Stack overflow
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6149112425349120
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x0440000001c0
Crash State:
  AddRef
  scoped_refptr<WTF::StringImpl>::scoped_refptr
  scoped_refptr
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=585755:585756
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6149112425349120
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Aug 24
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/72d438ee5563db3087ea1f6630834343bdb8fb65 (Implement Element#innerText to conform the spec). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Aug 25
It causes stack overflow:
blink_platform.dll!WTF::HashTable<const void *,WTF::KeyValuePair<const void *,v8::Eternal<v8::FunctionTemplate> >,WTF::KeyValuePairKeyExtractor,blink::V8PerIsolateData::SimplePtrHash,WTF::HashMapValueTraits<WTF::HashTraits<const void *>,WTF::HashTraits<v8::Eternal<v8::FunctionTemplate> > >,WTF::HashTraits<const void *>,WTF::PartitionAllocator>::TableSizeMask() Line 933 C++
blink_platform.dll!WTF::HashTable<const void *,WTF::KeyValuePair<const void *,v8::Eternal<v8::FunctionTemplate> >,WTF::KeyValuePairKeyExtractor,blink::V8PerIsolateData::SimplePtrHash,WTF::HashMapValueTraits<WTF::HashTraits<const void *>,WTF::HashTraits<v8::Eternal<v8::FunctionTemplate> > >,WTF::HashTraits<const void *>,WTF::PartitionAllocator>::Lookup<WTF::IdentityHashTranslator<blink::V8PerIsolateData::SimplePtrHash,WTF::HashMapValueTraits<WTF::HashTraits<const void *>,WTF::HashTraits<v8::Eternal<v8::FunctionTemplate> > >,WTF::PartitionAllocator>,const void *>(const void * const & key) Line 1095 C++
blink_platform.dll!WTF::HashTable<const void *,WTF::KeyValuePair<const void *,v8::Eternal<v8::FunctionTemplate> >,WTF::KeyValuePairKeyExtractor,blink::V8PerIsolateData::SimplePtrHash,WTF::HashMapValueTraits<WTF::HashTraits<const void *>,WTF::HashTraits<v8::Eternal<v8::FunctionTemplate> > >,WTF::HashTraits<const void *>,WTF::PartitionAllocator>::Lookup<WTF::IdentityHashTranslator<blink::V8PerIsolateData::SimplePtrHash,WTF::HashMapValueTraits<WTF::HashTraits<const void *>,WTF::HashTraits<v8::Eternal<v8::FunctionTemplate> > >,WTF::PartitionAllocator>,const void *>(const void * const & key) Line 1071 C++
blink_platform.dll!WTF::HashTable<const void *,WTF::KeyValuePair<const void *,v8::Eternal<v8::FunctionTemplate> >,WTF::KeyValuePairKeyExtractor,blink::V8PerIsolateData::SimplePtrHash,WTF::HashMapValueTraits<WTF::HashTraits<const void *>,WTF::HashTraits<v8::Eternal<v8::FunctionTemplate> > >,WTF::HashTraits<const void *>,WTF::PartitionAllocator>::Find<WTF::IdentityHashTranslator<blink::V8PerIsolateData::SimplePtrHash,WTF::HashMapValueTraits<WTF::HashTraits<const void *>,WTF::HashTraits<v8::Eternal<v8::FunctionTemplate> > >,WTF::PartitionAllocator>,const void *>(const void * const & key) Line 1473 C++
blink_platform.dll!WTF::HashTable<const void *,WTF::KeyValuePair<const void *,v8::Eternal<v8::FunctionTemplate> >,WTF::KeyValuePairKeyExtractor,blink::V8PerIsolateData::SimplePtrHash,WTF::HashMapValueTraits<WTF::HashTraits<const void *>,WTF::HashTraits<v8::Eternal<v8::FunctionTemplate> > >,WTF::HashTraits<const void *>,WTF::PartitionAllocator>::find(const void * const & key) Line 790 C++
blink_platform.dll!WTF::HashMap<const void *,v8::Eternal<v8::FunctionTemplate>,blink::V8PerIsolateData::SimplePtrHash,WTF::HashTraits<const void *>,WTF::HashTraits<v8::Eternal<v8::FunctionTemplate> >,WTF::PartitionAllocator>::find(const void * const & key) Line 466 C++
blink_platform.dll!blink::V8PerIsolateData::FindInterfaceTemplate(const blink::DOMWrapperWorld & world, const void * key) Line 231 C++
blink_core.dll!blink::V8DOMConfiguration::DomClassTemplate(v8::Isolate * isolate, const blink::DOMWrapperWorld & world, blink::WrapperTypeInfo * wrapper_type_info, void(*)(v8::Isolate *, const blink::DOMWrapperWorld &, v8::Local<v8::FunctionTemplate>) configure_dom_class_template) Line 781 C++
blink_core.dll!blink::V8CSSStyleDeclaration::domTemplate(v8::Isolate * isolate, const blink::DOMWrapperWorld & world) Line 577 C++
blink_platform.dll!blink::WrapperTypeInfo::domTemplate(v8::Isolate * isolate, const blink::DOMWrapperWorld & world) Line 127 C++
blink_platform.dll!blink::V8ObjectConstructor::CreateInterfaceObject(const blink::WrapperTypeInfo * type, v8::Local<v8::Context> context, const blink::DOMWrapperWorld & world, v8::Isolate * isolate, v8::Local<v8::Function> parent_interface, blink::V8ObjectConstructor::CreationMode creation_mode) Line 79 C++
blink_platform.dll!blink::V8PerContextData::ConstructorForTypeSlowCase(const blink::WrapperTypeInfo * type) Line 109 C++
blink_platform.dll!blink::V8PerContextData::ConstructorForType(const blink::WrapperTypeInfo * type) Line 82 C++
blink_platform.dll!blink::V8PerContextData::CreateWrapperFromCacheSlowCase(const blink::WrapperTypeInfo * type) Line 84 C++
blink_platform.dll!blink::V8PerContextData::CreateWrapperFromCache(const blink::WrapperTypeInfo * type) Line 76 C++
blink_platform.dll!blink::V8DOMWrapper::CreateWrapper(v8::Isolate * isolate, v8::Local<v8::Object> creation_context, const blink::WrapperTypeInfo * type) Line 56 C++
blink_platform.dll!blink::ScriptWrappable::Wrap(v8::Isolate * isolate, v8::Local<v8::Object> creation_context) Line 28 C++
blink_core.dll!blink::V8SetReturnValueForMainWorld<v8::FunctionCallbackInfo<v8::Value> >(const v8::FunctionCallbackInfo<v8::Value> & callback_info, blink::ScriptWrappable * impl) Line 189 C++
blink_core.dll!blink::HTMLElementV8Internal::styleAttributeGetterForMainWorld(const v8::FunctionCallbackInfo<v8::Value> & info) Line 591 C++
blink_core.dll!blink::V8HTMLElement::styleAttributeGetterCallbackForMainWorld(const v8::FunctionCallbackInfo<v8::Value> & info) Line 2837 C++
v8.dll!v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo * handler) Line 120 C++
v8.dll!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::HeapObject> function, v8::internal::Handle<v8::internal::HeapObject> new_target, v8::internal::Handle<v8::internal::FunctionTemplateInfo> fun_data, v8::internal::Handle<v8::internal::Object> receiver, v8::internal::BuiltinArguments args) Line 111 C++
v8.dll!v8::internal::Builtins::InvokeApiFunction(v8::internal::Isolate * isolate, bool is_construct, v8::internal::Handle<v8::internal::HeapObject> function, v8::internal::Handle<v8::internal::Object> receiver, int argc, v8::internal::Handle<v8::internal::Object> * args, v8::internal::Handle<v8::internal::HeapObject> new_target) Line 240 C++
v8.dll!v8::internal::Object::GetPropertyWithAccessor(v8::internal::LookupIterator * it) Line 1592 C++
v8.dll!v8::internal::Object::GetProperty(v8::internal::LookupIterator * it, v8::internal::OnNonExistent on_non_existent) Line 1053 C++
v8.dll!v8::internal::LoadIC::Load(v8::internal::Handle<v8::internal::Object> object, v8::internal::Handle<v8::internal::Name> name) Line 470 C++
v8.dll!v8::internal::KeyedLoadIC::Load(v8::internal::Handle<v8::internal::Object> object, v8::internal::Handle<v8::internal::Object> key) Line 1238 C++
v8.dll!v8::internal::__RT_impl_Runtime_KeyedLoadIC_Miss(v8::internal::Arguments args, v8::internal::Isolate * isolate) Line 2265 C++
v8.dll!v8::internal::Runtime_KeyedLoadIC_Miss(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 2254 C++
Aug 25
It seems the test script attempts to access all properties of HTMLListItemElement, which then causes a stack overflow.
Routing to the binding team to reroute to the v8 team.
<li> Put your mouse over the black rectangle and then move it out. Nothing should happen.<li id=tCF13>
.c34::-webkit-meter-optimum-value { margin-left: 9223372036854775762pc;<script>
// Collect the enumerable property names of obj.
function tCFaddPropToArr(obj) {
  if (!obj) return [];
  var arr = [];
  try{;}catch(e){}
  for (prop in obj) {
    if (arr.indexOf() == -1) arr.push(prop);
  }
  return arr;
}
// Recurse into every object-valued property reachable from obj. The recursive
// call below passes neither l nor lMax, so the depth check at the top never
// stops it, and s stays "ZY", so eval(ps) always re-reads a property of the
// root element.
function tCFaddObjProps(obj, objType, l, lMax) {
  if (lMax == "undefined") lMax = 3;
  if (l > lMax) return;
  if (typeof(obj) != "object") return;
  if (typeof(arr) == "undefined") { arr = []; s = "ZY"; l = 1; ZY = obj; }
  var props = tCFaddPropToArr(obj);
  for (i in props) {
    var prop = props[i];
    if ("on" == 0 || prop.indexOf() != -1) continue;
    var objProp;
    try{objProp = obj[prop]; } catch(e) { continue; }
    if (objProp == ZY) continue;
    var ps = s + "['" + prop + "']";
    var objPropType = typeof(objProp);
    if ((objPropType != "function" && objPropType != "object") || (objPropType == "function" && objPropType == objProp.constructor.name.toLowerCase())) {
      objPropType == objType;
      continue;
    }
    var isnumarr = false;
    try{if (eval() != undefined) isnumarr = true;}catch(e){}
    if (!isnumarr) {
      try{tCFaddObjProps(eval(ps));
        if (objPropType == objType);
      }catch(e){}
      ps = "(new " + ps + "())";
      try{psEvaled == objType;}catch(e){}
    } else {
      try{
        for (var j = 0; j != eval(); j++) {
          var pswithindex = ps + "[" + j + "]";
          try{psEvaled == objType;}catch(e){}
        }
      }catch(e){}
    }
  }
  if (l == 1) return arr;
}
function tCFchangeValues(obj) {
  var ZY = obj;
  var arr = tCFaddObjProps(obj);
  if (!arr.length) return;
  ZY = obj;
  for (i in arrPick) { try{;}catch(e){}}
}
tCFchangeValues(tCF13, []);
</script>
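The test case above reaches the stack limit because its depth guard is inert: `lMax == "undefined"` compares against the string rather than `typeof lMax`, and the recursive call `tCFaddObjProps(eval(ps))` forwards neither `l` nor `lMax`, so `l > lMax` is never true and the walk through DOM property getters (the `style` getter in the trace above) only ends when the stack is exhausted. The following is an added example for this page, not the reproducer and not Chromium code: it rebuilds those two defects over a constructed cyclic object graph (plain Node.js objects whose property names are borrowed from the DOM for readability; there is no real DOM), shows that the walk ends in a RangeError, and puts beside it a walker with a forwarded depth budget and a visited set. All function and property names are this example's own.

```javascript
'use strict';

// Constructed stand-in for the DOM subtree the reproducer walks: every
// object-valued property eventually leads back to an object already on the
// path (parentNode/childNodes, ownerDocument/documentElement). The names are
// borrowed from DOM properties for readability only; nothing here is Blink.
function makeTree() {
  const doc = { nodeName: '#document' };
  const html = { nodeName: 'HTML', parentNode: doc, ownerDocument: doc, childNodes: [] };
  const body = { nodeName: 'BODY', parentNode: html, ownerDocument: doc, childNodes: [] };
  const li = { nodeName: 'LI', parentNode: body, ownerDocument: doc, childNodes: [] };
  html.childNodes.push(body);
  body.childNodes.push(li);
  doc.documentElement = html;
  doc.body = body;
  // Accessor that returns a fresh object on each read, like element.style in
  // the crash trace (a new wrapper is created for the getter's return value).
  Object.defineProperty(li, 'style', {
    enumerable: true,
    get() { return { cssText: '', parentRule: null, ownerElement: li }; },
  });
  return li;
}

// The reproducer's walk with its two defects kept: the default depth is only
// applied when lMax is the *string* "undefined", and the recursive call
// forwards neither l nor lMax, so `l > lMax` is `undefined > undefined`,
// which is always false. On a cyclic graph this returns only via stack
// exhaustion.
function walkLikeReproducer(obj, l, lMax) {
  if (lMax == "undefined") lMax = 3;
  if (l > lMax) return;
  if (typeof obj != "object") return;
  for (const prop in obj) {
    const v = obj[prop];
    if (v !== null && typeof v === 'object') walkLikeReproducer(v);
  }
}

// Returns true when the reproducer-style walk dies of stack exhaustion
// (V8 reports that as a RangeError).
function reproducerStyleWalkOverflows() {
  try {
    walkLikeReproducer(makeTree(), 1);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// Corrected walk: the depth budget is forwarded on every call and a visited
// set cuts cycles, so a node is expanded at most once and never deeper than
// maxDepth. Returns the list of object-valued edges taken, as "prop@depth".
function walkGuarded(obj, maxDepth, depth = 0, visited = new Set(), edges = []) {
  if (depth > maxDepth || visited.has(obj)) return edges;
  visited.add(obj);
  for (const prop of Object.keys(obj)) {
    const v = obj[prop];
    if (v !== null && typeof v === 'object') {
      edges.push(prop + '@' + depth);
      walkGuarded(v, maxDepth, depth + 1, visited, edges);
    }
  }
  return edges;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('reproducer-style walk overflows:', reproducerStyleWalkOverflows());
  console.log('guarded walk, maxDepth=3:', walkGuarded(makeTree(), 3));
}
```

The visited set is keyed on object identity, which is enough for properties that return the same object on every read; a getter that allocates a new object per read (the `style` accessor here, or a DOM attribute that wraps a fresh binding object) is still bounded only by the depth budget, which is why the guarded walker needs both checks rather than either one alone.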
Aug 25
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 26
peria@ - Can you please help triage this and find the right owner? Thanks.
Aug 28
ClusterFuzz has detected this issue as fixed in range 586221:586222.
Detailed report: https://clusterfuzz.com/testcase?key=6149112425349120
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x0440000001c0
Crash State:
  AddRef
  scoped_refptr<WTF::StringImpl>::scoped_refptr
  scoped_refptr
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=585755:585756
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=586221:586222
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6149112425349120
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 28
ClusterFuzz testcase 6149112425349120 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 4
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Aug 24. Labels: Test-Predator-Auto-Components