CHVfgELzhlcDjZ0CLEUr6_GNyOVjMx8zkyBfRHLfE0569JFEUCyfy0aG1tadUTHqtVmlTsSrytzCdEEisKdIbW7pYiPBPkcNp4HV0OapQ9fxGfs_sNBYHQR2vBucCrJMComHNafeZhokZNJO7ARNjBSsa3dBFC5YKpkXWr-4mKRijG3qy2XVqYY0pyf7gT-lTCvj0GNWA7oo7F0OtFgPoJ2qSN32xhCgPYeyuBeF6zyDaSVixJRO-ya8AioKUzG0kUl_xoRQCiheCug3kfxUD0az2sR5uSG7wB_YLhpCbmkiFAkZexJ1xt-MgzyKAs-0ohxNVitqNJQXArekjqAOuGQ?testcase_id=6123230877450240

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 20 2017
ClusterFuzz testcase 6123230877450240 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Feb 27 2017
Labels: Test-Predator-Wrong M-57
Owner: sigbjo...@opera.com
Status: Assigned (was: Untriaged)