Suspected CLs	No CL in the regression range changes the crashed files. The result is the blame information.

Author: chrishtr@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/73fb2b6d4cc0669c6d606b79d38e37ed7988c041
Time: Thu May 08 22:18:10 2014
The CL last changed line 2107 of file CompositedLayerMapping.cpp, which is stack frame 0.

Author: chrishtr@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/3a1e29e8c191570773b452e5dde2d8cb2cf07804
Time: Tue May 20 22:20:15 2014
The CL last changed line 676 of file CompositedLayerMapping.cpp, which is stack frame 1.

Author: chrishtr@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/56263f18af36065eb5c70b601cdfd65650728d14
Time: Thu Jun 19 00:22:47 2014
The CL last changed line 722 of file CompositedLayerMapping.cpp, which is stack frame 2.

Author: vollick@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/5c71784f502e13a7bdcf7f421d3061d5b661562d
Time: Sat Jul 26 05:14:17 2014
The CL last changed line 101 of file GraphicsLayerUpdater.cpp, which is stack frame 3.

Author: abarth@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/dc46981faf924c3fbecf6aaffede85559364d3a9
Time: Tue Jun 24 20:03:35 2014
The CL last changed line 111 of file GraphicsLayerUpdater.cpp, which is stack frame 4.

Author: abarth@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/dc46981faf924c3fbecf6aaffede85559364d3a9
Time: Tue Jun 24 20:03:35 2014
The CL last changed line 111 of file GraphicsLayerUpdater.cpp, which is stack frame 5.

Author: abarth@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/dc46981faf924c3fbecf6aaffede85559364d3a9
Time: Tue Jun 24 20:03:35 2014
The CL last changed line 111 of file GraphicsLayerUpdater.cpp, which is stack frame 6.

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Compositing


Looping in chromium//src/third_party/WebKit/Source/core/layout/OWNERS as none of the CL's abvove are recent.

@chrishtr, can you please assign this accordingly ?

The proximate cause is that the div with id tCF11 is squashed into the one with
id tCF7 on the first frame. On the second frame, the modal dialog is applied,
which changes the layout tree. Compositing tries to update all PaintLayers to
apply the new compositing, but tCF11 is not found in the PaintLayerTree for some
reason. It looks like something is getting messed up with multicolumn in the
presence of top layers.

Morten could you look? I think you know this code best.

Attaching cleaned up test case, which still seems to crash like the original test (I get an ASSERT(ancestorPaintInfo) failure in CompositedLayerMapping::localClipRectForSquashedLayer()).

I tried to simplify it further, but then I got it to crash/assert at other places, so I'll stop here for now.

Paginating the viewport (which puts EVERYTHING inside a flow thread child of LayoutView) may be a poisonous combination with Element::setIsInTopLayer(), but I don't know yet.

Deleted: tc.html 688 bytes

tc.html 688 bytes View Download

Remove legacy label cr-blink

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5088116829847552

Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  blink::CompositedLayerMapping::localClipRectForSquashedLayer
  blink::CompositedLayerMapping::updateSquashingLayerGeometry
  blink::CompositedLayerMapping::updateGraphicsLayerGeometry
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=379568:379622

Minimized Testcase (2.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97IRb5bJEuqgCcKoVse7I0cQQHFcUIvyJ-_oihrkWO4WCDpAD3gYuUHaItKTdg5KIt8QKF37F3WzIG1bdB3bjDKcNAFGhzP9I3ZibiFCIffjICY5AITfvkymZZATrzDDm0ZTN4C8q3LiYSxoH-sptF1apfF9w

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5233aa994b11d17c287311089234f58dbbead280

commit 5233aa994b11d17c287311089234f58dbbead280
Author: mstensho <mstensho@opera.com>
Date: Thu Apr 07 21:40:19 2016

Make top-layer elements work also when the viewport is paginated.

When the viewport is paginated (by overflow:-webkit-paged-* specified on HTML
or BODY), top-layer elements are redirected to a flow thread, along with
everything else. So we have to go through the children of the flow thread, not
the children of the layout view, when looking for them.

BUG= 594306 

Review URL: https://codereview.chromium.org/1850153002

Cr-Commit-Position: refs/heads/master@{#385883}

[add] https://crrev.com/5233aa994b11d17c287311089234f58dbbead280/third_party/WebKit/LayoutTests/fast/pagination/modal-dialog-crash-expected.txt
[add] https://crrev.com/5233aa994b11d17c287311089234f58dbbead280/third_party/WebKit/LayoutTests/fast/pagination/modal-dialog-crash.html
[add] https://crrev.com/5233aa994b11d17c287311089234f58dbbead280/third_party/WebKit/LayoutTests/fast/pagination/modal-dialog-expected.html
[add] https://crrev.com/5233aa994b11d17c287311089234f58dbbead280/third_party/WebKit/LayoutTests/fast/pagination/modal-dialog.html
[modify] https://crrev.com/5233aa994b11d17c287311089234f58dbbead280/third_party/WebKit/Source/core/paint/PaintLayerStackingNode.cpp

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot