Crash in cc::LayerImpl::SetTransformOrigin
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5198430221107200

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000044
Crash State:
  cc::LayerImpl::SetTransformOrigin
  cc::Layer::PushPropertiesTo
  cc::PictureLayer::PushPropertiesTo

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=382185:382786

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97zS2SbfjQ5NK1UQvlpY_J2GiT56TuqIpXyzLgY1KMvUbildEqFPji8n6X7_BrFsAZStwafYGS7a4ir7AsZAp7YXbFCT0fvCN_okip9FxceBdpwrhlMfo7FkYXBdY3BlbfSgCRJJpCtDRdMXDaf6-u_-9iSUQ

<embed id="lappy" height="78" TYPE="application/x-shockwave-flash" </script>
<script>
var test0=document.getElementById("lappy")
test0.style['border-bottom-right-radius']='6px';
setInterval(function(){ document.body.style.zoom=3.5428020181134343 })
</script>

Filer: ligimole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 29 2016

Mar 31 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/11cb9635daf8326b02a752f51f92785dc6c220f2

commit 11cb9635daf8326b02a752f51f92785dc6c220f2
Author: jaydasika <jaydasika@chromium.org>
Date: Thu Mar 31 00:37:08 2016

cc : Fix bug in tree synchronization when mask layer changes

This CL also moves an out-of-place DCHECK.

BUG= 598875
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1850453002

Cr-Commit-Position: refs/heads/master@{#384160}

[modify] https://crrev.com/11cb9635daf8326b02a752f51f92785dc6c220f2/cc/layers/layer.cc
[modify] https://crrev.com/11cb9635daf8326b02a752f51f92785dc6c220f2/cc/layers/layer_impl.cc
[modify] https://crrev.com/11cb9635daf8326b02a752f51f92785dc6c220f2/cc/layers/layer_impl.h
[modify] https://crrev.com/11cb9635daf8326b02a752f51f92785dc6c220f2/cc/trees/layer_tree_host_unittest.cc
[modify] https://crrev.com/11cb9635daf8326b02a752f51f92785dc6c220f2/cc/trees/tree_synchronizer.cc
Mar 31 2016

Jun 9 2016
ClusterFuzz has detected this issue as fixed in range 383194:384380.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5198430221107200

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000044
Crash State:
  cc::LayerImpl::SetTransformOrigin
  cc::Layer::PushPropertiesTo
  cc::PictureLayer::PushPropertiesTo

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=382185:382786
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=383194:384380

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94g48bqJKU3xwxos1Onh02URaAvdzh5lQ6Oa8pZhH4aqHK6bSKzbBWJxxDEIL7lxL_yEf3stc22IPY2B7u8O-Wecvz7lW4l9rj0lA3oudL4Di3KMrWqPt_D7P_7yYb-gDBi_llVnYTjHRCnVbZ5dF7qs70fEA

<embed id="lappy" height="78" TYPE="application/x-shockwave-flash" </script>
<script>
var test0=document.getElementById("lappy")
test0.style['border-bottom-right-radius']='6px';
setInterval(function(){ document.body.style.zoom=3.5428020181134343 })
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ligim...@chromium.org, Mar 29 2016

Owner: jaydasika@chromium.org
Status: Assigned (was: Available)