New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 604609 link

Starred by 1 user
Status: Verified
Owner:
msten...@opera.com
NOT IN USE
Closed: Sep 2016
Cc:
ssamanoori@chromium.org
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

ASSERTION FAILED: logicalBottomInFlowThread >= m_logicalTopInFlowThread with large top padding/border and orphans

Reported by msten...@opera.com, Apr 19 2016 
ASSERTION FAILED: logicalBottomInFlowThread >= m_logicalTopInFlowThread
../../third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.h(57) : void blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread(blink::LayoutUnit)

#0  0x00000000038fed05 in blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread (this=0x25feaa01d630, logicalBottomInFlowThread=50px) at ../../third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.h:57
#1  0x00000000038fe480 in blink::LayoutMultiColumnSet::endFlow (this=0x2951f9e44178, offsetInFlowThread=50px) at ../../third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.cpp:342
#2  0x00000000038fb41d in blink::LayoutMultiColumnFlowThread::layout (this=0x2951f9e341a0) at ../../third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp:975
#3  0x00000000038f9012 in blink::LayoutMultiColumnFlowThread::layoutColumns (this=0x2951f9e341a0, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp:434
#4  0x000000000384be36 in blink::LayoutBlockFlow::layoutSpecialExcludedChild (this=0x2951f9e24588, relayoutChildren=false, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:209
#5  0x0000000003851eef in blink::LayoutBlockFlow::layoutBlockChildren (this=0x2951f9e24588, relayoutChildren=false, layoutScope=..., beforeEdge=0px, afterEdge=0px) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1082
#6  0x000000000385a8c9 in blink::LayoutBlockFlow::layoutBlockFlow (this=0x2951f9e24588, relayoutChildren=false, pageLogicalHeight=0px, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:417
#7  0x000000000384ca49 in blink::LayoutBlockFlow::layoutBlock (this=0x2951f9e24588, relayoutChildren=false) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:325
#8  0x00000000038336e0 in blink::LayoutBlock::layout (this=0x2951f9e24588) at ../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:879
#9  0x000000000384d866 in blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded (this=0x2951f9e34010, child=..., newLogicalTop=16px, layoutInfo=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:596
#10 0x000000000384dbe7 in blink::LayoutBlockFlow::layoutBlockChild (this=0x2951f9e34010, child=..., layoutInfo=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:646
#11 0x0000000003852108 in blink::LayoutBlockFlow::layoutBlockChildren (this=0x2951f9e34010, relayoutChildren=true, layoutScope=..., beforeEdge=0px, afterEdge=0px) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1122
#12 0x000000000385a8c9 in blink::LayoutBlockFlow::layoutBlockFlow (this=0x2951f9e34010, relayoutChildren=true, pageLogicalHeight=1px, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:417
#13 0x000000000384ca49 in blink::LayoutBlockFlow::layoutBlock (this=0x2951f9e34010, relayoutChildren=false) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:325
#14 0x00000000038336e0 in blink::LayoutBlock::layout (this=0x2951f9e34010) at ../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:879
#15 0x00000000038be061 in blink::LayoutFlowThread::layout (this=0x2951f9e34010) at ../../third_party/WebKit/Source/core/layout/LayoutFlowThread.cpp:115
#16 0x00000000038fb2d6 in blink::LayoutMultiColumnFlowThread::layout (this=0x2951f9e34010) at ../../third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp:962
#17 0x00000000038f9012 in blink::LayoutMultiColumnFlowThread::layoutColumns (this=0x2951f9e34010, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp:434
#18 0x000000000384be36 in blink::LayoutBlockFlow::layoutSpecialExcludedChild (this=0x2951f9e24358, relayoutChildren=true, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:209
#19 0x0000000003851eef in blink::LayoutBlockFlow::layoutBlockChildren (this=0x2951f9e24358, relayoutChildren=true, layoutScope=..., beforeEdge=0px, afterEdge=0px) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1082
#20 0x000000000385a8c9 in blink::LayoutBlockFlow::layoutBlockFlow (this=0x2951f9e24358, relayoutChildren=true, pageLogicalHeight=0px, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:417
#21 0x000000000384ca49 in blink::LayoutBlockFlow::layoutBlock (this=0x2951f9e24358, relayoutChildren=false) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:325
#22 0x00000000038336e0 in blink::LayoutBlock::layout (this=0x2951f9e24358) at ../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:879
tc.html
311 bytes View Download

Comment 1 by msten...@opera.com, Apr 19 2016 

Also causes visible bugs without assertion failures.
tc-visual.html
522 bytes View Download

Comment 2 by msten...@opera.com, Apr 19 2016 

(and without specifying orphans and widows)
Project Member

Comment 3 by bugdroid1@chromium.org, Apr 19 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/69b27e85cdf52da2d0be4f011b92b77c461e12ab

commit 69b27e85cdf52da2d0be4f011b92b77c461e12ab
Author: mstensho <mstensho@opera.com>
Date: Tue Apr 19 22:10:51 2016

Make MultiColumnFragmentainerGroup::m_columnSet const.

Ideally, I'd like to get rid of the member altogether, but that would require a
lot of refactoring.

This is a preparatory patch for a fix for  bug 604609 .

