New issue
Advanced search Search tips

Issue 847779 link

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 837914
Owner: ----
Closed: Aug 9
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Mac
Pri: 3
Type: Bug



Sign in to add a comment

CHECK failure: std::numeric_limits<unsigned>::max() - data.length() >= result_length in text.cc

Project Member Reported by ClusterFuzz, May 30 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5398627263184896

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  std::numeric_limits<unsigned>::max() - data.length() >= result_length in text.cc
  blink::Text::wholeText
  blink::V8Text::wholeTextAttributeGetterCallback
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5398627263184896

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, May 30 2018

Labels: OS-Mac
Project Member

Comment 2 by ClusterFuzz, May 31 2018

Labels: OS-Linux
Cc: pnangunoori@chromium.org
Components: Blink>Layout
Labels: M-67 Test-Predator-Wrong
Owner: cjgrant@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using the code search for the file, “text.cc” assigning to concern owner from GIT blame.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/3c9d2db06dbb2c576e8c13180674e6d84fd29972

@cjgrant -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.
Thank You.

Cc: -pnangunoori@chromium.org
Owner: pnangunoori@chromium.org
This is nothing to do with our changes.  VR's text.cc is an unrelated source file.  You likely want files within third_party/blink/.

third_party/blink/renderer/core/dom/text.cc looks suspicious, but the method that failed the CHECK appears to be auto-generated.  I'm not sure how that all works.

Components: Blink>JavaScript
Labels: CF-NeedsTriage
Owner: ----
Status: Untriaged (was: Assigned)
Unable to provide possible suspect using Predator, CL and Code Search.
Could someone please look into the issue.
Thank You.

Comment 6 by e...@chromium.org, Jun 1 2018

Labels: -Pri-1 Pri-3
Status: Available (was: Untriaged)
Not a security issue and not a regression. Lowering priority.
Project Member

Comment 7 by ClusterFuzz, Jun 4 2018

Labels: OS-Android
Components: -Blink>Layout -Blink>JavaScript Blink>DOM
Had a look at the testcase. It creates a very large string (64k) and then adds 128k text nodes to the DOM. As such, it's not a JS issue, but ultimately boils down to a lack of robust OOM handling in the DOM.

Changing component and leaving as Available.
Labels: -CF-NeedsTriage Stability-Memory
Mergedinto: 837914
Status: Duplicate (was: Available)
I can't see any strong reason to fix this.

Sign in to add a comment