43041 – cross_fuzz WTF::Vector<...>::reserveCapacity DebugBreak (e59d9e1bc9ba856e181342fbfc4517c9)

RESOLVED WONTFIX 43041

cross_fuzz WTF::Vector<...>::reserveCapacity DebugBreak (e59d9e1bc9ba856e181342fbfc4517c9)

https://bugs.webkit.org/show_bug.cgi?id=43041

Summary cross_fuzz WTF::Vector<...>::reserveCapacity DebugBreak (e59d9e1bc9ba856e1813...

Berend-Jan Wever

Reported 2010-07-27 04:31:48 PDT

Created attachment 62680 [details] Details A new fuzzer by lcamtuf described in bug 43040 produced the attached crash. We have no repro for now. Initial analysis of the attached info indicates a request for a large amount of memory leads to OOM and the code triggers a DebugBreak to terminate the renderer. If somebody can confirm this is what happened from the attached data, then this bug can probably be closed as "Won't Fix". Otherwise, we'll have to find a repro or analyze possible code paths to find out what happened.

Attachments
Details (193.47 KB, text/html) 2010-07-27 04:31 PDT, Berend-Jan Wever	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Eric Seidel (no email)

Comment 1 2010-07-27 05:06:18 PDT

I suspect that it's possible with message ports to get a renderer to crash. http://trac.webkit.org/browser/trunk/JavaScriptCore/wtf/Vector.h#L864

Adam Barth

Comment 2 2010-08-07 14:45:33 PDT

OOM => DebugBreak. News at 11.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution WONTFIX

Priority P1

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware PC

OS Windows Vista

Product WebKit

Component DOM

Assignee

Nobody

Reported

2010-07-27 04:31 PDT

Modified

2014-03-02 04:17 PST History

CC List

5 users Show

URL

http://code.google.com/p/chromium/issues/detail?id=50206

Keywords

Depends on

Blocks

42959

Dependencies

tree graph