
Issue 596863

Issue metadata

Status: Fixed
Owner:
NOT IN USE
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




ASSERTION FAILED: !currContainer->hasTransformRelatedProperty()

Reported by ClusterFuzz (Project Member), Mar 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5499527838040064

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: !currContainer->hasTransformRelatedProperty()
  blink::LayoutObject::offsetFromAncestorContainer
  blink::LayoutBox::mapToVisibleRectInAncestorSpace
  

Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94T4hty2EAgg_P3gi4nxvLFerRX99dSICPQgMgt-TRGOYTUAPk8CSIoJ3NH0YHHXHyn1bFvt_4w9r1ORKUWZsgVSjYnlioh8EfmUQoN6AqB5m6sbWbE9spIlmGd36zCNB7t-k_e2QLrw1NxcfGS85TMOqvRSg
<style>
    #camera {
    }
    #container {
        transform: translateZ(800px)
  </style>
  <div style="-webkit-columns:2;">
   <div id="container">
    <div style="-webkit-column-span:all;">


Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ashej...@chromium.org
Components: Blink>Paint>Invalidation
Labels: findit-wrong Te-Logged M-51
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Available)
Suspected CLs: Regression information is not available. The result is the blame information.

Author: justing
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/e1ef4102dc60ec0a5b713d8fabc023555621cb60
Time: Fri Jun 09 04:57:51 2006
The CL last changed line 1247 of file CompositeEditCommand.cpp, which is stack frame 0.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4ee37b1afc847d9504c046f20602709a98e921dc
Time: Mon Feb 15 07:36:39 2016
The CL last changed line 711 of file DeleteSelectionCommand.cpp, which is stack frame 1.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4ee37b1afc847d9504c046f20602709a98e921dc
Time: Mon Feb 15 07:36:39 2016
The CL last changed line 894 of file DeleteSelectionCommand.cpp, which is stack frame 2.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/141f0e9340ec887e341ba89a712c6539205a8292
Time: Tue Feb 09 12:09:23 2016
The CL last changed line 255 of file CompositeEditCommand.cpp, which is stack frame 3.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7f6bd2b6a8e6e4858afd1f1b23d768030a01af69
Time: Wed Feb 10 02:54:06 2016
The CL last changed line 621 of file CompositeEditCommand.cpp, which is stack frame 4.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ebfda00cca02ba3f16493b29f996121cdf265993
Time: Tue Feb 16 04:13:35 2016
The CL last changed line 165 of file InsertParagraphSeparatorCommand.cpp, which is stack frame 5.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/141f0e9340ec887e341ba89a712c6539205a8292
Time: Tue Feb 09 12:09:23 2016
The CL last changed line 255 of file CompositeEditCommand.cpp, which is stack frame 6.

Suspected Component: chromium

https://chromium.googlesource.com/chromium/src//+/88719a882e81c1f008c8cbf89584a25769458a31 ?

@wangxianzhu: Hey, would you mind checking the above issue and seeing if it's related to your change?

Feel free to re-assign to the concerned dev if that is not the case.

I really appreciate your help.

Thank you!
Labels: -Pri-1 Pri-2
Labels: Needs-Bisect
I believe this is not caused by my change (which just changed some names), but I will investigate it because it's a paint invalidation bug.
Labels: -Needs-Bisect
Removing the bisect label as there are no manual repro steps.

Feel free to add it back if there are any repro steps or a test html file for the above issue.

