Crash in blink::Node::textContent
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5645522494029824
Fuzzer: inferno_twister
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::Node::textContent
  blink::Element::innerText
  blink::Element::outerText
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=443510:443512
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv959mOSV7H91GSCkMNTysuuzBzxvJxJHfqJeVKa_ythJKHtO5_86pPcZTKbx09nfEM2d2LgpBRcBIxMBoc2t397sCNx0APUVkFttPBbQsjHtxJ8DQXElZZIqkAOrT-tr3kcPoyWlTxQwJoj4RWSey2fxJqypQesqUarjbQxhveiYjQBzRk4JRpXg2dejiR64TXZp8l7kkHGqCK7DAPUr6TmhphKn2DV0gqVaOhXHtHRa1YogBuaR4iTnN7OCKaS8LeMizK_OLREU4jpkwM4G8itB3bWrHPHoeqLmw_1yld6_S_9Cg8Fg9LWVv-1bnKKaFpvPhTtMYFFKSU23xxfH7HookPouQMOoV-oOPauLF9oHVm0I9v5IHVASepj_54v-ihQ7q-cwCLSZQi8hnUPudRsqPpAgXQ?testcase_id=5645522494029824

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 24 2017

Test dynamically modifies a style element. There are only two changes in the regression range and r443512 changes ComputedStyle. https://codereview.chromium.org/2630683002
Apr 26 2017

On Linux the test case gives the following crash:

  [1:1:0426/100610.047600:FATAL:PartitionAllocator.h(37)] Check failed: count <= MaxElementCountInBackingStore<T>() (2415919104 vs. 2147479551)
  #0 0x7f088a3a8d37 base::debug::StackTrace::StackTrace()
  #1 0x7f088a3c617d logging::LogMessage::~LogMessage()
  #2 0x7f087ee520ec WTF::PartitionAllocator::QuantizedSize<>()
  #3 0x7f087ee51fe1 WTF::Vector<>::ReserveCapacity()
  #4 0x7f087ee5f59b WTF::Vector<>::ExpandCapacity()
  #5 0x7f087ee5eb2f WTF::Vector<>::Append<>()
  #6 0x7f087ee5e829 WTF::StringBuilder::Append()
  #7 0x7f0884233abb blink::Node::textContent()
  #8 0x7f08842073a6 blink::Element::innerText()
  #9 0x7f08842073cd blink::Element::outerText()
  #10 0x7f08849db6e8 blink::V8HTMLElement::outerTextAttributeGetterCallback()
  #11 0x7f08850f4c4a v8::internal::FunctionCallbackArguments::Call()
  #12 0x7f088519aaa8 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
  #13 0x7f088519a313 v8::internal::Builtins::InvokeApiFunction()
  #14 0x7f088558fc22 v8::internal::Object::GetPropertyWithAccessor()
  #15 0x7f088558f470 v8::internal::Object::GetProperty()
  #16 0x7f088551413b v8::internal::LoadIC::Load()
  #17 0x7f0885517c40 v8::internal::KeyedLoadIC::Load()
  #18 0x7f088551ce86 v8::internal::Runtime_KeyedLoadIC_Miss()
  #19 0x0b558b7846fd <unknown>
May 15 2017

The regression range appears to be incorrect; I can repro the crash before the range. Rerunning clusterfuzz bisect.
May 16 2017

According to the clusterfuzz log the new regression range is https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=439362:439368. I highly suspect the V8 roll. Will manually confirm bisect later.
May 19 2017

One line in the test case is:

  var tCFexcludes = ['innerHTML','outerHTML','innerText'];

The stack trace shows that we're crashing on accessing outerText. This leads me to believe this is a basic script-invoked OOM that we wouldn't normally worry about.

+inferno: Is it possible to modify this fuzzer generator and add outerText to the exclusion list?
Comment 1 by mummare...@chromium.org, Apr 20 2017

Components: Blink>Layout
Labels: M-60 Test-Predator-Wrong