CHECK failure: std::numeric_limits<unsigned>::max() - data.length() >= result_length in text.cc |
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5398627263184896
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  std::numeric_limits<unsigned>::max() - data.length() >= result_length in text.cc
  blink::Text::wholeText
  blink::V8Text::wholeTextAttributeGetterCallback
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5398627263184896
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
May 31 2018
May 31 2018
Predator and CL could not provide any possible suspects. Using code search for the file “text.cc”, assigning to the concerned owner from git blame. Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/3c9d2db06dbb2c576e8c13180674e6d84fd29972 @cjgrant -- could you please look into this issue, and kindly reassign if it has nothing to do with your changes. Thank you.
May 31 2018
This is nothing to do with our changes. VR's text.cc is an unrelated source file. You likely want files within third_party/blink/. third_party/blink/renderer/core/dom/text.cc looks suspicious, but the method that failed the CHECK appears to be auto-generated. I'm not sure how that all works.
Jun 1 2018
Unable to provide a possible suspect using Predator, CL and Code Search. Could someone please look into the issue? Thank you.
Jun 1 2018
Not a security issue and not a regression. Lowering priority.
Jun 4 2018
Aug 9
Had a look at the testcase. It creates a very large string (64k) and then adds 128k text nodes to the DOM. As such, it's not a JS issue, but ultimately boils down to a lack of robust OOM handling in the DOM. Changing component and leaving as Available.
Aug 9
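Added example, not code from Chromium or from this thread: it models the length accounting behind the CHECK in the crash state. wholeText concatenates the data of all adjacent Text siblings, and the CHECK refuses to let the running total overflow the 32-bit unsigned length, so the DOM built by the testcase (assumed here as 65536 characters per node and 131072 nodes, from the comment above) trips it. The function below reports the overflow to the caller instead of aborting.

```cpp
#include <cstdio>
#include <limits>
#include <vector>

// Overflow-safe sum of sibling text-node lengths, in the same form as the
// CHECK in text.cc: subtract from the maximum first, never add and compare.
// Returns false (and leaves *out untouched) when the total would not fit in
// `unsigned`, which is the condition the CHECK turns into a crash.
bool WholeTextLength(const std::vector<unsigned>& node_lengths, unsigned* out) {
  unsigned result_length = 0;
  for (unsigned data_length : node_lengths) {
    if (std::numeric_limits<unsigned>::max() - data_length < result_length)
      return false;  // adding data_length would wrap around
    result_length += data_length;
  }
  *out = result_length;
  return true;
}

// Constructed input shaped like the fuzzer testcase described in the thread
// (assumed sizes): 131072 nodes of 65536 characters each, 2^33 in total.
std::vector<unsigned> FuzzerLikeInput() {
  return std::vector<unsigned>(131072, 65536);
}

int main() {
  unsigned len = 0;
  bool ok = WholeTextLength({10, 20, 30}, &len);
  std::printf("three small nodes: %s, length %u\n", ok ? "fits" : "overflow", len);
  ok = WholeTextLength(FuzzerLikeInput(), &len);
  std::printf("fuzzer-like input: %s\n", ok ? "fits" : "overflow");
  return 0;
}
```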
Aug 9
Comment 1 by ClusterFuzz, May 30 2018