Issue metadata
ASSERTION FAILED: !object || (object->isBox())
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5710636675235840
Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
ASSERTION FAILED: !object || (object->isBox())
blink::valueForPositionOffset
blink::ComputedStyleCSSValueMapping::get
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=385470:385989
Minimized Testcase (1.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96tjUEekqGFAF-RlwyYVG8J9ILajHxS7sU3c-aC1EQWOgNwbi912p4B--oaTOHHoGMoVw3rJhyTjiEVnKa2ai1MwlH6HNimzMt_5dlhUEyV-U2UF0rFpbZwK0tqlvDPoL_VAPKs3WOFKX9Zr_8yGqZwCUJ1Rw
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 11 2016
LayoutObject change is suspicious so +wangxianzhu could you take a look?
,
May 11 2016
,
May 11 2016
,
May 11 2016
I don't think this is a recent regression. Clusterfuzz's regression range is not trustworthy (bug 540799).
Attached a reduced test case.
It seems that valueForPositionOffset() mistakenly assumes that a positioned object with position properties is a LayoutBox, but it's actually a LayoutInline ('dfn', with 'position: relative; bottom: 1%').
,
May 23 2016
keishi@: any update on this security bug? Thanks!
,
May 25 2016
keishi: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 26 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5980828698148864
Uploader: aarya@google.com
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x2bbeadc3c000
Crash State:
Bad-cast to const blink::LayoutBox from blink::LayoutInline
LayoutBox.h:1136:1
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=388178:388349
Minimized Testcase (1.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv965rtlgicR366qxAKRLQ5o-fwtlpvVc1vmq5qgvz7Mh01gKTCKQuI6rxIeMfD1A5L6aZxumaJXUJU-ZIDct9AWpbEWjmKeptaLg-9yM63xDWIsx2jHUL1EJrx0EcHCNHILvEemobZNEouTFbsNiq-BJtrg40w
Filer: aarya
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 26 2016
,
May 27 2016
Could the Layout team look at this? If layoutObject->isBox() is true why could it be a LayoutInline?
,
May 27 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5045782088777728
Uploader: aarya@google.com
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x3b06aa83c000
Crash State:
Bad-cast to const blink::LayoutBox from blink::LayoutInline
LayoutBox.h:1136:1
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=388178:388349
Minimized Testcase (1.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94MhOh8r-hIy1fO2fFtftcagtGdD4GgAqAIsFsYqYALWUTpPkzi-g5TydzD8MFpNIIsYQvwvvjllHmXSWHsJj-YhU7qnGDNbwCMymEg9kKIFPk7RJ8TngfaM2TNXPW8K7u2_QaM-iqqavtrcpWp22yYC7Lj2g
Filer: aarya
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 27 2016
Regression range with both chrome and content shell comes out as https://chromium.googlesource.com/chromium/src/+log/e17c9bf09576c44cc42c768204419e0dbf5fb9ab..a5feb1b78ec66b66f8aee604c3695c73863c2a34?pretty=fuller. Let's try guessing the culprit; if we find it, we can just revert.
,
May 27 2016
Verified locally that the regression is f3b023bb8511c3734d1207e9cf78c61f67826af0 [https://chromium.googlesource.com/chromium/src//+/f3b023bb8511c3734d1207e9cf78c61f67826af0%5E%21/#F11]. We can't revert it since another change went on top of it [https://chromium.googlesource.com/chromium/src//+/c8291dea8bfa84ab9a3220fb9f57eb059e913a05].
,
May 27 2016
The CL is a reland of https://codereview.chromium.org/1826423003. khart@codeaurora.org can you take a look? You can use the test case in #5 to reproduce the bug.
,
May 27 2016
khart@codeaurora.org, you just need to add layoutObject->isBox() at the three places in your patch. See its cast check use in other places in this file as well.
,
Jun 2 2016
khart@codeaurora.org: Please take a look at this security bug and let us know an ETA for the fix. Thanks!
,
Jun 3 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5045782088777728
Uploader: aarya@google.com
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x3b06aa83c000
Crash State:
Bad-cast to const blink::LayoutBox from blink::LayoutInline
LayoutBox.h:1136:1
Recommended Security Severity: High
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97Tkoag4MrQrc2Tiwu9_cITAQHglARK48gFbKwGUnwS9BIpwHiZy7-PYkUMW9TSwaVS9PwEvzNszlh7cyGXaOWCSeUq8z59M_ny-p3SzY-qWM5nhX8yBAdybHu54zSzJqVJL4qwTwCkdL5brPnFLyi1Sr4-iw
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 8 2016
khart: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5045782088777728
Uploader: aarya@google.com
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x09bf1303c000
Crash State:
Bad-cast to const blink::LayoutBox from blink::LayoutInline
blink::valueForPositionOffset
blink::ComputedStyleCSSValueMapping::get
Recommended Security Severity: High
Minimized Testcase (1.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97yIjxN2O6eHwUcZZkG13OJSvL7WIsi2WHOPmhozQhLfhdaJOwPANKW2tYMfwqlSw-zJzudNnzOZ7NBbKzZOEsOiJdoIxkgMSQjH_O5BV1Ojex3LaCPa45Bp8I3UY43pSj54HJQMC3sdnES6Cxt70T1kN_txA
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 12 2016
wangxianzhu@chromium.org - can you please revert or fix as per c#15?
,
Jun 12 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5466499896836096
Uploader: inferno@chromium.org
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x34ef3f63c000
Crash State:
Bad-cast to const blink::LayoutBox from blink::LayoutInline
blink::valueForPositionOffset
blink::CSSComputedStyleDeclaration::getPropertyCSSValue
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=385466:385470
Minimized Testcase (1.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ag9BG-F-u1omqs-zPGEIRkX5I-WmDQy5dsxZAjtwPSCx6RuxJtJCE7h2dUVYG3uj8-9cNA-tnmCCX0C0CcDwduEEexlRZ80JjA3Nm2-xEHPaGhvocuWa2SV2iKfYVj5xSgLvdzIawi9fcJqoTT1Y8Rqxypg
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 12 2016
Sorry, I'm not familiar with the styling system and not sure if adding an isLayoutBox check is correct for styling, that is, whether the getComputedStyle rule applies to relative-positioned inline objects. timloh@ can you take a look?
,
Jun 16 2016
Issue 619369 has been merged into this issue.
,
Jun 16 2016
Any update on this bug as it is marked as M52 stable blocker?
,
Jun 27 2016
Sorry for being out-of-contact, looking at this now.
,
Jun 27 2016
** IMPORTANT change in M52 merge date due to first 2 weeks of July no release weeks ** M52 Stable is launching very soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged ASAP. All changes MUST be merged into the release branch by 5pm on July 1 to make into the desktop Stable final build cut. Thank you!
,
Jun 27 2016
,
Jun 29 2016
Uploading a new patch shortly, but relative-positioned inline objects are not returning used values as they should per the spec. I've tried every variant of container and width I could think of, but I can't get the width of the container of a non-box layout object. (everything returns 0). So I can't calculate the used value for a % or calc value for left or right. layoutObject->containingBlock()->availableLogicalHeight(ExcludeMarginBorderPadding) seems to work for the height. If anyone can point me in the right direction I'd love to get everything returning used values.
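The unchecked downcast the thread describes (a relative-positioned LayoutInline reaching code that assumes a LayoutBox) next to the isBox() guard the fix adds, as an added C++ illustration that is not Blink's code: the LayoutObject/LayoutBox/LayoutInline stand-ins, Length, CSSValue and both valueForPositionOffset variants are hypothetical, and returning the unresolved percentage for non-box objects is this example's assumption.

```cpp
#include <cassert>

// Stand-ins for Blink's layout tree (added illustration, not Blink code);
// only the type predicate that matters for this bug is modelled.
struct LayoutObject {
    virtual ~LayoutObject() = default;
    virtual bool isBox() const { return false; }
    int containingBlockWidth = 0;   // hypothetical, in px
};
struct LayoutBox : LayoutObject {
    bool isBox() const override { return true; }
};
// A relative-positioned <dfn> or <ruby> lands here, not in LayoutBox.
struct LayoutInline : LayoutObject {};

// Checked downcast in the spirit of Blink's type casts. The assert is the
// "!object || (object->isBox())" from the report; in a release build it is
// compiled out and the static_cast is the bad-cast UBSan flagged.
const LayoutBox* toLayoutBox(const LayoutObject* object) {
    assert(!object || object->isBox());
    return static_cast<const LayoutBox*>(object);
}

// Hypothetical offset value: px, or a percentage of the containing block
// (as for 'left: 10%' or 'bottom: 1%').
struct Length { bool isPercent; double value; };
// Result of the lookup: resolved px, or the unresolved percentage.
struct CSSValue { double value; bool isPercent; };

// Before the fix: every positioned object is assumed to be a box. Calling
// this with a LayoutInline is the crash from the thread, so it is only
// exercised with a LayoutBox below.
CSSValue valueForPositionOffsetUnguarded(Length offset, const LayoutObject* object) {
    if (offset.isPercent && object) {
        const LayoutBox* box = toLayoutBox(object);
        return {offset.value * box->containingBlockWidth / 100.0, false};
    }
    return {offset.value, offset.isPercent};
}

// After the fix: resolve against the containing block only when the object
// really is a LayoutBox. Returning the computed (unresolved) value for
// non-box objects is this example's assumption, not necessarily Blink's.
CSSValue valueForPositionOffsetGuarded(Length offset, const LayoutObject* object) {
    if (offset.isPercent && object && object->isBox()) {
        const LayoutBox* box = toLayoutBox(object);
        return {offset.value * box->containingBlockWidth / 100.0, false};
    }
    return {offset.value, offset.isPercent};
}

// Constructed sample cases exercising both object kinds.
double resolvedOnBox(double percent, int cbWidth) {
    LayoutBox box;
    box.containingBlockWidth = cbWidth;
    return valueForPositionOffsetGuarded({true, percent}, &box).value;
}
CSSValue guardedOnInline(double percent) {
    LayoutInline inl;
    inl.containingBlockWidth = 200;   // the unguarded path would have read this
    return valueForPositionOffsetGuarded({true, percent}, &inl);
}
double unguardedOnBox(double percent, int cbWidth) {
    LayoutBox box;
    box.containingBlockWidth = cbWidth;
    return valueForPositionOffsetUnguarded({true, percent}, &box).value;
}
```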
,
Jul 1 2016
M52 Stable is launching very soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged ASAP. All changes MUST be merged into the release branch by 5pm on July 8th (in case you missed today's 5:00 PM PST deadline) to make into the desktop Stable final build cut. Thank you!
,
Jul 2 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5980828698148864
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x2bbeadc3c000
Crash State:
Bad-cast to const blink::LayoutBox from blink::LayoutInline
LayoutBox.h:1136:1
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=388178:388349
Minimized Testcase (1.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv965rtlgicR366qxAKRLQ5o-fwtlpvVc1vmq5qgvz7Mh01gKTCKQuI6rxIeMfD1A5L6aZxumaJXUJU-ZIDct9AWpbEWjmKeptaLg-9yM63xDWIsx2jHUL1EJrx0EcHCNHILvEemobZNEouTFbsNiq-BJtrg40w?testcase_id=5980828698148864
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 2 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5466499896836096
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x34ef3f63c000
Crash State:
Bad-cast to const blink::LayoutBox from blink::LayoutInline
blink::valueForPositionOffset
blink::CSSComputedStyleDeclaration::getPropertyCSSValue
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=385470:385504
Minimized Testcase (1.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ag9BG-F-u1omqs-zPGEIRkX5I-WmDQy5dsxZAjtwPSCx6RuxJtJCE7h2dUVYG3uj8-9cNA-tnmCCX0C0CcDwduEEexlRZ80JjA3Nm2-xEHPaGhvocuWa2SV2iKfYVj5xSgLvdzIawi9fcJqoTT1Y8Rqxypg?testcase_id=5466499896836096
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 2 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5045782088777728
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x09bf1303c000
Crash State:
Bad-cast to const blink::LayoutBox from blink::LayoutInline
blink::valueForPositionOffset
blink::ComputedStyleCSSValueMapping::get
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=388178:388349
Minimized Testcase (1.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97yIjxN2O6eHwUcZZkG13OJSvL7WIsi2WHOPmhozQhLfhdaJOwPANKW2tYMfwqlSw-zJzudNnzOZ7NBbKzZOEsOiJdoIxkgMSQjH_O5BV1Ojex3LaCPa45Bp8I3UY43pSj54HJQMC3sdnES6Cxt70T1kN_txA?testcase_id=5045782088777728
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 2 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5980828698148864
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x2bbeadc3c000
Crash State:
Bad-cast to const blink::LayoutBox from blink::LayoutInline
LayoutBox.h:1136:1
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=388178:388349
Minimized Testcase (1.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv965rtlgicR366qxAKRLQ5o-fwtlpvVc1vmq5qgvz7Mh01gKTCKQuI6rxIeMfD1A5L6aZxumaJXUJU-ZIDct9AWpbEWjmKeptaLg-9yM63xDWIsx2jHUL1EJrx0EcHCNHILvEemobZNEouTFbsNiq-BJtrg40w?testcase_id=5980828698148864
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/86d16a615d6e9abf6d991f430b496c26a4271d10

commit 86d16a615d6e9abf6d991f430b496c26a4271d10
Author: khart <khart@codeaurora.org>
Date: Fri Jul 08 09:44:13 2016

Fix getComputedStyle for non-box-layout elements

This fixes a crash introduced by https://codereview.chromium.org/1826423003/
Code that treated a layout object as a Box layout was not properly guarded by isBox. This caused a crash when calling getComputedStyle on positioned non-box elements, e.g. <ruby>.

R=mstensho@opera.com
BUG= 610986

Review-Url: https://codereview.chromium.org/2102843002
Cr-Commit-Position: refs/heads/master@{#404336}

[modify] https://crrev.com/86d16a615d6e9abf6d991f430b496c26a4271d10/third_party/WebKit/LayoutTests/fast/css/getComputedStyle/getComputedStyle-resolved-values-expected.txt
[modify] https://crrev.com/86d16a615d6e9abf6d991f430b496c26a4271d10/third_party/WebKit/LayoutTests/fast/css/getComputedStyle/getComputedStyle-resolved-values.html
[modify] https://crrev.com/86d16a615d6e9abf6d991f430b496c26a4271d10/third_party/WebKit/Source/core/css/ComputedStyleCSSValueMapping.cpp
,
Jul 8 2016
Landed https://codereview.chromium.org/2102843002, please verify and close bug.
,
Jul 8 2016
ClusterFuzz has detected this issue as fixed in range 404238:404340.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5710636675235840
Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
!object || (object->isBox())
blink::valueForPositionOffset
blink::ComputedStyleCSSValueMapping::get
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=385470:385989
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=404238:404340
Minimized Testcase (1.29 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97XrnRbG-3mYQ6T-SQ5Xuq_J9-bUczQ7UKH8P92gg_OBvnt--cnq2exfsjXwX538QczSI5AVvSYXAmdUTNHrCrsNJ9tBk-vYUqRl217KVGZyPqVDZX01gWmBGAz7qmazeWN6y7jsJyu60uUAr4-VK4mK07A6g?testcase_id=5710636675235840
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 8 2016
ClusterFuzz has detected this issue as fixed in range 404238:404340.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5045782088777728
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x09bf1303c000
Crash State:
Bad-cast to const blink::LayoutBox from blink::LayoutInline
blink::valueForPositionOffset
blink::ComputedStyleCSSValueMapping::get
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=388178:388349
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=404238:404340
Minimized Testcase (1.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97yIjxN2O6eHwUcZZkG13OJSvL7WIsi2WHOPmhozQhLfhdaJOwPANKW2tYMfwqlSw-zJzudNnzOZ7NBbKzZOEsOiJdoIxkgMSQjH_O5BV1Ojex3LaCPa45Bp8I3UY43pSj54HJQMC3sdnES6Cxt70T1kN_txA?testcase_id=5045782088777728
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 8 2016
ClusterFuzz has detected this issue as fixed in range 404238:404340.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5466499896836096
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x34ef3f63c000
Crash State:
Bad-cast to const blink::LayoutBox from blink::LayoutInline
blink::valueForPositionOffset
blink::CSSComputedStyleDeclaration::getPropertyCSSValue
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=385470:385504
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=404238:404340
Minimized Testcase (1.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ag9BG-F-u1omqs-zPGEIRkX5I-WmDQy5dsxZAjtwPSCx6RuxJtJCE7h2dUVYG3uj8-9cNA-tnmCCX0C0CcDwduEEexlRZ80JjA3Nm2-xEHPaGhvocuWa2SV2iKfYVj5xSgLvdzIawi9fcJqoTT1Y8Rqxypg?testcase_id=5466499896836096
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 8 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jul 9 2016
,
Jul 21 2016
,
Jul 22 2016
+awhalley@ whether to take this merge in for M53 Dev release on Tuesday (07/26). Fix has been verified by ClusterFuzz.
,
Jul 22 2016
,
Jul 22 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
,
Jul 22 2016
Please merge your change to M53 branch 2785 before 5:00 PM PDT Monday (07/25) so it gets picked for next week M53 Dev release. Thank you.
,
Jul 25 2016
Please merge your change to M53 branch 2785 before 5:00 PM PDT today (Monday) so we can pick up for last M53 Dev release tomorrow. Thank you.
,
Jul 25 2016
Won't make this week's M52, but requesting merge in case we roll again.
,
Jul 25 2016
[Automated comment] Less than a week to go before stable on M52, we might already have a stable candidate build. Manual review required.
,
Jul 26 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/77bd3be00df2154feecd4b13e1acced865a286e8

commit 77bd3be00df2154feecd4b13e1acced865a286e8
Author: Greg Kerr <kerrnel@chromium.org>
Date: Mon Jul 25 23:57:02 2016

[merge to m53] Fix getComputedStyle for non-box-layout elements

This fixes a crash introduced by https://codereview.chromium.org/1826423003/
Code that treated a layout object as a Box layout was not properly guarded by isBox. This caused a crash when calling getComputedStyle on positioned non-box elements, e.g. <ruby>.

R=mstensho@opera.com
BUG= 610986

Review-Url: https://codereview.chromium.org/2102843002
Cr-Commit-Position: refs/heads/master@{#404336}
(cherry picked from commit 86d16a615d6e9abf6d991f430b496c26a4271d10)

Review URL: https://codereview.chromium.org/2177243004 .

Cr-Commit-Position: refs/branch-heads/2785@{#347}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/77bd3be00df2154feecd4b13e1acced865a286e8/third_party/WebKit/LayoutTests/fast/css/getComputedStyle/getComputedStyle-resolved-values-expected.txt
[modify] https://crrev.com/77bd3be00df2154feecd4b13e1acced865a286e8/third_party/WebKit/LayoutTests/fast/css/getComputedStyle/getComputedStyle-resolved-values.html
[modify] https://crrev.com/77bd3be00df2154feecd4b13e1acced865a286e8/third_party/WebKit/Source/core/css/ComputedStyleCSSValueMapping.cpp
,
Jul 28 2016
Baked in dev long enough to request merge to M52.
,
Jul 28 2016
Approving merge to M52 branch 2743 based on comment #53. Please merge ASAP. Thank you.
,
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/80f75d22cbf0e231b11e1edc23de2bcbe506c9e6

commit 80f75d22cbf0e231b11e1edc23de2bcbe506c9e6
Author: awhalley <awhalley@chromium.org>
Date: Fri Jul 29 18:43:04 2016

[Merge to M52] Fix getComputedStyle for non-box-layout elements

This fixes a crash introduced by https://codereview.chromium.org/1826423003/
Code that treated a layout object as a Box layout was not properly guarded by isBox. This caused a crash when calling getComputedStyle on positioned non-box elements, e.g. <ruby>.

BUG= 610986

Review-Url: https://codereview.chromium.org/2102843002
Cr-Commit-Position: refs/heads/master@{#404336}
(cherry picked from commit 86d16a615d6e9abf6d991f430b496c26a4271d10)

NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Review-Url: https://codereview.chromium.org/2194933002
Cr-Commit-Position: refs/branch-heads/2743@{#709}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/80f75d22cbf0e231b11e1edc23de2bcbe506c9e6/third_party/WebKit/LayoutTests/fast/css/getComputedStyle/getComputedStyle-resolved-values-expected.txt
[modify] https://crrev.com/80f75d22cbf0e231b11e1edc23de2bcbe506c9e6/third_party/WebKit/LayoutTests/fast/css/getComputedStyle/getComputedStyle-resolved-values.html
[modify] https://crrev.com/80f75d22cbf0e231b11e1edc23de2bcbe506c9e6/third_party/WebKit/Source/core/css/ComputedStyleCSSValueMapping.cpp
,
Oct 15 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, May 11 2016
Components: Blink>CSS
Labels: M-52 Pri-2
Owner: keishi@chromium.org