ASSERTION FAILED: logicalBottomInFlowThread >= m_logicalTopInFlowThread with large top padding/border and orphans
Reported by msten...@opera.com, Apr 19 2016
Issue description

ASSERTION FAILED: logicalBottomInFlowThread >= m_logicalTopInFlowThread
../../third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.h(57) : void blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread(blink::LayoutUnit)
#0 0x00000000038fed05 in blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread (this=0x25feaa01d630, logicalBottomInFlowThread=50px) at ../../third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.h:57
#1 0x00000000038fe480 in blink::LayoutMultiColumnSet::endFlow (this=0x2951f9e44178, offsetInFlowThread=50px) at ../../third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.cpp:342
#2 0x00000000038fb41d in blink::LayoutMultiColumnFlowThread::layout (this=0x2951f9e341a0) at ../../third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp:975
#3 0x00000000038f9012 in blink::LayoutMultiColumnFlowThread::layoutColumns (this=0x2951f9e341a0, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp:434
#4 0x000000000384be36 in blink::LayoutBlockFlow::layoutSpecialExcludedChild (this=0x2951f9e24588, relayoutChildren=false, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:209
#5 0x0000000003851eef in blink::LayoutBlockFlow::layoutBlockChildren (this=0x2951f9e24588, relayoutChildren=false, layoutScope=..., beforeEdge=0px, afterEdge=0px) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1082
#6 0x000000000385a8c9 in blink::LayoutBlockFlow::layoutBlockFlow (this=0x2951f9e24588, relayoutChildren=false, pageLogicalHeight=0px, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:417
#7 0x000000000384ca49 in blink::LayoutBlockFlow::layoutBlock (this=0x2951f9e24588, relayoutChildren=false) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:325
#8 0x00000000038336e0 in blink::LayoutBlock::layout (this=0x2951f9e24588) at ../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:879
#9 0x000000000384d866 in blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded (this=0x2951f9e34010, child=..., newLogicalTop=16px, layoutInfo=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:596
#10 0x000000000384dbe7 in blink::LayoutBlockFlow::layoutBlockChild (this=0x2951f9e34010, child=..., layoutInfo=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:646
#11 0x0000000003852108 in blink::LayoutBlockFlow::layoutBlockChildren (this=0x2951f9e34010, relayoutChildren=true, layoutScope=..., beforeEdge=0px, afterEdge=0px) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1122
#12 0x000000000385a8c9 in blink::LayoutBlockFlow::layoutBlockFlow (this=0x2951f9e34010, relayoutChildren=true, pageLogicalHeight=1px, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:417
#13 0x000000000384ca49 in blink::LayoutBlockFlow::layoutBlock (this=0x2951f9e34010, relayoutChildren=false) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:325
#14 0x00000000038336e0 in blink::LayoutBlock::layout (this=0x2951f9e34010) at ../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:879
#15 0x00000000038be061 in blink::LayoutFlowThread::layout (this=0x2951f9e34010) at ../../third_party/WebKit/Source/core/layout/LayoutFlowThread.cpp:115
#16 0x00000000038fb2d6 in blink::LayoutMultiColumnFlowThread::layout (this=0x2951f9e34010) at ../../third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp:962
#17 0x00000000038f9012 in blink::LayoutMultiColumnFlowThread::layoutColumns (this=0x2951f9e34010, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp:434
#18 0x000000000384be36 in blink::LayoutBlockFlow::layoutSpecialExcludedChild (this=0x2951f9e24358, relayoutChildren=true, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:209
#19 0x0000000003851eef in blink::LayoutBlockFlow::layoutBlockChildren (this=0x2951f9e24358, relayoutChildren=true, layoutScope=..., beforeEdge=0px, afterEdge=0px) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1082
#20 0x000000000385a8c9 in blink::LayoutBlockFlow::layoutBlockFlow (this=0x2951f9e24358, relayoutChildren=true, pageLogicalHeight=0px, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:417
#21 0x000000000384ca49 in blink::LayoutBlockFlow::layoutBlock (this=0x2951f9e24358, relayoutChildren=false) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:325
#22 0x00000000038336e0 in blink::LayoutBlock::layout (this=0x2951f9e24358) at ../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:879
Apr 19 2016
(and without specifying orphans and widows)
Apr 19 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/69b27e85cdf52da2d0be4f011b92b77c461e12ab

commit 69b27e85cdf52da2d0be4f011b92b77c461e12ab
Author: mstensho <mstensho@opera.com>
Date: Tue Apr 19 22:10:51 2016

Make MultiColumnFragmentainerGroup::m_columnSet const.

Ideally, I'd like to get rid of the member altogether, but that would require a lot of refactoring. This is a preparatory patch for a fix for bug 604609.

