ASSERTION FAILED: m_fragmentainerGroups.size() == 1

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5160422128222208
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  ASSERTION FAILED: m_fragmentainerGroups.size() == 1
  blink::LayoutMultiColumnSet::pageLogicalHeightForOffset
  blink::LayoutFlowThread::pageLogicalHeightForOffset
Minimized Testcase (0.49 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95sGGtsGYtLqUxAtYK3Zw-GrpJZJXX0gFg8go67mnitCcH3dF4V_Iaki8BZhNLlZwCFMvApuGWK1DZyrFss7LZcJ1TfoOHSbS1MK_YHKFSGcv-vWn4LF6pI--q0cQOQ3PXO2KpMNdrXvdjM74kHfGqpo3TFxw
Filer: pucchakayala
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 18 2016
Remove legacy label cr-blink
Mar 23 2016
Apr 8 2016
Cleaned up test case.
Apr 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9958b7d0b612a7b1bbea85f1c8f2825faa5cebb6

commit 9958b7d0b612a7b1bbea85f1c8f2825faa5cebb6
Author: mstensho <mstensho@opera.com>
Date: Fri Apr 15 07:11:08 2016

Don't call paginatedContentWasLaidOut() until we have the final layout.

Blocks may need relayout because of pagination, and calling paginatedContentWasLaidOut() before that has taken place could make us account for a leading pagination strut twice (once before the block child, and once before the first line inside the block). In a nested multicol context this could trigger creation of additional fragmentainer groups that will be unneeded in the end.

This fixes the assertion mentioned in bug 594833, but new ones will pop up instead, because of brokenness in the column balancer. That will be fixed in a separate CL.

BUG=594833

Review URL: https://codereview.chromium.org/1883163002
Cr-Commit-Position: refs/heads/master@{#387548}

[add] https://crrev.com/9958b7d0b612a7b1bbea85f1c8f2825faa5cebb6/third_party/WebKit/LayoutTests/fast/multicol/nested-balanced-with-strut-before-first-line-expected.html
[add] https://crrev.com/9958b7d0b612a7b1bbea85f1c8f2825faa5cebb6/third_party/WebKit/LayoutTests/fast/multicol/nested-balanced-with-strut-before-first-line.html
[modify] https://crrev.com/9958b7d0b612a7b1bbea85f1c8f2825faa5cebb6/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp
Apr 18 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5b65a57f38f0260e21b8ec190d201ae2504d73e5

commit 5b65a57f38f0260e21b8ec190d201ae2504d73e5
Author: mstensho <mstensho@opera.com>
Date: Mon Apr 18 23:16:17 2016

Support multiple fragmentainer groups per ColumnBalancer run.

Instead of specifying a fragmentainer group for the operation, we now specify a column set and a flow thread portion (which may be the portion of one group or many contiguous groups within the same column set).

The reason for this change is that when calculating space shortage in an inner multicol container, we need to walk through all fragmentainer groups in one operation, or we'll miss the column boundaries between the fragmentainer groups, and only find those that lie between two columns in the same fragmentainer group. This is especially bad if the inner multicol container only has one column per fragmentainer group (row), since then *all* column boundaries lie between two fragmentainer groups, and we wouldn't be able to find any shortage at all.

BUG=594833

Review URL: https://codereview.chromium.org/1891783002
Cr-Commit-Position: refs/heads/master@{#388070}

[add] https://crrev.com/5b65a57f38f0260e21b8ec190d201ae2504d73e5/third_party/WebKit/LayoutTests/fast/multicol/nested-balanced-inner-column-count-1-with-forced-break-expected.html
[add] https://crrev.com/5b65a57f38f0260e21b8ec190d201ae2504d73e5/third_party/WebKit/LayoutTests/fast/multicol/nested-balanced-inner-column-count-1-with-forced-break.html
[modify] https://crrev.com/5b65a57f38f0260e21b8ec190d201ae2504d73e5/third_party/WebKit/Source/core/layout/ColumnBalancer.cpp
[modify] https://crrev.com/5b65a57f38f0260e21b8ec190d201ae2504d73e5/third_party/WebKit/Source/core/layout/ColumnBalancer.h
[modify] https://crrev.com/5b65a57f38f0260e21b8ec190d201ae2504d73e5/third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.cpp
Apr 19 2016
Jun 14 2016
Clusterfuzz has detected the issue again, hence re-opening the same.
Jun 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6441796590895104
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  m_fragmentainerGroups.size() == 1
  blink::LayoutMultiColumnSet::pageLogicalHeightForOffset
  blink::LayoutFlowThread::pageLogicalHeightForOffset
Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94G-FQXjTjbkwkJvK2wCC_BWgTpHerqyq1kCkZCf-R_PClUi-7GtPv53uOAo6RByZ6qdAGHhgCjwsN85AG7JiA5iGLxHQtOcUb_2ZmvkA6rzBsiB3SRPsf7P-BVUHWBeYesZVppdEswA93pdWyq0b7Q7EbVwQ
  class="constrainedContainer"> <div class="columns1And2"</div> <div> <style> * { -webkit-columns: 10ex;
Filer: durga.behera
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 8 2016
#9 reproduced, while my tc.html still works fine.
Sep 23 2016
ClusterFuzz has detected this issue as fixed in range 420372:420465.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6441796590895104
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  m_fragmentainerGroups.size() == 1
  blink::LayoutMultiColumnSet::pageLogicalHeightForOffset
  blink::LayoutFlowThread::pageLogicalHeightForOffset
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=384799:384804
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=420372:420465
Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94LMzaqDhc2CMJLD-0n93mrLGRdvNhWkRgfr6iE1RK-kz34KeiuNW1HSLalgL-Ok0gIxLX91Xe0qqgaF31bzfUzrZFiGIv7EEnAfQsAynR-gtItyQXdZY7rQjJ4dWnnPn5UrVzgjyfX3igVekN5lNWovuOAFA?testcase_id=6441796590895104
  class="constrainedContainer"> <div class="columns1And2"</div> <div> <style> * { -webkit-columns: 10ex;
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 28 2016
#9 still reproducible here.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 14 2016
Not a security bug and not happening in the wild, reducing priority.
Feb 17 2017
Still reproducible.
Jun 19 2017
Works fine now.
Comment 1 by pucchakayala@chromium.org, Mar 14 2016
Owner: msten...@opera.com
Status: Assigned (was: Available)