Stack-overflow in std::__1::unique_ptr<blink::FragmentData, std::__1::default_delete<blink::Fragme |
|||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4824663142957056 Fuzzer: ochang_domfuzzer Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: Stack-overflow Crash Address: 0x7ffefca1eff8 Crash State: std::__1::unique_ptr<blink::FragmentData, std::__1::default_delete<blink::Fragme Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=560084:560088 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4824663142957056 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Aug 16
This is another instance of an issue we have with fragment lists getting corrupted. I own the others and really need to look at this.
,
Aug 16
I uploaded a CL for this a while back: https://chromium-review.googlesource.com/c/chromium/src/+/1106378 - feel free to review that (I probably need to rebase it though - will do that as soon as I get a chance.)
,
Aug 16
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5375d2d54ec3ec139fb55f92427f4402ef5bafd3 commit 5375d2d54ec3ec139fb55f92427f4402ef5bafd3 Author: Fredrik Söderquist <fs@opera.com> Date: Thu Aug 16 15:20:57 2018 Avoid recursing in the FragmentData destructor Too deep recursions can cause stack overflows. Bug: 874759 Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel Change-Id: Ie532e28bceee4e7f1c3ab501b80c0e2f14be083a Reviewed-on: https://chromium-review.googlesource.com/1106378 Reviewed-by: Stephen Chenney <schenney@chromium.org> Commit-Queue: Fredrik Söderquist <fs@opera.com> Cr-Commit-Position: refs/heads/master@{#583657} [modify] https://crrev.com/5375d2d54ec3ec139fb55f92427f4402ef5bafd3/third_party/blink/renderer/core/paint/fragment_data.cc [modify] https://crrev.com/5375d2d54ec3ec139fb55f92427f4402ef5bafd3/third_party/blink/renderer/core/paint/fragment_data.h
,
Aug 17
ClusterFuzz has detected this issue as fixed in range 583654:583657. Detailed report: https://clusterfuzz.com/testcase?key=4824663142957056 Fuzzer: ochang_domfuzzer Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: Stack-overflow Crash Address: 0x7ffefca1eff8 Crash State: std::__1::unique_ptr<blink::FragmentData, std::__1::default_delete<blink::Fragme Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=560084:560088 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=583654:583657 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4824663142957056 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 17
ClusterFuzz testcase 4824663142957056 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||
►
Sign in to add a comment |
|||
Comment 1 by ClusterFuzz
, Aug 16Labels: Test-Predator-Auto-Components