BUG=604609

Review URL: https://codereview.chromium.org/1898293003

Cr-Commit-Position: refs/heads/master@{#388326}

[modify] https://crrev.com/69b27e85cdf52da2d0be4f011b92b77c461e12ab/third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.cpp
[modify] https://crrev.com/69b27e85cdf52da2d0be4f011b92b77c461e12ab/third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.cpp
[modify] https://crrev.com/69b27e85cdf52da2d0be4f011b92b77c461e12ab/third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.h
Apr 21 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6107231103221760

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  ASSERTION FAILED: logicalBottomInFlowThread >= m_logicalTopInFlowThread
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96L3WiAVdYNgsL9dwYoGmMWQAfT0KhblDfc1ISwVlQaeP8REwKXB4iKENU2Bt4rtZTZ75I5P_9CHIXfkZ9WHwckXfuLviBk9zkXYdLou5qt0CmmVSvKdD_17BZTBAtK5DQH9OkkKYI-pfzPjcKu5um8hPkErA
<style>.mc { -webkit-columns: 2; </style> <div style="text-justify: inter-word; line-height:2em; " class=mc><div class=mc>!Cy <div> <br> <br> <br> D<style> * { animation-name: cfpulse85; max-height: 7pc;

Filer: ssamanoori

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 21 2016
@ssamanoori - please move this fuzzer crash to a separate bug report. While it asserts on the same code line, the root cause is different.
Apr 23 2016
ClusterFuzz has detected this issue as fixed in range 388749:389333.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6107231103221760

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  ASSERTION FAILED: logicalBottomInFlowThread >= m_logicalTopInFlowThread
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=388749:389333

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96L3WiAVdYNgsL9dwYoGmMWQAfT0KhblDfc1ISwVlQaeP8REwKXB4iKENU2Bt4rtZTZ75I5P_9CHIXfkZ9WHwckXfuLviBk9zkXYdLou5qt0CmmVSvKdD_17BZTBAtK5DQH9OkkKYI-pfzPjcKu5um8hPkErA
<style>.mc { -webkit-columns: 2; </style> <div style="text-justify: inter-word; line-height:2em; " class=mc><div class=mc>!Cy <div> <br> <br> <br> D<style> * { animation-name: cfpulse85; max-height: 7pc;

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 28 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6288260904517632

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  ASSERTION FAILED: logicalBottomInFlowThread >= m_logicalTopInFlowThread
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow

Minimized Testcase (0.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ky1EmIRqDSjF3Ekr7L0JNepEKVTcQmy3R6yDRs5z3gPduKbuAND1OG5uy7rGtUZ-OwfM12-V_Sw2VeVDTxY3FnKdwo_IE0q6ork1DjZrxAWqRagZ71Us6dhOIx1s9H30PoMSgvzCsQ8ZjxQ6-zhAVVxHKeA

Filer: pucchakayala

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 6 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6348214672556032

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  logicalBottomInFlowThread >= m_logicalTopInFlowThread
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow

Minimized Testcase (0.30 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95C-uG1S1EigVOrN4usLiQmWvpkap8Fj-A_FtM0i3E8-_DVrAbI9oiEpLNXzNwbf-ESdib4niqcsmGT-jsb35sF-nJ6Fh6Lq6qs-eYeEneYCbdD8G1tOWb7qBWvwcHgqwrzKbg8AVP3rItIjSYNO86-8LzIww
"Caught: " + e; <style> body { -webkit-column-width: 50px; </style> <style> table { border-spacing:0; line-height:1em; } tr { break-inside:avoid;</style> <div style="columns:2; column-fill:auto; height:3.9em;"> <table> <td> <br/> <br/> </tr> <br/> <br/>

Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 21 2016
ClusterFuzz has detected this issue as fixed in range 400924:400972.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6348214672556032

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  logicalBottomInFlowThread >= m_logicalTopInFlowThread
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=400924:400972

Minimized Testcase (0.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97I9AYztg2dBnJ_Ao6XVR_mtL2H5tG7nn2VyGVujAzjXzn_yWZTJ48JRaC4ENp6NbeOPOqteOq1E2K8wM2Is9cJdxBGbyES4xyBuSKfwboU3sX8F22CZo5nb8OWBqCaiLNK5zZC5nynjavC3n8WRC07mxxg1g?testcase_id=6348214672556032

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 8 2016
With my test case (tc.html) I now get this failure:

ASSERTION FAILED: isFirstAfterBreak(lineTopInFlowThread) || !line.paginationStrut() || !isLogicalTopWithinBounds(lineTopInFlowThread - line.paginationStrut())
Sep 22 2016
ClusterFuzz has detected this issue as fixed in range 420031:420042.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6288260904517632

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  logicalBottomInFlowThread >= m_logicalTopInFlowThread
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=385949:385978
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=420031:420042

Minimized Testcase (0.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97D9Q50e6BjPvGybUv9PRUhE0VxuCykED9t2399tNfv1JuchdWhD-bYOZyPOWD8QPsLUQWMwmJ_q0nauo95AnxaCDUg0e-PB-YyGdlV-I4OiQBhofvQnS8HQYv6LU--S0a3XF3MayRMLZ_hayOQd2KRDhZaSA?testcase_id=6288260904517632

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 22 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 22 2016
Yeah, got fixed by https://codereview.chromium.org/2359733002
Comment 1 by msten...@opera.com, Apr 19 2016: attachment, 522 bytes