43041 – cross_fuzz WTF::Vector<...>::reserveCapacity DebugBreak (e59d9e1bc9ba856e181342fbfc4517c9)

Bug 43041 - cross_fuzz WTF::Vector<...>::reserveCapacity DebugBreak (e59d9e1bc9ba856e181342fbfc4517c9)

Summary: cross_fuzz WTF::Vector<...>::reserveCapacity DebugBreak (e59d9e1bc9ba856e1813...

Status:	RESOLVED WONTFIX

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	DOM (show other bugs)
Version:	528+ (Nightly build)
Hardware:	PC Windows Vista

Importance:	P1 Normal
Assignee:	Nobody

URL:	http://code.google.com/p/chromium/iss...
Keywords:

Depends on:
Blocks:	42959
	Show dependency tree / graph

Reported:	2010-07-27 04:31 PDT by Berend-Jan Wever
Modified:	2014-03-02 04:17 PST (History)
CC List:	5 users (show)

See Also:

Attachments
Details (193.47 KB, text/html) 2010-07-27 04:31 PDT, Berend-Jan Wever	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Berend-Jan Wever 2010-07-27 04:31:48 PDT

Created attachment 62680 [details]
Details

A new fuzzer by lcamtuf described in bug 43040 produced the attached crash. We have no repro for now. Initial analysis of the attached info indicates a request for a large amount of memory leads to OOM and the code triggers a DebugBreak to terminate the renderer. If somebody can confirm this is what happened from the attached data, then this bug can probably be closed as "Won't Fix".

Otherwise, we'll have to find a repro or analyze possible code paths to find out what happened.

Comment 1 Eric Seidel (no email) 2010-07-27 05:06:18 PDT

I suspect that it's possible with message ports to get a renderer to crash.
http://trac.webkit.org/browser/trunk/JavaScriptCore/wtf/Vector.h#L864

Comment 2 Adam Barth 2010-08-07 14:45:33 PDT

OOM => DebugBreak.  News at 11.