
Issue 814693

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 26
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 3
Type: Bug



Stack-overflow in blink::Element::Clone

Project Member Reported by ClusterFuzz, Feb 22 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5142063243591680

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffcb4870fb8
Crash State:
  blink::Element::Clone
  blink::ContainerNode::CloneChildNodesFrom
  CloneElementWithChildren
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=144946:145047

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5142063243591680

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: brajkumar@chromium.org
Components: Blink>DOM
Labels: M-65 Test-Predator-Wrong CF-NeedsTriage
Unable to find the actual suspect through code search, and also observing no CL under the regression range, hence adding the appropriate label for further triage.

Thanks!

Comment 2 by rakina@chromium.org, Feb 26 2018

Labels: -Pri-1 Pri-3
Status: Available (was: Untriaged)
It seems that the stack overflow is caused by cloning nodes each time a DOMNodeInserted event is fired (and DOMNodeInserted will fire again after cloning), essentially growing the DOM tree to be so large that a stack overflow is expected.
Issue 833232 has been merged into this issue.
Issue 834777 has been merged into this issue.

Project Member Comment 6 by ClusterFuzz, Apr 28 2018

Labels: OS-Mac
Status: WontFix (was: Available)
Project Member Comment 8 by ClusterFuzz, Oct 3

Labels: Needs-Feedback
ClusterFuzz testcase 5142063243591680 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Cc: kkaluri@chromium.org
Issue 910987 has been merged into this issue.