
Issue 861592 link


Issue metadata

Status: Assigned
OS: Linux , Mac
Pri: 1
Type: Bug


CHECK failure: count <= MaxElementCountInBackingStore<T>() in partition_allocator.h

Reported by ClusterFuzz (Project Member), Jul 8

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6371656742993920

Fuzzer: inferno_twister
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: CHECK failure
Crash Address: 
Crash State:
  count <= MaxElementCountInBackingStore<T>() in partition_allocator.h
  blink::FontFace::InitCSSFontFace
  blink::FontFace::Create
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=570383:570387

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6371656742993920

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: kkaluri@chromium.org
Components: Blink>Network
Labels: M-69 Test-Predator-Wrong CF-NeedsTriage
Unable to find the actual suspect through code search, and also observing no CLs in the regression range, hence adding the appropriate label and requesting someone from the dev team to look into this issue.

Thanks!
Components: -Blink>Network Blink>Loader

Comment 3 by ClusterFuzz (Project Member), Jul 27

Labels: OS-Linux
Owner: fmalita@chromium.org
Status: Assigned (was: Untriaged)
The minimized testcase is exactly the same as bug 474899:

<script>
var face3 = new FontFace('FontFromEmptyArrayBuffer', new ArrayBuffer(4294967295));
</script>

CHECK failure is inside the SharedBuffer constructor, so http://crrev.com/c/1113661 may be related.

fmalita@, would you take a look?
Labels: -M-69 -CF-NeedsTriage M-71 M-70
Gentle Ping!
