Issue 597846

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


ASSERTION FAILED: !std::isnan(static_cast<double>(value))

Reported by ClusterFuzz (Project Member), Mar 24 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5263340766494720

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: !std::isnan(static_cast<double>(value))
  int clampTo<int, float>
  blink::LayoutUnit::fromFloatCeil
  

Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96zFdpGwsfkj11S5R1Vskd3NMdroGN1o9_Cbb5CrVOWZE6ZrXiWMmJTIGrOK6350zghe80SSc74KDfv9UJu_IUKPulMjOwX--pRw45wD6EYUjHlYP9nfYL5H5urXR-41tcaa1pB4RSz3X8LtDrnVELletJttw

Filer: manoranjanr

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: tkent@chromium.org
Components: Blink>Layout
Labels: findit-for-crash Te-Logged
Owner: dsinclair@chromium.org
Status: Assigned (was: Available)
Below is the list of suspected CLs from 'Findit'.

Author: bokan@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ba05b7911b6c76eac70ba55263d8929a4962b236
Time: Thu Oct 23 20:05:30 2014
The CL last changed line 283 of file MathExtras.h, which is stack frame 0.

Author: pkasting@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/cc186ed9f09844abb68dcae97604fbdb52344025
Time: Mon Oct 13 20:04:47 2014
The CL last changed line 85 of file LayoutUnit.h, which is stack frame 1.

Author: eae@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/70e39074ac4ebdf18d406fbd56a5ddde4c8e989e
Time: Wed Nov 07 18:33:44 2012
The CL last changed line 219 of file LayoutPoint.h, which is stack frame 2.

Author: eae@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/70e39074ac4ebdf18d406fbd56a5ddde4c8e989e
Time: Wed Nov 07 18:33:44 2012
The CL last changed line 180 of file LayoutRect.cpp, which is stack frame 3.

Author: eae@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ae36d4bf69ae9b7b4b1ebd96fd337742acbd1d29
Time: Tue Jun 11 18:21:08 2013
The CL last changed line 1089 of file ContainerNode.cpp, which is stack frame 4.

Author: dsinclair@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/132c5d0b92d80a549926b2876b597990493b21d0
Time: Sat Mar 07 00:31:43 2015
The CL last changed line 2412 of file Element.cpp, which is stack frame 5.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d76505b8d68f4fffd18620d9ab1b4d19c467ec4c
Time: Thu Nov 19 10:34:51 2015
The CL last changed line 3663 of file Document.cpp, which is stack frame 6.

dsinclair@, could you please help us find the right owner?

Thank you!

Comment 2 by tkent@chromium.org, Mar 24 2016

Cc: -tkent@chromium.org
Cc: schenney@chromium.org
Owner: e...@chromium.org
eae@ to triage for layout-dev.

Comment 5 by e...@chromium.org, Apr 19 2016

Status: Started (was: Assigned)

Comment 6 by e...@chromium.org, Apr 20 2016

Status: Fixed (was: Started)

Comment 7 by bugdroid1@chromium.org (Project Member), Apr 20 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fa1ff2fb43ff5538f6950be40cd7f3751af22678

commit fa1ff2fb43ff5538f6950be40cd7f3751af22678
Author: eae <eae@chromium.org>
Date: Wed Apr 20 00:25:34 2016

Handle very large transforms in ContainerNode::boundingBox

Change ContainerNode::boundingBox to explicitly check for and handle NaN
sizes. Very large matrix and scale transforms may result in a NaN value.

BUG= 597846 
TEST=fast/transforms/focus-on-transformed-node.htm
R=szager@chromium.org

Review URL: https://codereview.chromium.org/1903493003

Cr-Commit-Position: refs/heads/master@{#388374}

[add] https://crrev.com/fa1ff2fb43ff5538f6950be40cd7f3751af22678/third_party/WebKit/LayoutTests/fast/transforms/focus-on-transformed-node-expected.txt
[add] https://crrev.com/fa1ff2fb43ff5538f6950be40cd7f3751af22678/third_party/WebKit/LayoutTests/fast/transforms/focus-on-transformed-node.html
[modify] https://crrev.com/fa1ff2fb43ff5538f6950be40cd7f3751af22678/third_party/WebKit/Source/core/dom/ContainerNode.cpp
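The assertion in the crash state and the NaN check the fix commit describes, modelled as an added example (not Chromium code: clampToInt, layoutUnitFromFloatCeil, scaleBox and boundingBox are simplified stand-ins assumed for the illustration, and returning an empty rect for the NaN case is this example's choice):

```cpp
#include <cassert>
#include <cmath>
#include <limits>

// Stand-in for Blink's clampTo<int, float> (MathExtras.h). Debug builds assert
// that the input is not NaN: NaN compares false against every bound, so neither
// clamp branch fires and the float-to-int cast would be undefined behaviour.
int clampToInt(float value) {
    assert(!std::isnan(static_cast<double>(value)));
    const float hi = static_cast<float>(std::numeric_limits<int>::max());
    const float lo = static_cast<float>(std::numeric_limits<int>::min());
    if (value >= hi) return std::numeric_limits<int>::max();
    if (value <= lo) return std::numeric_limits<int>::min();
    return static_cast<int>(value);
}

// Stand-in for LayoutUnit::fromFloatCeil: fixed-point with 64 subpixel units.
int layoutUnitFromFloatCeil(float v) { return clampToInt(std::ceil(v * 64.0f)); }

struct FloatRect { float x, y, width, height; };
struct IntRect { int x, y, width, height; };

// Model of a huge scale transform applied to an element's box. Scaling both
// edges of the box past FLT_MAX gives +inf for each, and inf - inf is NaN, so
// the transformed width/height become NaN while x/y are merely +inf.
FloatRect scaleBox(const FloatRect& box, float scale) {
    float x0 = box.x * scale, x1 = (box.x + box.width) * scale;
    float y0 = box.y * scale, y1 = (box.y + box.height) * scale;
    return { x0, y0, x1 - x0, y1 - y0 };
}

bool hasNaNSize(const FloatRect& r) {
    return std::isnan(r.width) || std::isnan(r.height);
}

// Hardened boundingBox in the spirit of the fix: check for NaN sizes before
// converting to LayoutUnit. +inf never reaches the assertion because
// clampToInt saturates it to INT_MAX; only NaN does, so NaN must be caught
// here. The empty-rect fallback is an assumption of this example.
IntRect boundingBox(const FloatRect& box, float scale) {
    FloatRect r = scaleBox(box, scale);
    if (hasNaNSize(r)) return { 0, 0, 0, 0 };
    return { layoutUnitFromFloatCeil(r.x), layoutUnitFromFloatCeil(r.y),
             layoutUnitFromFloatCeil(r.width), layoutUnitFromFloatCeil(r.height) };
}
```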

Comment 8 by ClusterFuzz (Project Member), Apr 20 2016

ClusterFuzz has detected this issue as fixed in range 388350:388383.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5263340766494720

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: !std::isnan(static_cast<double>(value))
  int clampTo<int, float>
  blink::LayoutUnit::fromFloatCeil
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=388350:388383

Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96zFdpGwsfkj11S5R1Vskd3NMdroGN1o9_Cbb5CrVOWZE6ZrXiWMmJTIGrOK6350zghe80SSc74KDfv9UJu_IUKPulMjOwX--pRw45wD6EYUjHlYP9nfYL5H5urXR-41tcaa1pB4RSz3X8LtDrnVELletJttw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot