CHECK failure: i < size() in Vector.h in AppendFloatsToLastLine
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6362170727333888
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  i < size() in Vector.h
  blink::LayoutBlockFlow::AppendFloatsToLastLine
  blink::LayoutBlockFlow::LayoutRunsAndFloatsInRange
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=466640:466672
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6362170727333888

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 24 2017
May 25 2017
May 28 2017
I can't reproduce this on an ASAN linux build.
May 28 2017
May 30 2017
+layout folks
Jun 2 2017
Still can't recreate this. Installed libpci3:i386 built from a clean ToT and still nothing.
Jun 3 2017
Could not reproduce on my Linux box. It is my first time, so please correct if I am doing something wrong. This is what I've done:
- build chrome with gn args: is_asan = true
- run chrome, and open local copy of reproducer testcase.
Tom, if you can reproduce this, I'd be happy to help debug.
Jun 10 2017
Jun 19 2017
No longer reproducible.
Jun 19 2017
Jun 20 2017
Jul 14 2017
ClusterFuzz testcase 4620552244559872 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Aug 12 2017
Aug 12 2017
This is probably reproducible with: `clusterfuzz-1.2.0.pex reproduce 6362170727333888` (https://storage.googleapis.com/clusterfuzz-tools/clusterfuzz-1.2.0.pex) But it's not reproducible for me with local builds using either asan or Release. See issue 727722 for some discussion on dependencies required to make it crash but installing libpci3 as suggested there doesn't allow me to reproduce locally. Assigning to tanin from the clusterfuzz team to investigate dependency requirements further.
Aug 16 2017
Somehow this becomes reproducible on my machine. I wonder if you can try again with: `/google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 6362170727333888`
Aug 16 2017
I was able to reproduce it with `/google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 6362170727333888`. Any hints on how to run this in a debugger? It does not crash in my regular build.
Aug 17 2017
Use the tool with `--enable-debug`. Build Chrome with full debug symbols by injecting `sanitizer_keep_symbols = true` and `is_debug = true` into args.gn. Ready to debug with GDB.
Aug 17 2017
Running with --enable-debug printed out a whole lot of text, but I never got the gdb prompt. So I tried running the content_shell, and got this:

./out/clusterfuzz_6362170727333888/content_shell --no-sandbox --renderer-process-limit=1 --renderer-startup-dialog $BLINK_FEATURES $BUGFILE
==86479==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING.
==86479==ASan shadow was supposed to be located in the [0x1ffff000-0x3fffffff] range.

Any ideas on how to fix this?
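The local reproduction recipe the comments above assemble (ASan build with debug symbols, content_shell run against the testcase, the ASan shadow-mapping abort as a failure mode), as an added shell example that is not from the bug thread or from the clusterfuzz tool. Helper names are hypothetical, OUT_DIR and TESTCASE are placeholders, and the ASLR-disabled retry is an assumed workaround for 32-bit ASan binaries, not something the thread confirmed.

```shell
#!/bin/sh
# Added example (not from the bug thread or the clusterfuzz tool): a small
# helper for reproducing a ClusterFuzz ASan testcase locally.
# Helper names are hypothetical; OUT_DIR and TESTCASE are placeholders.

# args.gn content suggested in the thread: ASan plus full debug symbols
# so the CHECK stack is readable under GDB.
gen_args_gn() {
  printf '%s\n' 'is_asan = true' 'is_debug = true' 'sanitizer_keep_symbols = true'
}

# Read a captured content_shell log on stdin and say what happened:
# check-failure   - the Vector.h CHECK from the report was hit
# shadow-conflict - ASan aborted before the page was even loaded
# clean           - nothing interesting (the "cannot reproduce" case)
classify_run_log() {
  log=$(cat)
  case "$log" in
    *"i < size()"*)                      echo check-failure ;;
    *"Shadow memory range interleaves"*) echo shadow-conflict ;;
    *)                                   echo clean ;;
  esac
}

# Run the testcase the way the thread does. On a shadow-mapping conflict,
# retry with ASLR disabled: an assumed workaround for 32-bit ASan binaries
# (the job here is linux_asan_chrome_v8_arm), not something the thread verified.
run_repro() {
  out_dir=$1; testcase=$2; log=${3:-repro.log}
  "$out_dir/content_shell" --no-sandbox --renderer-process-limit=1 \
      "$testcase" >"$log" 2>&1 || true
  result=$(classify_run_log <"$log")
  if [ "$result" = shadow-conflict ]; then
    setarch "$(uname -m)" -R "$out_dir/content_shell" --no-sandbox \
        --renderer-process-limit=1 "$testcase" >"$log" 2>&1 || true
    result=$(classify_run_log <"$log")
  fi
  echo "$result"
}

# Usage: gen_args_gn > out/asan-debug/args.gn && gn gen out/asan-debug
#        run_repro out/asan-debug testcase.html
```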
Aug 19 2017
ClusterFuzz testcase 4770349421166592 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 29 2017
Aug 29 2017
Issue 759311 has been merged into this issue.
Aug 29 2017
Hi Guys, this is still not reproducible with a local build and the fuzzbots still seem to hit it every now and then. Debugging it with `clusterfuzz reproduce 6362170727333888` isn't an option for me as that seems to build the world every time, a 1 to 2 hour wait if you don't have goma. If anyone knows what gn args to use to get a local build recreating this issue please post them here and either atotics or I will take a look! Thanks, Rob
Aug 29 2017
Thanks for trying, I haven't been able to reproduce it either but we do keep getting reports. :(
Aug 29 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5102081852833792.
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 4 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/852b53148e04122ccb0c444dff6e8e0cc3939f26 (Body should use ContextClient instead of ContextLifecycleObserver). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Nov 7 2017
Issue 782275 has been merged into this issue.
Nov 7 2017
Nov 7 2017
Dec 25 2017
ClusterFuzz testcase 5706340273225728 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 5 2018
Jan 5 2018
It's back again.
Jan 31 2018
Comment 1 by tkent@chromium.org, May 21 2017