Float-cast-overflow in blink::LocalDOMWindow::scrollTo |
||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5381356495044608 Fuzzer: inferno_twister_c Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Float-cast-overflow Crash Address: Crash State: blink::LocalDOMWindow::scrollTo blink::DOMWindowV8Internal::scrollTo1Method v8::internal::FunctionCallbackArguments::Call Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=552707:552711 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5381356495044608 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jun 11 2018
to on-duty sheriff for further investigation.
,
Jun 11 2018
Sorry for not triaging further last week, this was on my list for today. I tried to reproduce on a local build (with the gn args from clusterfuzz), but failed.
,
Jun 12 2018
Had a look at the repro testcase. It is passing a very large number to the scrollTo() function. It looks like there is no input validation for very large floating point numbers here. As such, this is not a V8 bug, so setting component and marking available.
,
Jul 18
Issue 860843 has been merged into this issue.
,
Jul 18
,
Jul 21
ClusterFuzz testcase 4861282310946816 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jul 28
ClusterFuzz testcase 5381356495044608 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace. |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by ClusterFuzz
, Jun 3 2018Labels: Test-Predator-Auto-Components