New issue
Advanced search Search tips

Issue 875644 link

Starred by 1 user
Status: Assigned
Owner:
ice...@yandex-team.ru
Cc:
xiaoche...@chromium.org
kojii@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Stack-overflow in blink::LayoutInline::CulledInlineFirstLineBox

Project Member Reported by ClusterFuzz, Aug 19 
Detailed report: https://clusterfuzz.com/testcase?key=4931787042848768

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7fffe903dbe0
Crash State:
  blink::LayoutInline::CulledInlineFirstLineBox
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=460719:460720

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4931787042848768

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Aug 19

Components: Blink>Layout
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Aug 19

Labels: Test-Predator-Auto-Owner
Owner: ice...@yandex-team.ru
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/5e8d28b598fa533bd3c0503e59e037d63913fbde (Reland: Avoid calling strlen() where possible in base/trace_config).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by ice...@yandex-team.ru, Aug 20 

From the first glance I suppose that my commit is unrelated.
It was around base/trace_event/ and unlikely could affect the layout process in Blink.
Looks like there is an infinite recursion inside blink::LayoutInline::CulledInlineFirstLineBox() function that leads to the stack overflow.
But I can try to reproduce this according to the ClusterFuzz docs.

Comment 4 by ice...@yandex-team.ru, Aug 23

Cc: xiaoche...@chromium.org
Labels: Test-Predator-Wrong-CLs
I tried to reproduce the crash due to stack overflow and succeeded.
But when I reverted my commit [1] I still had the crash for the ClusterFuzz test case.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==966293==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7fef80 (pc 0x555584f31492 bp 0x7fffff7ff5f0 sp 0x7fffff7fef80 T0)
SCARINESS: 10 (stack-overflow)

I think that the problem is in another place.
xiaochengh@ could you give me advise what to do next with the bug, please?

[1] - https://chromium.googlesource.com/chromium/src/+/5e8d28b598fa533bd3c0503e59e037d63913fbde
Project Member

Comment 5 by ClusterFuzz, Aug 25

Labels: OS-Mac

Comment 6 by e...@chromium.org, Oct 4

Cc: kojii@chromium.org
Labels: -Pri-1 Pri-2

Sign in to add a comment