Issue 607451


Issue metadata

Status: Fixed
Closed: Apr 2016
OS: Linux, Windows
Pri: 1
Type: Bug-Regression

Crash in blink::LayoutBlockFlow::checkPaginationAndFloatsAtEndLine

Reported by ClusterFuzz (Project Member), Apr 28 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4695450237534208

Fuzzer: marty_html_twiddler
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000058
Crash State:
  blink::LayoutBlockFlow::checkPaginationAndFloatsAtEndLine
  blink::LayoutBlockFlow::matchedEndLine
  blink::LayoutBlockFlow::layoutRunsAndFloatsInRange
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=389686:389722

Minimized Testcase (0.84 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97By6G3aboaF9bueMHyipJz-Rpuqk8D39mEyEglIrNWqMeZ5EFS3IUlDzqPOhukm8RZC-CP8GRywYnk-NNOECiBQDaon61KaCEtGfAzqgVY_31cH3MTVJGYaIoyaW_bSdU_pog6mhzzAQhQdZhUJdm8CpW7FQ
<style>
/* The three elements below end up as a line, a float and a compact box inside the same block flow. */
.c0 { display: compact; border-style: solid; }
.c3:not(table) { float: left; }
.c13 { overflow: scroll; padding-right: 100%; } /* closing brace added; the CSS parser auto-closes the last rule at end of sheet anyway */
</style>
<script>
var nodes = Array();
var text = Array();
nodes[55] = document.createElement('h1');   // never inserted into the document: stays detached
nodes[58] = document.createElement('em');
nodes[58].setAttribute('class', 'c13');
document.documentElement.appendChild(nodes[58]);
nodes[59] = document.createElement('progress');
nodes[59].setAttribute('class', 'c3');      // float: left
document.documentElement.appendChild(nodes[59]);
nodes[60] = document.createElement('sup');
nodes[60].setAttribute('class', 'c0');      // display: compact
document.documentElement.appendChild(nodes[60]);
text[40] = document.createTextNode('arnulzktbhfscgwcacdqxkasrazwgeivljuzxhspesajoddkdplzvey');
// After the first layout, move the <em> (and the line it produced) into the detached <h1>,
// which removes that line from the rendered tree before the next layout pass.
setTimeout('try { nodes[55].appendChild(nodes[58]); } catch(e) {}');
nodes[58].appendChild(text[40]);            // runs before the timeout fires: the <em> gets its text line first
</script>


Filer: kavvaru

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>Layout
Labels: -Type-Bug Te-Logged M-52 Type-Bug-Regression
Owner: msten...@opera.com
Status: Assigned (was: Available)
Find it tool information
==============
The result is a list of CLs that change the crashed files.

Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ebfc536321dddcab1696da3d87edf9115026be42
Time: Tue Apr 26 07:39:58 2016
Line 1828 of file LayoutBlockFlowLine.cpp, which potentially caused the crash, is changed in this CL (frame #1, "blink::LayoutBlockFlow::checkPaginationAndFloatsAtEndLine").
Minimum distance from crash line to modified line: 0. (file: LayoutBlockFlowLine.cpp, crashed on: 1828, modified: 1828).

Suspected Project: chromium
Suspected Component: Blink>Layout
===================

mstensho@ could you please look into this issue if it is related to your change, else please route this to an appropriate owner for this issue.

Thanks,
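The two pieces of automation quoted above, the ClusterFuzz report header and the Find it culprit search, are easy to reproduce in a few lines. The following Python is an added example, not ClusterFuzz or Findit code: it parses the report fields exactly as printed in the issue description, classifies the faulting address, and applies the minimum-distance heuristic (crash line versus lines touched by a CL) over unified diffs. The diff bodies, the second changelist, the `NULL_PAGE` threshold and the `Frame`/`Report` types are constructed assumptions; the real diff of the CL named above is not on this page, only its hunk position (line 1828) is.

```python
import re
from dataclasses import dataclass

# Assumption: the first page of the address space is unmapped, so any access below
# this boundary is a NULL base pointer plus a small field offset.
NULL_PAGE = 0x1000

# Report fields copied from the issue description above.
REPORT = """\
Crash Type: UNKNOWN READ
Crash Address: 0x00000058
Crash State:
  blink::LayoutBlockFlow::checkPaginationAndFloatsAtEndLine
  blink::LayoutBlockFlow::matchedEndLine
  blink::LayoutBlockFlow::layoutRunsAndFloatsInRange
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=389686:389722
"""

@dataclass
class Report:
    crash_type: str
    crash_address: int
    crash_state: list
    regressed_range: tuple

def parse_report(text):
    """Pull the fields a triager keys on out of a ClusterFuzz report."""
    crash_type = re.search(r"^Crash Type: (.+)$", text, re.M).group(1).strip()
    address = int(re.search(r"^Crash Address: (0x[0-9a-fA-F]+)", text, re.M).group(1), 16)
    block = re.search(r"^Crash State:\n((?:[ \t]+\S.*\n)+)", text, re.M).group(1)
    rng = re.search(r"range=(\d+):(\d+)", text)
    return Report(crash_type, address, [s.strip() for s in block.splitlines()],
                  (int(rng.group(1)), int(rng.group(2))) if rng else None)

def classify_address(report):
    """Cheap exploitability hint from the faulting address alone."""
    op = "write" if "WRITE" in report.crash_type.upper() else "read"
    if report.crash_address < NULL_PAGE:
        return "null-page " + op   # NULL + field offset: a crash, not a corruption primitive
    return "wild " + op            # needs a real look: UAF, OOB or type confusion are all possible

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def touched_lines(diff_text):
    """Map each new-side path of a unified diff to the new-file line numbers it touches."""
    touched, path, new_line = {}, None, 0
    for line in diff_text.splitlines():
        m = HUNK_RE.match(line)
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            touched.setdefault(path, set())
        elif line.startswith(("diff ", "index ", "--- ", "\\")) or path is None:
            continue
        elif m:
            new_line = int(m.group(1))
        elif line.startswith("+"):
            touched[path].add(new_line)   # added or replaced line
            new_line += 1
        elif line.startswith("-"):
            touched[path].add(new_line)   # deletion: the new-side line now at this position
        else:
            new_line += 1                 # unchanged context line
    return touched

@dataclass
class Frame:
    function: str
    path: str   # basename is enough: the Find it output above only reports the file name
    line: int

def min_distance(touched, frame):
    """Smallest |touched line - crash line| over files matching the frame, or None."""
    dists = [abs(n - frame.line) for path, lines in touched.items()
             if path == frame.path or path.endswith("/" + frame.path) for n in lines]
    return min(dists) if dists else None

def rank_changelists(changelists, frames):
    """Return [(cl, distance, frame_index)] with the most suspicious CL first."""
    ranked = []
    for cl, diff in changelists.items():
        touched = touched_lines(diff)
        hits = [(d, i) for i, f in enumerate(frames) for d in [min_distance(touched, f)] if d is not None]
        if hits:
            d, i = min(hits)
            ranked.append((cl, d, i))
    return sorted(ranked, key=lambda t: (t[1], t[2]))

# Constructed diffs: only the hunk positions matter, the bodies are placeholders.
CL_A = """\
--- a/third_party/WebKit/Source/core/layout/LayoutBlockFlowLine.cpp
+++ b/third_party/WebKit/Source/core/layout/LayoutBlockFlowLine.cpp
@@ -1827,3 +1827,3 @@
     // placeholder context
-    // placeholder removed line
+    // placeholder replacement line
     // placeholder context
"""
CL_B = """\
--- a/third_party/WebKit/Source/core/layout/LayoutBlockFlowLine.cpp
+++ b/third_party/WebKit/Source/core/layout/LayoutBlockFlowLine.cpp
@@ -40,2 +40,3 @@
     // placeholder context
+    // placeholder added line
     // placeholder context
"""
# Frame taken from the Find it output above: frame #1 crashed at LayoutBlockFlowLine.cpp:1828.
CRASH_FRAMES = [Frame("blink::LayoutBlockFlow::checkPaginationAndFloatsAtEndLine",
                      "LayoutBlockFlowLine.cpp", 1828)]
```

Running `rank_changelists({"ebfc536": CL_A, "other": CL_B}, CRASH_FRAMES)` puts the CL that touched line 1828 first with distance 0, which is the same verdict the Find it section reports. `classify_address` returns "null-page read" for this report: 0x58 is far below the first mapped page, so the read is a NULL base pointer plus a field offset, which is consistent with the fix's explanation that lastRootBox() could return nullptr, and it tells the triager this is a crash rather than a memory-corruption primitive.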

Comment 2 by msten...@opera.com, Apr 28 2016

Yes, this crash is caused by that commit.
Issue 607473 has been merged into this issue.

Comment 4 by sheriffbot@chromium.org (Project Member), Apr 28 2016

Labels: OS-Windows Fracas
Users experienced this crash on the following builds:

Win Canary 52.0.2719.0 -  0.47 CPM, 3 reports, 2 clients (signature blink::LayoutBlockFlow::checkPaginationAndFloatsAtEndLine)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

Comment 5 by bugdroid1@chromium.org (Project Member), Apr 28 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7c96d3817765ae0d848bdf2962c7cc1c52384848

commit 7c96d3817765ae0d848bdf2962c7cc1c52384848
Author: mstensho <mstensho@opera.com>
Date: Thu Apr 28 22:25:27 2016

Old lines may be detached / extracted during layout.

Back out over-simplified code from https://codereview.chromium.org/1915803004/

Since lines from an old layout pass that haven't yet been relaid out may not be
in the line box list at all at some given point during layout, lastRootBox()
didn't work as expected. It would either return the wrong last-line, or even
nullptr.

BUG=607451

Review-Url: https://codereview.chromium.org/1927913002
Cr-Commit-Position: refs/heads/master@{#390508}

[add] https://crrev.com/7c96d3817765ae0d848bdf2962c7cc1c52384848/third_party/WebKit/LayoutTests/fast/block/float/remove-line-above-float-above-line-crash-expected.txt
[add] https://crrev.com/7c96d3817765ae0d848bdf2962c7cc1c52384848/third_party/WebKit/LayoutTests/fast/block/float/remove-line-above-float-above-line-crash.html
[modify] https://crrev.com/7c96d3817765ae0d848bdf2962c7cc1c52384848/third_party/WebKit/Source/core/layout/LayoutBlockFlowLine.cpp

Comment 6 by msten...@opera.com, Apr 29 2016

Status: Fixed (was: Assigned)

Comment 7 by ClusterFuzz (Project Member), Apr 29 2016

ClusterFuzz has detected this issue as fixed in range 390456:390527.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4695450237534208

Fuzzer: marty_html_twiddler
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000058
Crash State:
  blink::LayoutBlockFlow::checkPaginationAndFloatsAtEndLine
  blink::LayoutBlockFlow::matchedEndLine
  blink::LayoutBlockFlow::layoutRunsAndFloatsInRange
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=389686:389722
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=390456:390527

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
