CHECK failure: count <= MaxElementCountInBackingStore<T>() in PartitionAllocator.h
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5920562284331008
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  count <= MaxElementCountInBackingStore<T>() in PartitionAllocator.h
  blink::Element::TextFromChildren
  blink::StyleElement::Process
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=443258:443393
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97dIrBOVZotPm790qyEGmOaTLd9q8JLXYyD-B-0axuz_DQz8tvhBEV3ShqXTPaK8y3ZfjnN5vg5ccxAFpXDaDlOaa-Csqj2nQE-XGjeu4lJLTQ3vYoSpESuxNhah9ahLZWl5S-NMd2rS07jjCXhvYCMtIF3F3g_DPWBmTaSSOeib2DaGRg1oG6ZIjsFqd5d6svcStavLNpn_GYm8M_DE9hw-DmfIhdvb5UmQTNwoc0h6XASy3eOruKKRvIJgZG2rDyXBpXoAWrm6I_z9vHTfjiY88ECuEOIJD_R-H49KK92x4kQGQ6a2Xt6MZdkdLaoOAxWG5cyzMtv6xj1SL28LH2v-lbVKIgSbauIyxBINwzKov7HNQM?testcase_id=5920562284331008
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 23 2017
palmer, this appears to be an issue in PartitionAllocator, can you PTAL?
Apr 25 2017
PartitionAlloc supports <= 2GB memory allocation. However, the testcase requires more than 2GB memory allocation. Element::textFromChildren() checks the # of child text strings, but the limit is 4GB... I'm not sure which is better: to make the limit 2GB or to just mark this issue as WontFix.
Apr 26 2017
This is not a bug in PA, which is correctly enforcing its internal sanity constraints (no allocations > 2 GiB). I'd advise changing |Element::textFromChildren| to match.
But then, the test will still fail; it'll just fail in that layer. But there, it can fail gracefully (i.e. in its existing, defined way), rather than CHECKing.
- if (length > std::numeric_limits<unsigned>::max() - total_length)
+ if (length > std::numeric_limits<int>::max() - total_length)
return g_empty_string;
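Review bot: the new bound is a bare `std::numeric_limits<int>::max()`, while the comment above explains it exists to match PartitionAlloc's 2 GiB allocation ceiling; a named constant or a one-line comment at the check would keep that intent visible and stop a later reader from "fixing" it back to `unsigned`. Also, `std::numeric_limits<int>::max() - total_length` is a signed/unsigned mix that converts to unsigned and wraps if `total_length` is ever above INT_MAX at the point of the check, so the guard is only sound if `total_length` is itself kept at or below that bound; that precondition deserves either a comment or an explicit check beside this line.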
Anyone want to land that real quick? :)
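The guard discussed in this comment is the standard overflow-safe accumulation check: compare the next piece against the remaining headroom (`limit - total`) instead of computing `total + length`, which can wrap. The following is an added example, not Chromium or Blink code; `kMaxBackingStoreBytes`, `AccumulatedLengthFits`, `SumLengths` and `NaiveCheckFits` are hypothetical names, and the cap is stood in by `std::numeric_limits<int>::max()` to mirror the 2 GiB limit mentioned above. It also makes the precondition explicit (the running total must itself stay at or below the cap), which is what keeps the subtraction form well defined, and shows beside it the naive additive form that wraps.

```cpp
// Added example (not Chromium code): an overflow-safe length accumulator.
// All names below are hypothetical stand-ins for the pattern in the thread.
#include <cstdint>
#include <limits>
#include <vector>

// Hypothetical stand-in for the allocator's per-allocation ceiling (2 GiB - 1).
constexpr unsigned kMaxBackingStoreBytes = std::numeric_limits<int>::max();

// True if |total_length| + |length| stays within the cap, computed without
// ever forming the sum. The first test is the precondition that makes the
// subtraction well defined: if |total_length| were above the cap, the unsigned
// difference would wrap to a huge value and accept almost anything.
bool AccumulatedLengthFits(unsigned total_length, unsigned length) {
  if (total_length > kMaxBackingStoreBytes)
    return false;
  return length <= kMaxBackingStoreBytes - total_length;
}

// Sums piece lengths, failing gracefully (false, total 0) instead of asserting
// when the running total would exceed the cap.
bool SumLengths(const std::vector<unsigned>& lengths, unsigned* out_total) {
  unsigned total_length = 0;
  for (unsigned length : lengths) {
    if (!AccumulatedLengthFits(total_length, length)) {
      *out_total = 0;
      return false;
    }
    total_length += length;  // safe: the check above bounds the sum
  }
  *out_total = total_length;
  return true;
}

// The additive form the guard avoids: the sum is evaluated in unsigned
// arithmetic and wraps modulo 2^32, so an oversized pair can pass the check.
bool NaiveCheckFits(unsigned total_length, unsigned length) {
  return total_length + length <= kMaxBackingStoreBytes;
}
```

`SumLengths` is the shape a caller such as a text-concatenation routine wants: a boolean it can turn into an empty-string result, rather than a CHECK inside the allocator.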
May 12 2017
Jul 1 2017
ClusterFuzz has detected this issue as fixed in range 483728:483748.
Detailed report: https://clusterfuzz.com/testcase?key=5920562284331008
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  count <= MaxElementCountInBackingStore<T>() in PartitionAllocator.h
  blink::Element::TextFromChildren
  blink::StyleElement::Process
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=443258:443393
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=483728:483748
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5920562284331008
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 1 2017
ClusterFuzz testcase 5920562284331008 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mummare...@chromium.org, Apr 21 2017
Components: Blink>CSS
Labels: Test-Predator-Wrong M-58