Issue 696221

Issue metadata

Status: Verified
Owner: ----
Closed: Apr 2017
Cc:
Components:
EstimatedDays: 3
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h

Project Member Reported by ClusterFuzz, Feb 25 2017

Issue description

Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong M-57
Owner: sigbjo...@opera.com
Status: Assigned (was: Untriaged)
Predator and CL did not find any possible suspects.
Using Code Search for the file "PartitionAllocator.h", assigning to the concerned owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/4da5a6bc55b8e3909b98f3e0f23d7c5d0cb9ecb8

@sigbjornf -- Could you please look into the issue, and kindly re-assign if it is not related to your changes.
Thank You.

Comment 2 by sigbjo...@opera.com, Feb 27 2017

Components: Blink>Paint
Tentatively adding "Paint" as component.

(The CL referred to in #1 ought to be passed over when picking out suspected CLs, it merely changed the nature of that release assert. And it is "leaf" allocation code, so it triggers in numerous contexts.)
Cc: sigbjo...@opera.com
Components: -Blink>Paint Blink>HitTesting
Labels: ComponentLabelSource-Chromium
Owner: ----
Status: Available (was: Assigned)
EstimatedDays: 3
Labels: -ComponentLabelSource-Chromium BugSource-Bot PaintTeamTriaged-20170227 PaintTeamRetriaged
Project Member Comment 5 by ClusterFuzz, Apr 20 2017

ClusterFuzz has detected this issue as fixed in range 465517:465539.

Detailed report: https://clusterfuzz.com/testcase?key=6123230877450240

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h
  blink::PaintLayer::collectFragments
  blink::PaintLayer::hitTestTransformedLayerInFragments
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=443258:443393
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=465517:465539

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97zUQ454f2ME5M9e_y5MW81e-G_C0wIgI1T5nt6aIxhUSUCzrikOK2FHj1Tk8bZtn5vCD9CHVfgELzhlcDjZ0CLEUr6_GNyOVjMx8zkyBfRHLfE0569JFEUCyfy0aG1tadUTHqtVmlTsSrytzCdEEisKdIbW7pYiPBPkcNp4HV0OapQ9fxGfs_sNBYHQR2vBucCrJMComHNafeZhokZNJO7ARNjBSsa3dBFC5YKpkXWr-4mKRijG3qy2XVqYY0pyf7gT-lTCvj0GNWA7oo7F0OtFgPoJ2qSN32xhCgPYeyuBeF6zyDaSVixJRO-ya8AioKUzG0kUl_xoRQCiheCug3kfxUD0az2sR5uSG7wB_YLhpCbmkiFAkZexJ1xt-MgzyKAs-0ohxNVitqNJQXArekjqAOuGQ?testcase_id=6123230877450240


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 6 by ClusterFuzz, Apr 20 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 6123230877450240 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.