Bug 43041

Summary: cross_fuzz WTF::Vector<...>::reserveCapacity DebugBreak (e59d9e1bc9ba856e181342fbfc4517c9)
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX    
Severity: Normal CC: abarth, ap, eric, jay.bhaskar, lcamtuf
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
URL: http://code.google.com/p/chromium/issues/detail?id=50206
Bug Depends on:    
Bug Blocks: 42959    
Attachments:
Description Flags
Details none

Description Berend-Jan Wever 2010-07-27 04:31:48 PDT 
Created attachment 62680 [details]
Details

A new fuzzer by lcamtuf described in bug 43040 produced the attached crash. We have no repro for now. Initial analysis of the attached info indicates a request for a large amount of memory leads to OOM and the code triggers a DebugBreak to terminate the renderer. If somebody can confirm this is what happened from the attached data, then this bug can probably be closed as "Won't Fix".

Otherwise, we'll have to find a repro or analyze possible code paths to find out what happened.
Comment 1 Eric Seidel (no email) 2010-07-27 05:06:18 PDT 
I suspect that it's possible with message ports to get a renderer to crash.
http://trac.webkit.org/browser/trunk/JavaScriptCore/wtf/Vector.h#L864
Comment 2 Adam Barth 2010-08-07 14:45:33 PDT 
OOM => DebugBreak.  News at 11.