Bug 43041 - cross_fuzz WTF::Vector<...>::reserveCapacity DebugBreak (e59d9e1bc9ba856e181342fbfc4517c9)
Summary: cross_fuzz WTF::Vector<...>::reserveCapacity DebugBreak (e59d9e1bc9ba856e1813...
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
: P1 Normal
Assignee: Nobody
URL: http://code.google.com/p/chromium/iss...
Depends on:
Blocks: 42959
  Show dependency treegraph
Reported: 2010-07-27 04:31 PDT by Berend-Jan Wever
Modified: 2014-03-02 04:17 PST (History)
5 users (show)

See Also:

Details (193.47 KB, text/html)
2010-07-27 04:31 PDT, Berend-Jan Wever
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2010-07-27 04:31:48 PDT
Created attachment 62680 [details]

A new fuzzer by lcamtuf described in bug 43040 produced the attached crash. We have no repro for now. Initial analysis of the attached info indicates a request for a large amount of memory leads to OOM and the code triggers a DebugBreak to terminate the renderer. If somebody can confirm this is what happened from the attached data, then this bug can probably be closed as "Won't Fix".

Otherwise, we'll have to find a repro or analyze possible code paths to find out what happened.
Comment 1 Eric Seidel (no email) 2010-07-27 05:06:18 PDT
I suspect that it's possible with message ports to get a renderer to crash.
Comment 2 Adam Barth 2010-08-07 14:45:33 PDT
OOM => DebugBreak.  News at 11.