Issue 712534 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	jochen@chromium.org
Closed:	Apr 2017
Cc:	cbruni@chromium.org █ msrchandra@chromium.org █ dslomov@chromium.org lfg@chromium.org
Components:	Blink>Bindings
EstimatedDays:	----
NextAction:	----
OS:	Windows
Pri:	1
Type:	Bug
Stability-Crash Reproducible Stability-Memory-AddressSanitizer Clusterfuzz M-60 Test-Predator-Wrong-CLs

Crash in blink::ReportFatalErrorInMainThread

Project Member Reported by ClusterFuzz, Apr 18 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4751023664267264

Fuzzer: inferno_canvas_wrecker
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::Uint8ClampedArray::New
  blink::DOMTypedArray<WTF::Uint8ClampedArray,v8::Uint8ClampedArray>::Wrap
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=464127:464504

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96__Rk6OtnCjxmZTWtWdrOvJk4T859vELQJ6pzEhb0p4JmV5H2M2aesEDLfmGsRNH_xjGpMUvG-CM_OyVSOHRgr1Fo2Fv9xjmFFbM2UJDWIXbLhaa3CE38PpmpHtFLn3IrX7v2DAnoNnWIURj6zjzqEDdYgyxWieqRjQ_PMVZ8VRfB3mp9j3Q2tuT8GDZQTnOY-Kt-SWzjqDgfVLp1jqfnUpCP3CKM6WBx8cc-fhjotEUPe2WrvgH8WFTOI-odFeaDqChZemqQ8bsFPrc1tlHGBL4OF6cI4nFDC6NjbLwgOp_6JLtk2pD79N417-nBbtFbjlNLLg3PcUrpa2T040QP5-arcIjYJ6Znva3-TadEX8WFSk68?testcase_id=4751023664267264


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, Apr 18 2017

Cc: msrchandra@chromium.org
Components: Blink>Bindings
Labels: Test-Predator-Wrong-CLs M-60
Owner: lukasza@chromium.org
Status: Assigned (was: Untriaged)

Predator and CL did not provide any possible suspects.
Using Code Search for the file, "DOMTypedArray.cpp" assigning to the concern owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/1c4d759e44259650dfb2c426a7f997d2d0bc73dc

@lukasza -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by lukasza@chromium.org, Apr 18 2017

Cc: dslomov@chromium.org cbruni@chromium.org
Owner: jochen@chromium.org

jochen@ / cbruni@ / dslomov@ - could you PTAL? (based on git blame around TYPED_ARRAY_NEW macro definition in v8/src/api.cc)

Comment 3 by jochen@chromium.org, Apr 18 2017

Status: WontFix (was: Assigned)

The test case tries to create a canvas with more than 2^31 bytes.

►

Issue 712534 link

Issue metadata

Crash in blink::ReportFatalErrorInMainThread

Issue description

Comment 1 by msrchandra@chromium.org, Apr 18 2017

Comment 1 Deleted

Comment 2 by lukasza@chromium.org, Apr 18 2017

Comment 2 Deleted

Comment 3 by jochen@chromium.org, Apr 18 2017

Comment 3 Deleted

Sign in to add a comment