Thank you!
Comment 5 by ClusterFuzz (Project Member), Apr 11 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5757563173339136

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: !currContainer->hasTransformRelatedProperty()
  blink::LayoutObject::offsetFromAncestorContainer
  blink::LayoutBox::mapToVisualRectInAncestorSpace
  

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97_-bB41kGAXPEprcXEZ66mBInXJk83MLRQcc3flbaIQYmyBv9mdfuFtYK5Cl8ivFHNa1JIKYjpniBIOI8pUDkQwDRCXUnI0tD3Uzeavgt4YRD9nTDzRa_gTMG1SAG68PZeZUsQYNjCqrn1aPbH6jaqqgCqRQ
<style>
   div {
        transform: rotateY(30deg) rotateX(-30deg);
</style>
 <div style="-webkit-columns:6;">
   <div>
    <table style="-webkit-column-span:all;">


Filer: pucchakayala

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Cc: wangxianzhu@chromium.org
Components: -Blink>Paint>Invalidation Blink>Layout>MultiCol
Owner: msten...@opera.com
This is related to multi-column and transform.

mstensho@opera.com, can you take a look?
Comment 7 by bugdroid1@chromium.org (Project Member), Apr 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e704e736d1dd462a20930d09e311e350c1a7724c

commit e704e736d1dd462a20930d09e311e350c1a7724c
Author: mstensho <mstensho@opera.com>
Date: Fri Apr 22 19:25:11 2016

Don't allow column spanners inside transforms.

Spanners want the multicol container as their containing block. Transforms want
to be the containing block of everything inside. Since it's not possible to
fulfill both wishes, just refuse objects to become spanners when inside
transforms. We already do the same when inside out-of-flow objects, and also
for anything that establishes a new formatting context.

BUG= 596863 

Review URL: https://codereview.chromium.org/1908393002

Cr-Commit-Position: refs/heads/master@{#389207}

[add] https://crrev.com/e704e736d1dd462a20930d09e311e350c1a7724c/third_party/WebKit/LayoutTests/fast/multicol/span/invalid-spanner-in-transform-expected.html
[add] https://crrev.com/e704e736d1dd462a20930d09e311e350c1a7724c/third_party/WebKit/LayoutTests/fast/multicol/span/invalid-spanner-in-transform.html
[modify] https://crrev.com/e704e736d1dd462a20930d09e311e350c1a7724c/third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp

Comment 8 by msten...@opera.com, Apr 22 2016

Status: Fixed (was: Assigned)
Comment 9 by ClusterFuzz (Project Member), Apr 23 2016

ClusterFuzz has detected this issue as fixed in range 388749:389339.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5499527838040064

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: !currContainer->hasTransformRelatedProperty()
  blink::LayoutObject::offsetFromAncestorContainer
  blink::LayoutBox::mapToVisibleRectInAncestorSpace
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=388749:389339

Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94T4hty2EAgg_P3gi4nxvLFerRX99dSICPQgMgt-TRGOYTUAPk8CSIoJ3NH0YHHXHyn1bFvt_4w9r1ORKUWZsgVSjYnlioh8EfmUQoN6AqB5m6sbWbE9spIlmGd36zCNB7t-k_e2QLrw1NxcfGS85TMOqvRSg
<style>
    #camera {
    }
    #container {
        transform: translateZ(800px)
  </style>
  <div style="-webkit-columns:2;">
   <div id="container">
    <div style="-webkit-column-span:all;">


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 10 by ClusterFuzz (Project Member), Apr 23 2016

ClusterFuzz has detected this issue as fixed in range 388749:389333.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5757563173339136

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: !currContainer->hasTransformRelatedProperty()
  blink::LayoutObject::offsetFromAncestorContainer
  blink::LayoutBox::mapToVisualRectInAncestorSpace
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=388749:389333

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97_-bB41kGAXPEprcXEZ66mBInXJk83MLRQcc3flbaIQYmyBv9mdfuFtYK5Cl8ivFHNa1JIKYjpniBIOI8pUDkQwDRCXUnI0tD3Uzeavgt4YRD9nTDzRa_gTMG1SAG68PZeZUsQYNjCqrn1aPbH6jaqqgCqRQ
<style>
   div {
        transform: rotateY(30deg) rotateX(-30deg);
</style>
 <div style="-webkit-columns:6;">
   <div>
    <table style="-webkit-column-span:all;">


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 11 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
