New issue
Advanced search Search tips

Issue 900493 link

Starred by 1 user
Status: Fixed
Owner:
xidac...@chromium.org
Closed: Oct 31
Cc:
iclell...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Float-cast-overflow in blink::CSSFontVariationSettingsInterpolationType::ApplyStandardPropertyValue

Project Member Reported by ClusterFuzz, Oct 31 
Detailed report: https://clusterfuzz.com/testcase?key=5652715374641152

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::CSSFontVariationSettingsInterpolationType::ApplyStandardPropertyValue
  blink::CSSInterpolationType::Apply
  blink::TransitionInterpolation::Apply
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:563900

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5652715374641152

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Oct 31

Components: Blink>Animation
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Oct 31

Cc: iclell...@chromium.org futhark@chromium.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

Disable non-composited animations via feature policy by iclelland@chromium.org - https://chromium.googlesource.com/chromium/src/+/9831ecc703d4316100735d9ed9a86702d3a34652

[Squad] style_ in StyleResolverState is always mutable. by futhark@chromium.org - https://chromium.googlesource.com/chromium/src/+/f1b06666866a207acc3a263a83f787267b56ad05

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.

Comment 3 by futhark@chromium.org, Oct 31

Cc: -futhark@chromium.org
My change is just method naming and constness.

Comment 4 by xidac...@chromium.org, Oct 31

Owner: xidac...@chromium.org
Status: Assigned (was: Untriaged)
a static_cast would likely fix this. I will take it.

Comment 5 by xidac...@chromium.org, Oct 31

Labels: Stability-Crash
Project Member

Comment 6 by bugdroid1@chromium.org, Oct 31 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/de932e6ecf32f21a5b4859bd770872cd90576fce

commit de932e6ecf32f21a5b4859bd770872cd90576fce
Author: Xida Chen <xidachen@chromium.org>
Date: Wed Oct 31 16:40:46 2018

[Code health] Do static_cast in ApplyStandardPropertyValue

Currently at ApplyStandardPropertyValue, we give a double to
FontVariationAxis which is supposed to take a float, and this could cause
float-cast-overflow in corner cases.

This CL does static_cast on the double value before given that to the
FontVariationAxis.

Bug:  900493 
Change-Id: Ia4cc4b97bd81296ea1721affead42a2f482b58c0
Reviewed-on: https://chromium-review.googlesource.com/c/1309879
Reviewed-by: Stephen McGruer <smcgruer@chromium.org>
Commit-Queue: Xida Chen <xidachen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#604292}
[modify] https://crrev.com/de932e6ecf32f21a5b4859bd770872cd90576fce/third_party/blink/renderer/core/animation/css_font_variation_settings_interpolation_type.cc

Comment 7 by xidac...@chromium.org, Oct 31

Status: Fixed (was: Assigned)
Project Member

Comment 8 by ClusterFuzz, Nov 7

Labels: Needs-Feedback
ClusterFuzz testcase 5652715374641152 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

Sign in to add a comment