New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 718386 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Stack-overflow in blink::PrePaintTreeWalk::Walk

Project Member Reported by ClusterFuzz, May 4 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5711311142125568

Fuzzer: attekett_surku_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffe37312f40
Crash State:
  blink::PrePaintTreeWalk::Walk
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=468406:468455

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5711311142125568


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Project Member

Comment 1 by ClusterFuzz, May 4 2017

Labels: OS-Mac
Cc: msrchandra@chromium.org
Labels: M-60 Test-Predator-Wrong
Owner: chrishtr@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not provide any possible suspects.
Using Code Search for the file, "PrePaintTreeWalk.cpp" assigning to the concern owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/ca2623e17b5c45400485a2ceb08545baa9f09c4f

@chrishtr -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 3 by pdr@chromium.org, May 9 2017

Cc: f...@opera.com pdr@chromium.org
 Issue 717624  has been merged into this issue.
Labels: -Pri-1 Pri-2
Project Member

Comment 5 by bugdroid1@chromium.org, May 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6c53f5db1411329c6662a40b4973a3af20b80ab5

commit 6c53f5db1411329c6662a40b4973a3af20b80ab5
Author: chrishtr <chrishtr@chromium.org>
Date: Fri May 12 01:11:10 2017

Put PaintInvalidatorContext on the heap, to reduce stack overflows.

BUG= 718386 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2873823002
Cr-Commit-Position: refs/heads/master@{#471160}

[modify] https://crrev.com/6c53f5db1411329c6662a40b4973a3af20b80ab5/third_party/WebKit/Source/core/paint/PaintInvalidator.h
[modify] https://crrev.com/6c53f5db1411329c6662a40b4973a3af20b80ab5/third_party/WebKit/Source/core/paint/PrePaintTreeWalk.cpp

Status: Fixed (was: Assigned)
Project Member

Comment 7 by ClusterFuzz, May 12 2017

ClusterFuzz has detected this issue as fixed in range 471033:471049.

Detailed report: https://clusterfuzz.com/testcase?key=5711311142125568

Fuzzer: attekett_surku_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffe37312f40
Crash State:
  blink::PrePaintTreeWalk::Walk
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=468406:468455
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=471033:471049

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5711311142125568


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by pdr@chromium.org, May 15 2017

 Issue 716517  has been merged into this issue.

Sign in to add a comment