Issue 591938


Issue metadata

Status: WontFix
Closed: Jun 2016
OS: Windows
Pri: 2
Type: Bug-Regression




Crash in blink::LayoutTextControl::computeLogicalHeight

Project Member Reported by ClusterFuzz, Mar 4 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4599608524668928

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000008
Crash State:
  blink::LayoutTextControl::computeLogicalHeight
  blink::LayoutBox::updateLogicalHeight
  blink::LayoutBlockFlow::layoutBlockFlow
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=378866:378919

Minimized Testcase (0.46 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95esNyu5wK9jKRUDXXIwamX-zivXTVDe0rOvny_mZSR-GiQFPx7a91dRFYhHWqJOUk86oUo-XP2butEDzh0S1acDjxi9QL2CaTR4A9NBk5PgzjqFS2aay6ZAar1KGnUqfSlpCs-dBQFjA1gnN9r2NHpfOPW6w
<video id=v><script>
    // window.internals is a testing-only API exposed by content_shell; it is not available in a normal browser.
    var video = document.getElementById('v');
    var videoShadow = window.internals.shadowRoot(video);
    traverse(videoShadow);

// Walks the tree: sets a property named after each attribute on the node to 2,
// then recurses into the child nodes and into the node's shadow root (if any).
function traverse(node) {
    if (!node)
        return;
    if (node.attributes)
        Array.prototype.forEach.call(node.attributes, function (n) { node[n && n.localName] = 2; });
    // Not governed by the 'if' above: these run for every node.
    Array.prototype.forEach.call(node.childNodes, traverse);
    traverse(window.internals.shadowRoot(node));
}
</script>


Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ranjitkan@chromium.org
Components: Blink>Layout
Labels: -Pri-1 -Type-Bug findit-for-crash M-51 Te-Logged Type-Bug-Regression Pri-2
Owner: le...@chromium.org
Status: Assigned (was: Available)
Author: leviw
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b66c49fa179e76970cc9cf4500fee1f9f0ff2cb8
Time: Thu Mar 03 01:30:11 2016
Line 2372 of file LayoutBox.cpp, which potentially caused the crash, is changed in this CL (frame #5, "content_shell!blink::LayoutBox::updateLogicalHeight+0xb2").
Minimum distance from crash line to modified line: 0. (file: LayoutBox.cpp, crashed on: 2372, modified: 2372).

@leviw: Please take a look at this. Please help us reassign it if it is not related to your change.
Comment 2 by ClusterFuzz (Project Member), Mar 4 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 3 by ClusterFuzz (Project Member), Apr 1 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4556011058233344

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000008
Crash State:
  blink::LayoutTextControl::computeLogicalHeight
  blink::LayoutBox::updateLogicalHeight
  blink::LayoutBlockFlow::layoutBlockFlow
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=384213:384232

Minimized Testcase (0.56 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv949VRLES-Zmi1vBgTH9jTQrB3uIBJcMNO__bkV4z2ifZ-8eAmy-TRVun9OLFNf5V604QbvWgTcdFTw8pRbCBEaSaLxPri6QSDgCLn9mRD-SrnQuyPUUuHjVg78ET9hWaTS3YGL50DFaaCRvdCHptgEPfRlYhQ
<video id=v>
<script>
"Verify that removing a video element from the DOM does not crash.";
    // window.internals is a testing-only API exposed by content_shell; it is not available in a normal browser.
    var video = document.getElementById('v');
    var videoShadow = window.internals.shadowRoot(video);
    traverse(videoShadow);

// Walks the tree: sets a property named after each attribute on the node to 2,
// then recurses into the child nodes and into the node's shadow root (if any).
function traverse(node) {
    if (!node)
        return;
    if (node.attributes)
        Array.prototype.forEach.call(node.attributes, function (n) { node[n && n.localName] = 2; });
    // Not governed by the 'if' above: these run for every node.
    Array.prototype.forEach.call(node.childNodes, traverse);
    traverse(window.internals.shadowRoot(node));
}
// runTest is not defined in this minimized testcase (artifact left by the fuzzer's minimization).
window.onload = runTest;
</script>


Filer: pbommana

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 4 by ClusterFuzz (Project Member), Apr 2 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by e...@chromium.org, Jun 3 2016

Status: WontFix (was: Assigned)
Closing due to inability to reproduce. Even ClusterFuzz can't repro it anymore.
Comment 6 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
