Float-cast-overflow in blink::LayoutFrameSet::UpdateLayout
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5570464827834368
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::LayoutFrameSet::UpdateLayout
  blink::LayoutFrameSet::PositionFrames
  blink::LayoutFrameSet::UpdateLayout
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:563900
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5570464827834368

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Jun 29 2018
Predator has provided 11 possible suspect CLs using file name "layout_frame_set.cc"; suspecting the following CL:
https://chromium.googlesource.com/chromium/src/+/fa5f9c02ecd9b08736acdd5c724503174c2e6a88
yosin@, could you please look into this issue.
Jul 9
Route to layout-dev@ and lower to Pri-3 since it is caused by unusual HTML.
/* newvar{htmlvar00048:HTMLFrameSetElement} */
var htmlvar00048 = document.createElement("frameset"); // HTMLFrameSetElement
htmlvar00048.cols = "2147483648"; // value one past INT_MAX; this is what reaches the layout code
It seems this is caused by specifying a huge number of columns (2147483648) to <frameset>.
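Added example, not Blink's code and not the reporter's testcase: a saturating double-to-int conversion plus a simplified parser for a frameset cols list (the names SaturatingDoubleToInt and ParseFramesetLengths are hypothetical, and only plain numeric lengths are handled), showing how an attribute value such as 2147483648 can be clamped before the float-to-int cast that UBSan reports as a float-cast-overflow.

```cpp
#include <cmath>
#include <cstdlib>
#include <limits>
#include <string>
#include <vector>

// Hypothetical helper (not Blink's): convert a double to int without the
// undefined behaviour UBSan flags as "float-cast-overflow". Out-of-range
// values saturate to INT_MAX / INT_MIN and NaN maps to 0.
int SaturatingDoubleToInt(double value) {
  constexpr int kMax = std::numeric_limits<int>::max();
  constexpr int kMin = std::numeric_limits<int>::min();
  // INT_MAX (2147483647) is not exactly representable as a double, but
  // 2^31 is, so compare against that bound rather than INT_MAX itself.
  constexpr double kUpper = 2147483648.0;   // 2^31, one past INT_MAX
  constexpr double kLower = -2147483648.0;  // exactly INT_MIN
  if (std::isnan(value)) return 0;
  if (value >= kUpper) return kMax;
  if (value <= kLower) return kMin;
  return static_cast<int>(value);  // now in range, so the cast is defined
}

// Hypothetical simplified parser for a <frameset cols="..."> list of plain
// pixel lengths (e.g. "100,2147483648"). Each entry is clamped so that an
// oversized value cannot feed an out-of-range cast into layout arithmetic.
// Percent and "*" lengths are deliberately not handled here.
std::vector<int> ParseFramesetLengths(const std::string& attr) {
  std::vector<int> out;
  std::string::size_type start = 0;
  while (start <= attr.size()) {
    std::string::size_type comma = attr.find(',', start);
    if (comma == std::string::npos) comma = attr.size();
    std::string token = attr.substr(start, comma - start);
    // strtod returns a huge double or +/-inf for oversized input; saturate.
    double parsed = token.empty() ? 0.0 : std::strtod(token.c_str(), nullptr);
    out.push_back(SaturatingDoubleToInt(parsed));
    start = comma + 1;
  }
  return out;
}
```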
Jul 18

Jul 25
ClusterFuzz testcase 5570464827834368 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add the ClusterFuzz-Ignore label to prevent future bug filing with a similar crash stacktrace.
Comment 1 by ClusterFuzz, Jun 29 2018
Labels: Test-Predator-Auto-Components