Issue 792094

Issue metadata

Status: Verified
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Stack-overflow in blink::TextDumper::HandleNode

Project Member Reported by ClusterFuzz, Dec 5 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6496349947428864

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffd4a45ac20
Crash State:
  blink::TextDumper::HandleNode
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=514498:517698

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6496349947428864

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: kkaluri@chromium.org
Components: Blink
Labels: M-65 Test-Predator-Wrong CF-NeedsTriage
Unable to provide possible suspect using Predator, CL and Code Search.
Could someone please look into the issue.

Thank You...
Components: -Blink Blink>Editing
Labels: -CF-NeedsTriage
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)
Here is the change log from CF report: https://chromium.googlesource.com/chromium/src/+log/f1d468e87426765c55bc7cd8194799e14267732d..f76165032979d28ccd077d12cae0fd0fbcd30c9e?pretty=fuller&n=10000

xiaochengh@, can you please look into this change (https://chromium.googlesource.com/chromium/src/+/6b7caf9d9a9948625b933566f9479990bb014dc2)?

Thank you!
Components: -Blink>Editing Blink>Infra
Should be Blink>Infra since TextDumper is a testing tool.
Components: Blink>Editing
Wait... TextDumper is also (mis)used in business code.

Adding Blink>Editing back.
Project Member

Comment 5 by bugdroid1@chromium.org, Dec 7 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/582f320ff06701b3b6ede8bc4112ddac5de2d45e

commit 582f320ff06701b3b6ede8bc4112ddac5de2d45e
Author: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Thu Dec 07 18:03:00 2017

Add a recursion depth limit to WebFrameContentDumper's TextDumper

When the DOM tree is very deep, TextDumper may run out of stack space
due to the main recursion in its implementation.

This patch adds a depth limit to the recursion to avoid that.

Bug: 792094
Change-Id: Ica139bbf73f4129d317b7ed5d1e92c0d13566cf6
Reviewed-on: https://chromium-review.googlesource.com/812118
Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#522474}
[modify] https://crrev.com/582f320ff06701b3b6ede8bc4112ddac5de2d45e/third_party/WebKit/Source/core/exported/WebFrameContentDumper.cpp
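
The commit message above describes the fix only in outline: the dumper recurses once per DOM level, so a deep enough tree exhausts the thread stack, and the patch caps the recursion depth. The following is an added illustration, not Chromium's code and not the contents of the patch. It uses a small arena-backed stand-in for a DOM tree, a recursive dumper with a depth guard in the shape the commit describes, and, as the alternative a reviewer would usually ask about, an explicit-stack traversal that needs no limit at all. The limit value `kMaxDepth`, the node layout, and the helper names are all assumptions; the page does not state the value the Chromium patch chose.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not Chromium code. A tiny stand-in for a DOM tree: nodes live
// in an arena and reference children by index, so building and destroying a
// very deep tree is itself non-recursive.
struct Node {
  std::string text;              // text content of this node (may be empty)
  std::vector<size_t> children;  // indices into Tree::nodes
};

struct Tree {
  std::vector<Node> nodes;

  // Appends a node and links it under `parent`; returns its index.
  size_t Add(const std::string& text, size_t parent) {
    nodes.push_back(Node{text, {}});
    size_t idx = nodes.size() - 1;
    nodes[parent].children.push_back(idx);
    return idx;
  }
};

// Hypothetical depth limit; the value used by the Chromium patch is not on the page.
constexpr size_t kMaxDepth = 1000;

// Recursive dumper in the shape of the fix: one stack frame per tree level, but
// the walk stops once `depth` exceeds `max_depth`. Returns false when the dump
// was truncated, so callers can tell a partial result from a complete one.
bool DumpRecursive(const Tree& tree, size_t node, size_t depth,
                   size_t max_depth, std::string* out) {
  if (depth > max_depth)
    return false;
  out->append(tree.nodes[node].text);
  bool complete = true;
  for (size_t child : tree.nodes[node].children)
    complete = DumpRecursive(tree, child, depth + 1, max_depth, out) && complete;
  return complete;
}

// Alternative: an explicit-stack traversal. Depth is bounded only by heap
// memory, so no limit is needed and no output is lost on deep trees.
std::string DumpIterative(const Tree& tree, size_t root) {
  std::string out;
  std::vector<size_t> stack;
  stack.push_back(root);
  while (!stack.empty()) {
    size_t node = stack.back();
    stack.pop_back();
    out.append(tree.nodes[node].text);
    const std::vector<size_t>& kids = tree.nodes[node].children;
    // Push in reverse so children are visited left to right (document order).
    for (auto it = kids.rbegin(); it != kids.rend(); ++it)
      stack.push_back(*it);
  }
  return out;
}

// Constructed input: a chain root -> child -> grandchild ... of `depth` levels,
// each node carrying the single character "x". This is the shape of DOM a
// fuzzer produces when it nests elements thousands of levels deep.
Tree MakeChain(size_t depth) {
  Tree tree;
  tree.nodes.push_back(Node{"x", {}});
  size_t cur = 0;
  for (size_t i = 1; i < depth; ++i)
    cur = tree.Add("x", cur);
  return tree;
}

// Length of the text the guarded recursive dumper produces for a chain of
// `depth` levels: min(depth, max_depth + 1) characters.
size_t RecursiveChainLength(size_t depth, size_t max_depth = kMaxDepth) {
  Tree tree = MakeChain(depth);
  std::string out;
  DumpRecursive(tree, 0, 0, max_depth, &out);
  return out.size();
}

// Whether the guarded recursive dumper completed for a chain of `depth` levels.
bool RecursiveChainComplete(size_t depth, size_t max_depth = kMaxDepth) {
  Tree tree = MakeChain(depth);
  std::string out;
  return DumpRecursive(tree, 0, 0, max_depth, &out);
}

// Length of the text the explicit-stack dumper produces: always `depth`.
size_t IterativeChainLength(size_t depth) {
  Tree tree = MakeChain(depth);
  return DumpIterative(tree, 0).size();
}

int main() {
  std::printf("recursive, 5000-deep chain: %zu chars, complete=%d\n",
              RecursiveChainLength(5000), (int)RecursiveChainComplete(5000));
  std::printf("iterative, 200000-deep chain: %zu chars\n",
              IterativeChainLength(200000));
  return 0;
}
```

The guarded recursive version keeps the original code shape and makes the failure mode explicit (a truncated dump reports `false`), which is the minimal change a fix like the one above makes. The explicit-stack version removes the recursion entirely; it costs a heap-allocated stack but cannot overflow the thread stack however deep the fuzzer nests the DOM. Either way, a regression test that builds a chain deeper than the guard is what keeps this class of bug from returning.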

Project Member

Comment 6 by ClusterFuzz, Dec 8 2017

ClusterFuzz has detected this issue as fixed in range 522471:522474.

Detailed report: https://clusterfuzz.com/testcase?key=6496349947428864

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffd4a45ac20
Crash State:
  blink::TextDumper::HandleNode
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=514498:517698
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=522471:522474

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6496349947428864

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Dec 8 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6496349947428864 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
