Issue 611354

Issue metadata

Status: Duplicate
Merged: issue 611060
Owner:
Closed: May 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Crash in blink::PaintLayer::clearClipRectsCache

Project Member Reported by ClusterFuzz, May 12 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5160482612183040

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000098
Crash State:
  blink::PaintLayer::clearClipRectsCache
  blink::PaintLayerClipper::clearClipRectsIncludingDescendants
  blink::LayoutBoxModelObject::styleWillChange
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=392834:392865

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97thcfYoK7E4cVvXFnvqBRF6BxbBH9Ets4x64tm78dNx8oL4sBfrdqejpAoFoyOFT8q5Fl1z6yjerWL-eof1DoxXcT8wzfEDBhWecFdfVHrHpowf2-cFZ7ZPnPZu_UEtD9CUa7ZnyJscOvurDWMDrpeZl_SdHex940l8EGL051kWDS0wx8


Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
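Reading the report above: a fault address of 0x98 lies far below any mappable page, so the UNKNOWN READ is a read through a null base pointer at a member offset, not a wild read at an attacker-influenced address. The following C++ triage helper is an added example, not code from this issue, ClusterFuzz or Chromium: it parses the Crash Type / Crash Address / Crash State block in the form ClusterFuzz prints it and applies the near-null heuristic. The LayerLike layout, the kNullPageLimit threshold and the parseReport/classify names are assumptions made for illustration; the report text is copied from the description above as a constructed string.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Constructed stand-in for an object with a member at offset 0x98. This is
// NOT blink::PaintLayer's real layout (an assumption for illustration); it
// shows why a read through a null base pointer faults at an address equal
// to the member's offset rather than at 0.
struct LayerLike {
    unsigned char earlier_members[0x98];  // hypothetical preceding fields
    void* clip_rects_cache;               // hypothetical member at +0x98
};
static_assert(offsetof(LayerLike, clip_rects_cache) == 0x98, "layout");

struct CrashReport {
    std::string crash_type;
    std::uintptr_t crash_address = 0;
    std::vector<std::string> frames;  // "Crash State" lines, innermost first
};

static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    std::size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    std::size_t e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

static std::string toHex(std::uintptr_t v) {
    std::ostringstream o;
    o << std::hex << v;
    return o.str();
}

// Parses the "Crash Type / Crash Address / Crash State" block as ClusterFuzz
// prints it in the issue description.
CrashReport parseReport(const std::string& text) {
    CrashReport r;
    std::istringstream in(text);
    std::string line;
    bool inState = false;
    while (std::getline(in, line)) {
        if (line.rfind("Crash Type:", 0) == 0) {
            r.crash_type = trim(line.substr(11));
            inState = false;
        } else if (line.rfind("Crash Address:", 0) == 0) {
            // std::stoull with base 16 accepts the leading "0x".
            r.crash_address = std::stoull(trim(line.substr(14)), nullptr, 16);
            inState = false;
        } else if (line.rfind("Crash State:", 0) == 0) {
            inState = true;
        } else if (inState) {
            std::string frame = trim(line);
            if (frame.empty()) inState = false;  // blank line ends the state
            else r.frames.push_back(frame);
        }
    }
    return r;
}

// Triage heuristic (an assumption, not ClusterFuzz's exact rule): a fault
// address below the lowest mappable range means the base pointer was null
// and the address is just the member offset. That is a crash/DoS bug, not a
// memory-safety one, unless input can push the offset past the guard pages.
constexpr std::uintptr_t kNullPageLimit = 0x10000;

std::string classify(const CrashReport& r) {
    if (r.crash_address < kNullPageLimit)
        return "null-pointer dereference (base nullptr, member offset 0x" +
               toHex(r.crash_address) + ")";
    return "non-null " + r.crash_type + " at 0x" + toHex(r.crash_address) +
           ": treat as potential memory corruption until proven otherwise";
}

// Report text copied from the issue description above (constructed literal).
const char* const kReport =
    "Crash Type: UNKNOWN READ\n"
    "Crash Address: 0x000000000098\n"
    "Crash State:\n"
    "  blink::PaintLayer::clearClipRectsCache\n"
    "  blink::PaintLayerClipper::clearClipRectsIncludingDescendants\n"
    "  blink::LayoutBoxModelObject::styleWillChange\n"
    "  \n";

int main() {
    CrashReport r = parseReport(kReport);
    std::cout << r.crash_type << " -> " << classify(r) << "\n";
    for (const std::string& f : r.frames) std::cout << "  " << f << "\n";
    return 0;
}
```

The same offset logic runs in reverse during triage: once the crashing frame is known, the offset 0x98 can be matched against the member layout of the object the frame reads (here, whatever clearClipRectsCache touches on a PaintLayer) to confirm which pointer was null before deciding severity.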
 
Components: Blink>Layout Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 findit-for-crash Te-Logged M-52 Pri-2
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Available)
Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/2848739b13b1f454930307439ba00ddd55bb9b40
Time: Wed May 11 05:33:37 2016
Line 169 of file LayoutBoxModelObject.cpp, which potentially caused the crash, is changed in this CL (frame #3, "blink::LayoutBoxModelObject::styleWillChange").

File LayoutBox.cpp is changed in this cl (and is part of stack frame #4, "blink::LayoutBox::styleWillChange")
Minimum distance from crash line to modified line: 0. (file: LayoutBoxModelObject.cpp, crashed on: 169, modified: 169).

Suspected Project: chromium
Suspected Component: Blink>Layout

@wangxianzhu: Could you please look into the issue, and if it has nothing to do with your changes, please assign it to the concerned owner if possible.

Thank you.
Project Member Comment 2 by ClusterFuzz, May 12 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5160482612183040

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mergedinto: 611060
Status: Duplicate (was: Assigned)
Project Member Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
