New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 718307 link

Starred by 1 user
Status: WontFix
Owner:
dcheng@chromium.org
Closed: Jun 2017
Cc:
wangxianzhu@chromium.org
kojii@chromium.org
dominicc@chromium.org
msrchandra@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocked on:
issue 721175


Sign in to add a comment

Stack-overflow in blink::LayoutTableRow::UpdateLayout

Project Member Reported by ClusterFuzz, May 4 2017 
Detailed report: https://clusterfuzz.com/testcase?key=4598353320214528

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0xff039e40
Crash State:
  blink::LayoutTableRow::UpdateLayout
  blink::LayoutTableSection::UpdateLayout
  blink::LayoutTable::LayoutSection
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=338684:338816

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4598353320214528


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, May 4 2017

Cc: msrchandra@chromium.org wangxianzhu@chromium.org
Labels: M-60 Test-Predator-Wrong
Owner: dcheng@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not provide any possible suspects.
Using Code Search for the file, "LayoutTableRow.cpp" assigning to the related owner who might have worked on similar issues.

@dcheng -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by dcheng@chromium.org, May 4 2017

Cc: kojii@chromium.org dominicc@chromium.org
Components: Blink>Layout
I'm not sure there's really anything we can do here, it looks like we just have a really deep layout tree. Does anyone know how other browsers handle this?

Comment 3 by wangxianzhu@chromium.org, May 4 2017 

For the attached test case, on my Linux machine, Chrome crashes after adding 11000 dom nodes in a "unary tree".

FireFox doesn't crash, but it seems to limit the depth of render tree to about 200. It seems to not limit the depth of the DOM tree.

A related bug is Bug 578352 which is about recursive frames. Firefox seems to limit depth of recursive frames to about 10.

Many similar bugs are marked WontFix (https://bugs.chromium.org/p/chromium/issues/list?can=2&q=status%3AWontFix+stack+overflow&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids).
stackoverflow.html
484 bytes View Download

Comment 4 by dcheng@chromium.org, May 16 2017

Blockedon: 721175
I've filed 721175 to limit the max depth of the layout tree. In the mean time, there's not much to do about this.

Comment 5 by e...@chromium.org, Jun 19 2017

Status: WontFix (was: Assigned)
Project Member

Comment 6 by ClusterFuzz, Jul 14 2017

Labels: Needs-Feedback
ClusterFuzz testcase 4598353320214528 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.

Sign in to add a comment