BUG= 604609 

Review URL: https://codereview.chromium.org/1898293003

Cr-Commit-Position: refs/heads/master@{#388326}

[modify] https://crrev.com/69b27e85cdf52da2d0be4f011b92b77c461e12ab/third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.cpp
[modify] https://crrev.com/69b27e85cdf52da2d0be4f011b92b77c461e12ab/third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.cpp
[modify] https://crrev.com/69b27e85cdf52da2d0be4f011b92b77c461e12ab/third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.h
Project Member

Comment 4 by ClusterFuzz, Apr 21 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6107231103221760

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: logicalBottomInFlowThread >= m_logicalTopInFlowThread
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow
  

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96L3WiAVdYNgsL9dwYoGmMWQAfT0KhblDfc1ISwVlQaeP8REwKXB4iKENU2Bt4rtZTZ75I5P_9CHIXfkZ9WHwckXfuLviBk9zkXYdLou5qt0CmmVSvKdD_17BZTBAtK5DQH9OkkKYI-pfzPjcKu5um8hPkErA
<style>.mc {
    -webkit-columns: 2;
</style>
<div style="text-justify: inter-word; line-height:2em; " class=mc><div class=mc>!Cy
            <div>
<br>
<br>
<br>
                D<style>
* { animation-name: cfpulse85; max-height: 7pc;


Filer: ssamanoori

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 5 by msten...@opera.com, Apr 21 2016

Cc: ssamanoori@chromium.org
@ssamanoori - please move this fuzzer crash to a separate bug report. While it asserts on the same code line, the root cause is different.
Project Member

Comment 6 by ClusterFuzz, Apr 23 2016 

ClusterFuzz has detected this issue as fixed in range 388749:389333.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6107231103221760

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: logicalBottomInFlowThread >= m_logicalTopInFlowThread
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=388749:389333

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96L3WiAVdYNgsL9dwYoGmMWQAfT0KhblDfc1ISwVlQaeP8REwKXB4iKENU2Bt4rtZTZ75I5P_9CHIXfkZ9WHwckXfuLviBk9zkXYdLou5qt0CmmVSvKdD_17BZTBAtK5DQH9OkkKYI-pfzPjcKu5um8hPkErA
<style>.mc {
    -webkit-columns: 2;
</style>
<div style="text-justify: inter-word; line-height:2em; " class=mc><div class=mc>!Cy
            <div>
<br>
<br>
<br>
                D<style>
* { animation-name: cfpulse85; max-height: 7pc;


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Apr 28 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6288260904517632

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: logicalBottomInFlowThread >= m_logicalTopInFlowThread
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow
  

Minimized Testcase (0.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ky1EmIRqDSjF3Ekr7L0JNepEKVTcQmy3R6yDRs5z3gPduKbuAND1OG5uy7rGtUZ-OwfM12-V_Sw2VeVDTxY3FnKdwo_IE0q6ork1DjZrxAWqRagZ71Us6dhOIx1s9H30PoMSgvzCsQ8ZjxQ6-zhAVVxHKeA

Filer: pucchakayala

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 8 by ClusterFuzz, Jun 6 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6348214672556032

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  logicalBottomInFlowThread >= m_logicalTopInFlowThread
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow
  

Minimized Testcase (0.30 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95C-uG1S1EigVOrN4usLiQmWvpkap8Fj-A_FtM0i3E8-_DVrAbI9oiEpLNXzNwbf-ESdib4niqcsmGT-jsb35sF-nJ6Fh6Lq6qs-eYeEneYCbdD8G1tOWb7qBWvwcHgqwrzKbg8AVP3rItIjSYNO86-8LzIww
"Caught: " + e; <style>
   body {
    -webkit-column-width: 50px;
  </style>
<style>
   table { border-spacing:0; line-height:1em; }
tr { break-inside:avoid;</style>
<div style="columns:2; column-fill:auto; height:3.9em;">
   <table>
     <td>
       <br/>
      <br/>
    </tr>
       <br/>
       <br/>


Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 9 by ClusterFuzz, Jun 21 2016 

ClusterFuzz has detected this issue as fixed in range 400924:400972.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6348214672556032

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  logicalBottomInFlowThread >= m_logicalTopInFlowThread
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=400924:400972

Minimized Testcase (0.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97I9AYztg2dBnJ_Ao6XVR_mtL2H5tG7nn2VyGVujAzjXzn_yWZTJ48JRaC4ENp6NbeOPOqteOq1E2K8wM2Is9cJdxBGbyES4xyBuSKfwboU3sX8F22CZo5nb8OWBqCaiLNK5zZC5nynjavC3n8WRC07mxxg1g?testcase_id=6348214672556032

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by msten...@opera.com, Aug 8 2016 

With my test case (tc.html) I now get this failure:

ASSERTION FAILED: isFirstAfterBreak(lineTopInFlowThread) || !line.paginationStrut() || !isLogicalTopWithinBounds(lineTopInFlowThread - line.paginationStrut())
Project Member

Comment 11 by ClusterFuzz, Sep 22 2016 

ClusterFuzz has detected this issue as fixed in range 420031:420042.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6288260904517632

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  logicalBottomInFlowThread >= m_logicalTopInFlowThread
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=385949:385978
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=420031:420042

Minimized Testcase (0.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97D9Q50e6BjPvGybUv9PRUhE0VxuCykED9t2399tNfv1JuchdWhD-bYOZyPOWD8QPsLUQWMwmJ_q0nauo95AnxaCDUg0e-PB-YyGdlV-I4OiQBhofvQnS8HQYv6LU--S0a3XF3MayRMLZ_hayOQd2KRDhZaSA?testcase_id=6288260904517632

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by ClusterFuzz, Sep 22 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 13 by msten...@opera.com, Sep 22 2016 

Yeah, got fixed by https://codereview.chromium.org/2359733002

Sign in to add a comment