Bug 43041

Summary: cross_fuzz WTF::Vector<...>::reserveCapacity DebugBreak (e59d9e1bc9ba856e181342fbfc4517c9)
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX    
Severity: Normal CC: abarth, ap, eric, jay.bhaskar, lcamtuf
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
URL: http://code.google.com/p/chromium/issues/detail?id=50206
Bug Depends on:    
Bug Blocks: 42959    
Attachments:
Description Flags
Details none

Berend-Jan Wever
Reported 2010-07-27 04:31:48 PDT
Created attachment 62680 [details] Details A new fuzzer by lcamtuf described in bug 43040 produced the attached crash. We have no repro for now. Initial analysis of the attached info indicates a request for a large amount of memory leads to OOM and the code triggers a DebugBreak to terminate the renderer. If somebody can confirm this is what happened from the attached data, then this bug can probably be closed as "Won't Fix". Otherwise, we'll have to find a repro or analyze possible code paths to find out what happened.
Attachments
Details (193.47 KB, text/html)
2010-07-27 04:31 PDT, Berend-Jan Wever 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Eric Seidel (no email)
Comment 1 2010-07-27 05:06:18 PDT
I suspect that it's possible with message ports to get a renderer to crash. http://trac.webkit.org/browser/trunk/JavaScriptCore/wtf/Vector.h#L864
Adam Barth
Comment 2 2010-08-07 14:45:33 PDT
OOM => DebugBreak. News at 11.
Note You need to log in before you can comment on or make changes to this bug.