Author: danakj
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/55d0a18194e3abe3ef52f48f021fa677c4803153
Time: Tue Mar 08 21:33:26 2016
Files FrameView.cpp, Element.cpp are changed in this cl (and is part of stack frame #19, "blink::FrameView::updateLifecyclePhasesInternal"; frame #20, "blink::FrameView::updateAllLifecyclePhases")
Minimum distance from crash line to modified line: 2. (file: Element.cpp, crashed on: 1548, modified: 1550).

The lines I changed had to do with scrolling. I don't think the enum name matters. But there is some scroll-related change in that list. https://chromium.googlesource.com/chromium/src/+/d0eaee288867a6e00e4a9c3fa65d28e4de9e922a

This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz

I don't think my CL would have caused this crash. My CL has to do with scrolling, more precisely taking over animations from CC. AFAICT, the minimized test case doesn't have any scrolling and the stacktrace suggests a layout issue.

I tried to repro this locally, but wasn't successful.

@eae, can you please re-assign this as necessary?

r379762 (https://codereview.chromium.org/1769903002) is the only change in that range that looks related. Would you mind taking a look rune?

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5755589686198272

Fuzzer: mbarbella_js_mutation_layout
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0xffffffff
Crash State:
  blink::PaintLayerReflectionInfo::updateAfterStyleChange
  blink::PaintLayer::styleChanged
  blink::LayoutBoxModelObject::styleDidChange
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_content_shell&range=379564:379959

Minimized Testcase (0.07 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97nSGetEC-stEO39M_gFP_zWGJ71xG-M2cUWUGkfG7WRDPyuJVtA5DkcpoBmbm0pXLzzZKuO516yq0XmP0wsxZQzWU1hC5S1V1Xc0W0F2Aw2EgNdTMX3gnlGLQ3lsciogugiwS3Keq1bE34oAn2jflOIcHAhA
<style>
   div {
        -webkit-box-reflect: below;
  </style>
  <div>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Never mind.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot