New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 606293 link

Starred by 0 users
Status: Verified
Owner:
msten...@opera.com
NOT IN USE
Closed: Sep 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

ASSERTION FAILED: isFirstAfterBreak(lineTopInFlowThread) || !line.paginationStru

Project Member Reported by ClusterFuzz, Apr 25 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5874160424714240

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: isFirstAfterBreak(lineTopInFlowThread) || !line.paginationStru
  blink::InitialColumnHeightFinder::examineLine
  blink::ColumnBalancer::traverseSubtree
  

Minimized Testcase (0.39 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95UljlHlIIJTapOJ-iSRsLLzJlV7o6Lrlz-uRrtYID0uLJ_JKWzCBFKJ0TM6iqdw55UwdzzlBcW7XbyRRefT8SVjIuh0R3pfE8L_S8pRU9YOIeRkYmNb-clsmrgGW20-fPeFdPLZvUHd-zoA-HX0ZZ1FK-Igw
  <style>
   #test {
}
div div {
	background: white;
	width: 300px;

	display: flex;
	flex-wrap: wrap;
}
p {
	color: white;
	margin: 1em;
	width: 200px;
  </style>
  <div id="test">
   <div>
    <p>
<p>
     damer
    <p>
     damer
    </p>
    <p>
     damer
  <style>
   html, body { -webkit-column-count: 2000000000; -webkit-column-width: 0; }
  </style>
  // Functions overridden for fuzzing.


Filer: kavvaru

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by kavvaru@chromium.org, Apr 25 2016

Components: Tools>Test>FindIt>NoResult Blink
Labels: Te-Logged M-51
Owner: msten...@opera.com
Status: Assigned (was: Available)
Findit tool information
=====================
Exception while running FindIt:
Traceback (most recent call last):
File "/mnt/scratch0/clusterfuzz/src/tools/suspected_cl.py", line 197, in main
**keyword_args))
File "/mnt/scratch0/clusterfuzz/src/tools/findit/findit_for_clusterfuzz.py", line 331, in FindCulpritCLs
crashing_component_repo_url)
File "/mnt/scratch0/clusterfuzz/src/tools/findit/deps_wrapper.py", line 361, in GetParsedDeps
GetChromiumComponentToCrashRevisionDict(chrome_crash_revision))
File "/mnt/scratch0/clusterfuzz/src/tools/findit/deps_wrapper.py", line 167, in GetChromiumComponentToCrashRevisionDict
chrome_crash_revision)
File "/mnt/scratch0/clusterfuzz/src/tools/findit/chromium_deps.py", line 142, in GetChromiumComponents
deps, deps_os = _ParseDEPS(deps_content)
File "/mnt/scratch0/clusterfuzz/src/tools/findit/chromium_deps.py", line 39, in _ParseDEPS
exec(content, global_scope, local_scope)
File "", line 91, in 
NameError: name 'From' is not defined
=============================

Through code search on file "ColumnBalancer.cpp" suspecting the below change
https://chromium.googlesource.com/chromium/src/+/5b65a57f38f0260e21b8ec190d201ae2504d73e5%5E%21/

mstensho @ could you please look into this issue if it is related to your change,else please help us in finding the appropriate owner for this issue.

Thanks,

Comment 2 by msten...@opera.com, Apr 25 2016 

Not caused by that change, but certainly something for me to fix, nevertheless.

Comment 3 by msten...@opera.com, Apr 25 2016 

Probably triggered by https://codereview.chromium.org/1909233002/ , but that just means that it's an older bug, that could just as easily be reproduced by specifying "orphans:2; widows:2;" in the test.

Comment 4 by msten...@opera.com, Apr 25 2016 

Looks like we have issues in general when fragmenting a flexbox. See bug 606350. May have to fix that first.

Comment 5 by jianli@chromium.org, Apr 25 2016

Components: -Blink Blink>Layout>Flexbox

Comment 6 by e...@chromium.org, Jun 28 2016

Labels: -Pri-1 Pri-2
Project Member

Comment 7 by ClusterFuzz, Sep 21 2016 

ClusterFuzz has detected this issue as fixed in range 392720:392734.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5874160424714240

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  isFirstAfterBreak(lineTopInFlowThread) || !line.paginationStrut() || !isLogicalT
  blink::InitialColumnHeightFinder::examineLine
  blink::ColumnBalancer::traverseSubtree
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=361738:361835
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=392720:392734

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94HQhZwKEjNTrI_3ylKyghHpG6FioAIjraEFXB1ZukTJRuvahIuyi82Fn2iXy8ICUTvRnBiaYG5Iy8M99qvXLd2S-KGDsOzr8P8LjWtPYsR_kmwKJ2fJtdFlMvFvbStihFd7gpEzEKaYE6zZx8--mzzX06Bqw?testcase_id=5874160424714240
<style>
   #test {
}
div div {
	width: 300px;
	display: flex;
	flex-wrap: wrap;
}
p {
	width: 200px;
</style>
  <div>
   <div>
     damer
    </p>
    <style>
   html, body { -webkit-column-count: 2000000000;</style>
   This test should not crash.


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Sep 21 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 9 by kateso...@chromium.org, Oct 18 2016

Components: -Tools>Test>FindIt>NoResult
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment