CHECK failure: i < size() in Vector.h
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6526316592758784
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  i < size() in Vector.h
  blink::SVGAnimationElement::CurrentValuesForValuesAnimation
  blink::SVGAnimationElement::UpdateAnimation
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=472654:472667
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6526316592758784
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Aug 30 2017
Aug 31 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c9db58439d9c5218b26640fa65780d6dd505734c

commit c9db58439d9c5218b26640fa65780d6dd505734c
Author: Fredrik Söderquist <fs@opera.com>
Date: Thu Aug 31 17:37:37 2017

Make SMIL interval position calculations more resilient

When 'dur' is mutated, all dependent state is not updated at once, but rather lazily. This means that we can get into an inconsistent state where some timing parameters have been applied while some have not, and code that uses - and thus realizes - the state changes will be first to observe them. This can for instance lead to an interval position of NaN being computed, which would wreak havoc when computing values.

For the specific case, we'd first get an 'indefinite' simple duration and compute an interval thereafter. When 'dur' is then modified to a finite value the simple duration will not be updated until the next frame is computed (triggered by mutation of 'end'), leaving us with a valid/finite simple duration but an infinite interval. (This then results in arithmetic with Inf, yielding a NaN value for |percent|.)

Properly updating all the interval computation state on mutations is a somewhat involved task, so paper over it for now by computing the (last) active duration differently depending on the case we're in. While this change is a bit of a workaround, it should be a perfectly reasonable change on its own.

Bug: 760057
Change-Id: I1878f06db500eb1251ef2ca1cd7f10e0c8f86a00
Reviewed-on: https://chromium-review.googlesource.com/645973
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: Fredrik Söderquist <fs@opera.com>
Cr-Commit-Position: refs/heads/master@{#498911}

[add] https://crrev.com/c9db58439d9c5218b26640fa65780d6dd505734c/third_party/WebKit/LayoutTests/svg/animations/simple-duration-mutation-crash-expected.txt
[add] https://crrev.com/c9db58439d9c5218b26640fa65780d6dd505734c/third_party/WebKit/LayoutTests/svg/animations/simple-duration-mutation-crash.html
[modify] https://crrev.com/c9db58439d9c5218b26640fa65780d6dd505734c/third_party/WebKit/Source/core/svg/animation/SVGSMILElement.cpp
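The failure mode the commit message describes, as an added illustration that is neither Blink's code nor the commit's change: a hypothetical timing snapshot in which the interval was computed while 'dur' was indefinite, so arithmetic with Inf yields a NaN percent, next to a value lookup that validates the percent before forming an index (the invariant the CHECK enforces). TimingState, LastPercent and CurrentValueIndex are assumed names, and the percent formula is a stand-in, not Blink's.

```cpp
// Added illustration, not Blink code: a hypothetical model of the timing state
// the commit message describes, and the validation a value lookup needs.
#include <cmath>
#include <cstddef>
#include <limits>
#include <optional>

constexpr double kIndefinite = std::numeric_limits<double>::infinity();

// Hypothetical snapshot of SMIL timing state. In the bug, the interval was
// computed while 'dur' was indefinite, then 'dur' became finite before the
// interval was recomputed: finite simple_duration, infinite interval.
struct TimingState {
  double interval_begin;
  double interval_end;     // Inf for an interval computed with indefinite 'dur'
  double simple_duration;  // already updated to the new finite 'dur'
};

// Hypothetical stand-in for the |percent| computation at the end of the
// interval (the "last" active duration the commit message mentions).
// fmod(Inf, x) is NaN, so the inconsistent state yields a NaN percent.
double LastPercent(const TimingState& s) {
  const double active_duration = s.interval_end - s.interval_begin;
  return std::fmod(active_duration, s.simple_duration) / s.simple_duration;
}

// Chooses which entry of a 'values' list is current. Casting NaN to an
// integer is undefined behaviour in C++, and an out-of-range result is what
// the CHECK i < size() in Vector.h catches, so reject non-finite or
// out-of-range percent values before forming an index.
std::optional<size_t> CurrentValueIndex(double percent, size_t value_count) {
  if (value_count == 0 || !std::isfinite(percent) || percent < 0.0 ||
      percent > 1.0) {
    return std::nullopt;
  }
  const size_t index =
      static_cast<size_t>(percent * static_cast<double>(value_count - 1));
  if (index >= value_count)  // same invariant the CHECK enforces
    return std::nullopt;
  return index;
}

int main() {
  const TimingState inconsistent{0.0, kIndefinite, 2.0};  // constructed sample
  const TimingState consistent{0.0, 5.0, 2.0};            // constructed sample
  const bool nan_rejected = !CurrentValueIndex(LastPercent(inconsistent), 4);
  const auto ok_index = CurrentValueIndex(LastPercent(consistent), 4);
  return (nan_rejected && ok_index && *ok_index == 1) ? 0 : 1;
}
```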
Sep 12 2017
ClusterFuzz testcase 6526316592758784 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 12 2017
Doesn't appear to have caught up with the appropriate revision yet ("Last run with revision 496287"), but it's easy to see how the test would end up being flaky (it was timing dependent AFAICR.) Will mark as Fixed.
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by tkent@chromium.org, Aug 29 2017