New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 713216 link

Starred by 1 user

Issue metadata

Status: Verified
Owner: ----
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

CHECK failure: count <= MaxElementCountInBackingStore<T>() in PartitionAllocator.h

Project Member Reported by ClusterFuzz, Apr 19 2017

Issue description

Cc: sigbjo...@opera.com
Components: Blink>CSS
Labels: Test-Predator-Wrong M-58
Predator and regression range didn't given any suspects CL.

Comment 2 by shend@chromium.org, Apr 23 2017

Cc: palmer@chromium.org shend@chromium.org
Components: -Blink>CSS Blink>MemoryAllocator>Partition
palmer, this appears to be an issue in PartitionAllocator, can you PTAL?

Comment 3 by tasak@google.com, Apr 25 2017

PartitionAlloc supports <= 2GB memory allocation.
However, the testcase requires more than 2GB memory allocation.

Element::textFromChildren() checks # of child text string but the limit is 4GB...

I'm not sure which is better: to make the limit 2GB or to just mark this issue as WontFix.

Comment 4 by palmer@chromium.org, Apr 26 2017

Components: -Blink>MemoryAllocator>Partition Blink>DOM
Labels: OS-Android OS-Chrome OS-Mac OS-Windows
Status: Available (was: Untriaged)
This is not a bug in PA, which is correctly enforcing its internal sanity constraints (no allocations > 2 GiB). I'd advise changing |Element::textFromChildren| to match.

But then, the test will still fail; it'll just fail in that layer. But there, it can fail gracefully (i.e. in its existing, defined way), rather than CHECKing.

-    if (length > std::numeric_limits<unsigned>::max() - total_length)
+    if (length > std::numeric_limits<int>::max() - total_length)
       return g_empty_string;

Anyone want to land that real quick? :)

Comment 5 by tkent@chromium.org, May 12 2017

Labels: -Pri-1 -M-58 Pri-2
Project Member

Comment 6 by ClusterFuzz, Jul 1 2017

ClusterFuzz has detected this issue as fixed in range 483728:483748.

Detailed report: https://clusterfuzz.com/testcase?key=5920562284331008

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  count <= MaxElementCountInBackingStore<T>() in PartitionAllocator.h
  blink::Element::TextFromChildren
  blink::StyleElement::Process
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=443258:443393
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=483728:483748

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5920562284331008


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Jul 1 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 5920562284331008 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment