Stack-overflow in blink::Element::Clone |
|||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5142063243591680 Fuzzer: inferno_layout_test_unmodified Job Type: linux_lsan_chrome_mp Platform Id: linux Crash Type: Stack-overflow Crash Address: 0x7ffcb4870fb8 Crash State: blink::Element::Clone blink::ContainerNode::CloneChildNodesFrom CloneElementWithChildren Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=144946:145047 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5142063243591680 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Feb 26 2018
It seems that the stack overflow is caused by cloning nodes each time a DOMNodeInserted event is fired (and DOMNodeInserted will fire again after cloning), essentially growing the DOM tree to be so large and stack overflow is expected.
,
Mar 8 2018
,
Apr 16 2018
Issue 833232 has been merged into this issue.
,
Apr 20 2018
Issue 834777 has been merged into this issue.
,
Apr 28 2018
,
Sep 26
,
Oct 3
ClusterFuzz testcase 5142063243591680 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
,
Dec 3
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 by brajkumar@chromium.org
, Feb 23 2018Components: Blink>DOM
Labels: M-65 Test-Predator-Wrong CF-NeedsTriage