Issue 745449

Issue metadata

Status: WontFix
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 2
Type: Bug

Stack-overflow in blink::Element::cloneNode

Project Member Reported by ClusterFuzz, Jul 18 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4910205661085696

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7fff5ec18f28
Crash State:
  blink::Element::cloneNode
  blink::ContainerNode::CloneChildNodes
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4910205661085696


Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Jul 18 2017

Labels: OS-Mac
Labels: Pri-2
Stack-overflow, Out of memory and Timeout issues are 'P2'.
Components: Blink>DOM

Comment 4 by hayato@chromium.org, Aug 23 2017

Owner: kochi@chromium.org
Status: Assigned (was: Untriaged)
kochi@, could you take a look?

Comment 5 by kochi@chromium.org, Aug 28 2017

Reproduced locally and manually reduced to some extent.

cloneNode() seems to recurse infinitely for a relatively shallow tree.

Attachment: repro2.html (1.3 KB)

Comment 6 by kochi@chromium.org, Aug 30 2017

Cc: msrchandra@chromium.org mlippautz@chromium.org kochi@chromium.org
Issue 760050 has been merged into this issue.

Comment 7 by kochi@chromium.org, Oct 23 2017

Owner: rakina@chromium.org
Rakina, could you take a look at this?

Comment 8 by rakina@chromium.org, Oct 23 2017

Status: WontFix (was: Assigned)
After examining the testcase, it looks like this is not a bug. The testcase is cloning a node (specifically, the root ol node) and appending it to itself, making a chain and doubling the level/depth in every loop.

On my dev machine, the stack overflows when the depth reaches 32k. This is expected and not a bug.

Comment 9 by mmoroz@chromium.org, Oct 23 2017

Status: Assigned (was: WontFix)
Please see my comment on issue 777336

Status: Started (was: Assigned)
Will change the recursive code that caused the stack overflow to iterative.

Status: WontFix (was: Started)
You don't need to make this iterative.
For deeply nested trees, a stack overflow would happen anywhere in our code base.
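The mechanism in comments 8 and 9, as an added example that is not Chromium or Blink code: a toy tree with a recursive clone of the same shape as the crash stack (cloneNode calling into the children, which call cloneNode again), beside an iterative clone that keeps its pending work on a heap-allocated array instead of the native stack. growByDoubling reproduces the growth pattern comment 8 describes (graft a copy of the tree under its deepest node, doubling the depth each round; 15 rounds give depth 32768, the ~32k at which the reporter's machine overflowed). All function names are mine, and the tree is a plain object rather than a DOM.

```javascript
// Added example (not Blink code): recursive vs. iterative deep clone of a tree.

// Tree node: a tag name and an ordered list of children.
function makeNode(tag) {
  return { tag, children: [] };
}

// Build a chain of the given depth: every node has exactly one child.
function makeChain(depth) {
  const root = makeNode('ol');
  let cur = root;
  for (let i = 1; i < depth; i++) {
    const child = makeNode('li');
    cur.children.push(child);
    cur = child;
  }
  return root;
}

// Depth of a tree, computed without recursion so it works on deep input.
function depthOf(root) {
  let best = 0;
  const stack = [[root, 1]];
  while (stack.length) {
    const [node, level] = stack.pop();
    if (level > best) best = level;
    for (const child of node.children) stack.push([child, level + 1]);
  }
  return best;
}

// Recursive deep clone: one native stack frame per level of nesting,
// which is the shape of Element::cloneNode -> CloneChildNodes -> cloneNode ...
function cloneRecursive(node) {
  const copy = makeNode(node.tag);
  for (const child of node.children) copy.children.push(cloneRecursive(child));
  return copy;
}

// Iterative deep clone: pending (source, destination) pairs live in an array,
// so nesting depth is bounded by heap memory, not by the native stack.
function cloneIterative(root) {
  const copy = makeNode(root.tag);
  const stack = [[root, copy]];
  while (stack.length) {
    const [src, dst] = stack.pop();
    for (const child of src.children) {
      const childCopy = makeNode(child.tag);
      dst.children.push(childCopy);
      stack.push([child, childCopy]);
    }
  }
  return copy;
}

// Run the recursive clone on a chain of the given depth and report whether
// it exhausted the JS call stack (RangeError). Any other error is re-thrown.
function recursiveCloneOverflows(depth) {
  try {
    cloneRecursive(makeChain(depth));
    return false;
  } catch (e) {
    if (e instanceof RangeError) return true;
    throw e;
  }
}

// The testcase's growth pattern from comment 8: each round appends a clone
// of the whole tree under its deepest node, so the depth doubles every loop.
function growByDoubling(rounds) {
  const root = makeChain(1);
  for (let r = 0; r < rounds; r++) {
    let leaf = root;
    while (leaf.children.length) leaf = leaf.children[0];
    leaf.children.push(cloneIterative(root));
  }
  return root;
}

// Stand-alone run: 15 doublings reach depth 32768; the recursive clone
// overflows well before that, the iterative one copies it intact.
const deep = growByDoubling(15);
console.log('depth', depthOf(deep),
  'recursive overflows:', recursiveCloneOverflows(depthOf(deep)),
  'iterative depth:', depthOf(cloneIterative(deep)));
```

The iterative version removes this one recursion, but as the final reply in the thread notes, it does not make a 32k-deep tree safe: any other recursive walk over the same tree (layout, serialization, style resolution) hits the same native stack limit, which is why the issue stayed WontFix rather than patching cloneNode alone.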

Comment 12 by ClusterFuzz (Project Member), Nov 1 2017

Labels: Needs-Feedback
ClusterFuzz testcase 6026723429974016 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.

Cc: kkaluri@chromium.org mstensho@chromium.org
Issue 783907 has been merged into this issue.

Comment 14 by kochi@chromium.org, Nov 13 2017

Labels: ClusterFuzz-Ignore
Adding "ClusterFuzz-Ignore" label as c#12 suggests.