Issue 837914

Issue metadata

Status: WontFix
Owner: ----
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Mac
Pri: 1
Type: Bug


CHECK failure: std::numeric_limits<unsigned>::max() - data.length() >= result_length in text.cc

Project Member Reported by ClusterFuzz, Apr 28 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5894015254528000

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: CHECK failure
Crash Address: 
Crash State:
  std::numeric_limits<unsigned>::max() - data.length() >= result_length in text.cc
  blink::Text::wholeText
  blink::V8Text::wholeTextAttributeGetterCallback
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=476918:476985

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5894015254528000

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Apr 28 2018

Labels: OS-Windows OS-Linux
Cc: pnangunoori@chromium.org
Components: Blink>JavaScript
Labels: M-67 Test-Predator-Wrong
Components: -Blink>JavaScript Blink>DOM
This is a DOM issue: The Text::wholeText method tries to generate a string larger than 4GB, which hits a DCHECK.

Excerpt from the reproducer ("str" will have length 2^16, and is added 2^16+1 times):

var str="z";
// Double the string 16 times, giving a length of 2^16 characters.
for (var i = 0; i < 16; i++) {
    str += str;
}
// Append 2^16+1 sibling text nodes of 2^16 characters each, so the wholeText
// of any one of them would need 2^32 + 2^16 characters.
// styleElement is defined earlier in the reproducer (not shown in this excerpt).
for (var i = 0; i < 1+(1<<16); i++){
    var txt = document.createTextNode(str);
    styleElement.appendChild(txt);
}
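The guard in the crash state checks headroom before each addition rather than letting a 32-bit length wrap. The following is an added illustration, not Blink's code: it sums the lengths of adjacent text nodes the way a wholeText-style concatenation would, refusing (instead of CHECK-failing) when the total would exceed what an unsigned 32-bit length can hold, and reproduces the arithmetic of the testcase above. The function names and the vector-of-lengths input are assumptions made for this example.

```cpp
#include <cstdint>
#include <limits>
#include <vector>

// Added example (not Blink's code). Sums the lengths of adjacent text nodes as
// a wholeText-style concatenation would, but returns false instead of wrapping
// when the running total would exceed the 32-bit length limit.
// On success writes the total into *out and returns true.
bool SumTextLengths(const std::vector<uint32_t>& node_lengths, uint32_t* out) {
  const uint32_t kMax = std::numeric_limits<uint32_t>::max();
  uint32_t result_length = 0;
  for (uint32_t len : node_lengths) {
    // Same shape as the guard in the crash state:
    // require kMax - data.length() >= result_length before adding.
    if (kMax - len < result_length)
      return false;  // next node would push the total past 2^32 - 1
    result_length += len;
  }
  *out = result_length;
  return true;
}

// Mirrors the reproducer: 2^16 + 1 sibling text nodes of 2^16 characters each,
// i.e. 2^32 + 2^16 characters in total, which a uint32_t cannot represent.
// Returns true when the overflow is detected (the expected outcome).
bool ReproducerOverflows() {
  const uint32_t kChunk = 1u << 16;
  const std::vector<uint32_t> lengths((1u << 16) + 1, kChunk);
  uint32_t total = 0;
  return !SumTextLengths(lengths, &total);
}
```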

Status: WontFix (was: Untriaged)
This actually hits a CHECK_GE, not a DCHECK, so Chrome will exit even in production versions. So there is no risk of overflow etc. Marking this as won't fix since we don't want to spend effort on making this work for blocks of text > 4GB.
Project Member

Comment 5 by ClusterFuzz, May 9 2018

Labels: OS-Android
Project Member

Comment 6 by ClusterFuzz, May 15 2018

Labels: Needs-Feedback
ClusterFuzz testcase 5894015254528000 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Issue 845740 has been merged into this issue.
Issue 846011 has been merged into this issue.
Issue 847000 has been merged into this issue.
Issue 847779 has been merged into this issue.
Cc: gyuyo...@igalia.com
Issue 872730 has been merged into this issue.
Issue 873451 has been merged into this issue.
Project Member

Comment 13 by ClusterFuzz, Aug 13

Components: Blink>JavaScript
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
