Stack-overflow in blink::ClassifyBlock
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5057785707626496
Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7ffd07f8a760
Crash State: blink::ClassifyBlock
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=496937:496959
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5057785707626496

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 18 2017
Could anyone from the Blink>CSS team please take a look and update the thread, as this is a blocker issue and the owner (meade@) is OOO till Oct 3rd 2017. Thanks..!!
Sep 21 2017
Unassigning meade@ as they are OOO. The test case is just heaps of unclosed open brackets, causing a stack overflow in this recursive call: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/css/parser/CSSVariableParser.cpp?q=ClassifyBlock&sq=package:chromium&l=41 We could make this non-recursive, but this seems like a weird artificial case that won't appear in real world websites. Removing ReleaseBlock-Beta label.
Sep 25 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/654ffec610219dad73aca9c5fc7c8fd666af7551

commit 654ffec610219dad73aca9c5fc7c8fd666af7551
Author: Darren Shen <shend@chromium.org>
Date: Mon Sep 25 10:55:19 2017

Remove recursive calls from ClassifyBlock to prevent stack overflows.

This patch changes ClassifyBlock to be iterative rather than recursive so we don't get stack overflows when the nesting level gets too big. To remove the recursion, we handle each token one by one, keeping track of the nesting level in an integer.

Bug: 763219
Change-Id: I7567e51bf41a68806686e4e5342ea34984d53b59
Reviewed-on: https://chromium-review.googlesource.com/680197
Reviewed-by: nainar <nainar@chromium.org>
Commit-Queue: Darren Shen <shend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504027}

[add] https://crrev.com/654ffec610219dad73aca9c5fc7c8fd666af7551/third_party/WebKit/LayoutTests/css-parser/unclosed-open-brackets-crash.html
[modify] https://crrev.com/654ffec610219dad73aca9c5fc7c8fd666af7551/third_party/WebKit/Source/core/css/parser/CSSVariableParser.cpp
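The recursion-to-counter change the commit above describes, as an added illustration that is not Blink's code: a constructed model in which each character of a CSS value is a token, `(`, `[`, `{` open a block and `)`, `]`, `}` close one. The pre-fix shape recurses once per open token (so the fuzzer's unclosed-bracket input costs one stack frame per bracket), while the post-fix shape keeps the nesting level in an `int` and handles arbitrarily deep input in constant stack. The `BlockInfo` fields and the rule that unclosed blocks are merely counted are assumptions of this model.

```cpp
#include <string>

// Constructed model (not Blink's API): what a classification pass reports.
struct BlockInfo {
  bool valid = true;         // false if a close token has no matching open token
  int max_depth = 0;         // deepest nesting level reached
  int unclosed = 0;          // open tokens still unmatched at end of input
  bool has_var_ref = false;  // a "var(" function token was seen
};

static bool IsOpen(char c) { return c == '(' || c == '[' || c == '{'; }
static bool IsClose(char c) { return c == ')' || c == ']' || c == '}'; }

// Pre-fix shape: each nested block is classified by a recursive call, so every
// open token costs a stack frame. Safe only on shallow input.
static void ClassifyRecursive(const std::string& s, size_t& i, int depth, BlockInfo& info) {
  if (depth > info.max_depth) info.max_depth = depth;
  while (i < s.size()) {
    char c = s[i++];
    if (IsOpen(c)) {
      if (c == '(' && i >= 4 && s.compare(i - 4, 3, "var") == 0) info.has_var_ref = true;
      ClassifyRecursive(s, i, depth + 1, info);  // the overflow path
    } else if (IsClose(c)) {
      if (depth == 0) info.valid = false;  // stray close token at top level
      return;  // the enclosing call resumes after this block
    }
  }
  if (depth > 0) ++info.unclosed;  // input ended inside an open block
}

BlockInfo ClassifyRecursiveWrapper(const std::string& s) {
  BlockInfo info;
  size_t i = 0;
  ClassifyRecursive(s, i, 0, info);
  return info;
}

// Post-fix shape: one pass over the tokens with the nesting level in an int, so
// a value made of thousands of unclosed open brackets is just a large counter.
BlockInfo ClassifyIterative(const std::string& s) {
  BlockInfo info;
  int depth = 0;
  for (size_t i = 0; i < s.size(); ++i) {
    char c = s[i];
    if (IsOpen(c)) {
      if (c == '(' && i >= 3 && s.compare(i - 3, 3, "var") == 0) info.has_var_ref = true;
      if (++depth > info.max_depth) info.max_depth = depth;
    } else if (IsClose(c)) {
      if (depth == 0) info.valid = false;
      else --depth;
    }
  }
  info.unclosed = depth;
  return info;
}
```

Feeding `std::string(100000, '(')` to `ClassifyIterative` returns `unclosed == 100000` without touching the stack; the same input to the recursive form is the crash the fuzzer found.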
Sep 26 2017
ClusterFuzz has detected this issue as fixed in range 503967:504119.

Detailed report: https://clusterfuzz.com/testcase?key=5057785707626496
Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7ffdb140f840
Crash State: blink::ClassifyBlock
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=496937:496959
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=503967:504119
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5057785707626496

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 27 2017
ClusterFuzz testcase 5057785707626496 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Sep 8 2017
Labels: Test-Predator-Wrong M-63
Owner: alancutter@chromium.org
Status: Assigned (was: Untriaged)