
Issue 814841 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 3
Type: Bug




Stack-overflow in blink::ContainerNode::CloneChildNodesFrom

Project Member Reported by ClusterFuzz, Feb 22 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4825089825308672

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Stack-overflow
Crash Address: 0x7fff5a2a7f40
Crash State:
  blink::ContainerNode::CloneChildNodesFrom
  blink::Element::Clone
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=490925:490938

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4825089825308672

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Feb 22 2018

Components: Blink>DOM
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Feb 22 2018

Labels: Test-Predator-Auto-Owner
Owner: tzik@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/9e85ee1cea952f860819b785da9b6fbd565e8dd8 (Convert WTF::Function to a value-semantics object).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by tzik@chromium.org, Feb 23 2018

Labels: Test-Predator-Wrong-CLs
Owner: ----
Status: Untriaged (was: Assigned)

Comment 4 by rakina@chromium.org, Feb 26 2018

Labels: -Pri-1 Pri-3
Status: Available (was: Untriaged)
It seems that the stack overflow is caused by cloning nodes each time a DOMNodeRemoved event is fired, which will fire the DOMNodeLoaded event. The DOMNodeLoaded event listeners removed some nodes, which makes the DOMNodeRemoved event fire again, essentially growing the DOM tree to be so large that a stack overflow is expected. I'm not 100% sure though.
Cc: brajkumar@chromium.org
Issue 815403 has been merged into this issue.
Project Member

Comment 6 by ClusterFuzz, Mar 6 2018

Labels: OS-Linux
Project Member

Comment 7 by ClusterFuzz, Apr 1 2018

Status: WontFix (was: Available)
ClusterFuzz testcase 4825089825308672 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 8 by ClusterFuzz, Apr 8 2018

Labels: Needs-Feedback
ClusterFuzz testcase 4796822498050048 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
