count <= maxElementCountInBackingStore<T>() in HeapAllocator.h
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4732247593975808

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  count <= maxElementCountInBackingStore<T>() in HeapAllocator.h
  blink::UndoStep::append
  blink::CompositeEditCommand::applyCommandToComposite

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=444327:444338

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95v7aXbw57-prALtEhDiOO20TCTtspa0I5RkF1ANMGj0b65cyEeupQM69lfNJG9zoShr1FMgP_cFkXAGJgGhLEJrJYtuu5Y8xPMOV_NauJOp7Otee5mRJOSFqqLfAdfgzo2kvmsUDUvGKPM-hJNHhtsAWdmGYjFtRdIfR1SCyDUZOqIez9f41DCKDyZ5PJfa2DqwNU3qYFBXkqkYaheADkjmBOsZZDuPXTGOjHpWNbx_hk4Evup_ciq5wDkd8m8vD4QGFSc89Y0VhAJ3XT3KTMlUShaEhYwQLQp-vIa5LFjShr7ev8Nt66L2gXEA__nsJZ3haM3W4yLnuZ-L-LFVY_hbO9xXH4_WU9veLRRIeNZNfdd1bg?testcase_id=4732247593975808

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 13 2017
It seems we put 1M+ undo steps into the undo stack. Infinite loop?

maxElementCountInBackingStore<UndoStep>() = maxHeapObjectSize / sizeof(UndoStep)

const size_t maxHeapObjectSizeLog2 = 27;
const size_t maxHeapObjectSize = 1 << maxHeapObjectSizeLog2;
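To make the arithmetic in the comment above concrete, here is a small stand-alone model of the capacity check, added as an example; it is not Blink's HeapAllocator.h code and not anything a commenter posted. The constants are the ones quoted above (maxHeapObjectSize = 1 << 27). The element type FakeUndoStep and its 16-byte size are assumptions, since the page does not give sizeof(blink::UndoStep); the real CHECK aborts the process, which the model replaces with an exception so the outcome can be inspected.

```cpp
// Added example (not Blink's code): a model of the CHECK in HeapAllocator.h
// using the constants quoted in the comment above.
#include <cstddef>
#include <stdexcept>

const size_t maxHeapObjectSizeLog2 = 27;
const size_t maxHeapObjectSize = size_t{1} << maxHeapObjectSizeLog2;  // 128 MiB

// Largest number of T that fits in one backing-store allocation.
template <typename T>
constexpr size_t maxElementCountInBackingStore() {
  return maxHeapObjectSize / sizeof(T);
}

// Stand-in for blink::UndoStep. Its real size is not given on the page;
// 16 bytes (two pointers on a 64-bit build) is an assumption for illustration.
struct FakeUndoStep {
  void* a;
  void* b;
};

// Model of allocating a vector backing store for `count` elements.
// Returns the byte size, or throws where Blink's CHECK would abort.
template <typename T>
size_t allocateBackingBytes(size_t count) {
  if (!(count <= maxElementCountInBackingStore<T>()))
    throw std::length_error("count <= maxElementCountInBackingStore<T>()");
  return count * sizeof(T);
}

// Does a backing store for `count` elements of T survive the check?
template <typename T>
bool fitsInBackingStore(size_t count) {
  try {
    allocateBackingBytes<T>(count);
    return true;
  } catch (const std::length_error&) {
    return false;
  }
}

// Element count quoted in the WontFix comment below (from the page).
const size_t kReportedUndoSteps = 10451671;

// Smallest sizeof(T) for which `count` elements no longer fit, i.e. the
// element size the reported count implies if the check fired exactly there
// (the real vector may grow capacity ahead of the count, so treat as a bound).
size_t minElementSizeToTrip(size_t count) {
  size_t elemSize = 1;
  while (maxHeapObjectSize / elemSize >= count)
    ++elemSize;
  return elemSize;
}
```

With the assumed 16-byte element the cap is 8,388,608 entries, so 10,451,671 appends trip the check; any element size of 13 bytes or more would do the same for that count, which is consistent with a real UndoStep carrying more than a couple of pointers.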
Mar 13 2017
Mark WontFix since the script attempts to create 10,451,671 UndoSteps. It isn't a usual case.
Comment 1 by sigbjo...@opera.com, Mar 12 2017