Crash in cc::ListContainerHelper::Allocate
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5227755907317760
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x000000ec
Crash State:
  cc::ListContainerHelper::Allocate
  cc::RenderPass::CreateAndAppendSharedQuadState
  cc::RenderSurfaceImpl::AppendQuads
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=464127:464504
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv951y--KqfktsN-Cj-DK3Iyj5Kswh1OIsLiFuDpS69pN0utMCFCvOBmAZ2KVezWth5D8E-ANBexG9mvcrRuntQvpWJHoK9A1XSOgSArHy0wfFemmxmi8SIKdFY9ZoAZJB1aMOsUljsd_PZZVYYSLUPkG5_bTQWMvtBIO--QnWi9bw6s3jyd9c6x3zUSFR-Z8gVNYglIzkp8xrkgTM-hsHUwR7510RrxqIHT4HZ2UgTlrwfDtYN_gvkWRlYjoF6nSvgwzWAh26hMJdnuZC_uBifjEEz25Xzwu2RMyDUfwaWETuNtcVOEQVNPOSCKa_2wlqjtBlAmkC8p-CzV0MCY70SFgiXJyG6r6AnSp43BSkz66paKsRIE?testcase_id=5227755907317760
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 20 2017
The crash still happens after I revert to the commit before my CL. I have tested the current stable version and canary version; it broke between (58.0.3029.81) dbbd95bace5f6a49951a5af485e009da9f20c763 and (60.0.3076.2) 7d214605ac31d0af2a5fa5438079272ffc098b38.
Apr 20 2017
I manually bisected and found this CL: https://chromium.googlesource.com/chromium/src/+/1553a14bd799b2dd09bebeeeda934379318eaf7e
jaydasika@, can you take a look at this bug?
Apr 22 2017
This is another bad floating point case. The crash is because a render surface (created by a fixed pos element) is trying to draw into a target that itself is not drawn. Before my CL, we were lucky that the render surface ended up with an empty content rect and was getting dropped before it tried to draw into a non-existent target.
The fixed pos element's render surface doesn't get skipped, but the target it draws into is skipped because of a singular transform. This should actually not happen, as the transform between a fixed pos element's transform node and its target's transform node should be at most a translation. But I have logged it and it's not the case for this page:
[ +0.0000 +0.0000 +0.0000 +29.0000
  +0.0000 -1.0000 +0.0000 +67108856.0000
  +0.0000 +0.0000 +1.0000 +0.0000
  +0.0000 +0.0000 +0.0000 +1.0000 ]
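As an added illustration (not code from Chromium or from anyone in this thread), a small C++ check of the invariant stated in the comment above, run against the logged matrix: the transform is singular and is not a pure translation, which is exactly the state in which the surface would draw into a target that is itself skipped. The last helper only shows that single-precision floats just below 2^26 cannot represent a delta of 1 added to 67108856, an illustration of why such offsets are fragile rather than a claim about this bug's exact root cause; the row-major layout and all helper names are assumptions.

```cpp
#include <array>
#include <cmath>

// Row-major 4x4 matrix, laid out as the log above prints it (assumption).
using Mat4 = std::array<std::array<double, 4>, 4>;

// The transform quoted in the comment (values copied from the log).
const Mat4 kLoggedTransform = {{{{0.0, 0.0, 0.0, 29.0}},
                                {{0.0, -1.0, 0.0, 67108856.0}},
                                {{0.0, 0.0, 1.0, 0.0}},
                                {{0.0, 0.0, 0.0, 1.0}}}};

// Builds the shape the comment says is expected: a pure translation.
Mat4 Translation(double x, double y, double z) {
  return {{{{1.0, 0.0, 0.0, x}}, {{0.0, 1.0, 0.0, y}},
           {{0.0, 0.0, 1.0, z}}, {{0.0, 0.0, 0.0, 1.0}}}};
}
// Determinant of the 3x3 linear part; zero means the transform collapses
// space and cannot be inverted (the "singular transform" in the comment).
double LinearPartDeterminant(const Mat4& m) {
  return m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1]) -
         m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0]) +
         m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]);
}
bool IsSingular(const Mat4& m, double eps = 1e-9) {
  return std::fabs(LinearPartDeterminant(m)) < eps;
}
// "At most translation": linear part is the identity and the bottom row is
// (0, 0, 0, 1); only the last column may carry arbitrary values.
bool IsAtMostTranslation(const Mat4& m, double eps = 1e-9) {
  for (int r = 0; r < 4; ++r)
    for (int c = 0; c < 3; ++c)
      if (std::fabs(m[r][c] - (r == c ? 1.0 : 0.0)) > eps) return false;
  return std::fabs(m[3][3] - 1.0) <= eps;
}
// The invariant a fixed-position surface's transform to its target must
// satisfy; an empty content rect (what masked the bug before the CL) does
// not check it.
bool FixedPosTransformIsSane(const Mat4& m) {
  return !IsSingular(m) && IsAtMostTranslation(m);
}
// Single-precision floats just below 2^26 are spaced 4 apart, so a delta of
// 1 added to a translation of 67108856 rounds away entirely. This shows why
// such offsets are fragile; it is not the diagnosed root cause of this bug.
bool TranslationAbsorbsDelta(double translation, double delta) {
  float t = static_cast<float>(translation);
  volatile float sum = t + static_cast<float>(delta);  // force float rounding
  return sum == t;
}
```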
Apr 24 2017
Issue 714431 has been merged into this issue.
Apr 24 2017
Apr 29 2017
ClusterFuzz has detected this issue as fixed in range 468145:468195.

Detailed report: https://clusterfuzz.com/testcase?key=5227755907317760
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x000000ec
Crash State:
  cc::ListContainerHelper::Allocate
  cc::RenderPass::CreateAndAppendSharedQuadState
  cc::RenderSurfaceImpl::AppendQuads
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=464127:464504
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=468145:468195
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5227755907317760
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 29 2017
ClusterFuzz testcase 5227755907317760 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mummare...@chromium.org, Apr 20 2017
Labels: M-60 Test-Predator-Wrong
Owner: sunxd@chromium.org
Status: Assigned (was: Untriaged)