Issue 616993 link

Starred by 0 users

Issue metadata

Status:	Fixed
Owner:	fmalita@chromium.org
Closed:	Jun 2016
Cc:	f...@opera.com fmalita@chromium.org infe...@chromium.org █ ashej...@chromium.org ajha@google.com style-bugs@google.com
Components:	Blink>CSS
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug-Regression
Te-Logged Stability-Crash Reproducible Stability-Memory-AddressSanitizer Clusterfuzz

ASSERTION FAILED: adjustedR0 <= adjustedR1

Project Member Reported by ClusterFuzz, Jun 3 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6079343654862848

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: adjustedR0 <= adjustedR1
  blink::adjustGradientRadiiForOffsetRange
  blink::CSSGradientValue::addStops
  

Minimized Testcase (0.18 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94awMf6-_a2GAKKfR96ClpuIHbqgrkuDGWRRuBjg4LXP4F8oKUA1uukcdObq4ejqc-9TnX2sqQ9X5fm5PKuO_43IJkn7jiVjnuV7tY709LyswTzgBnHfmUlPrf0ybhu6sJzKhKuAkT3ffStzcSxw0gO3DOLyg

Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ajha@chromium.org, Jun 3 2016

Components: Blink>CSS Tools>Test>FindIt>CorrectResult
Labels: -Type-Bug Te-Logged Type-Bug-Regression
Owner: fmalita@chromium.org
Status: Assigned (was: Available)

Suspected CLs	Regression information is not available. The result is the blame information.

Author: fmalita@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8d740ea7e1829561233466f984b04b85a10c917d
Time: Wed Feb 25 03:54:05 2015
The CL last changed line 327 of file CSSGradientValue.cpp, which is stack frame 0.

Author: fmalita@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8d740ea7e1829561233466f984b04b85a10c917d
Time: Wed Feb 25 03:54:05 2015
The CL last changed line 471 of file CSSGradientValue.cpp, which is stack frame 1.

Author: fmalita@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8d740ea7e1829561233466f984b04b85a10c917d
Time: Wed Feb 25 03:54:05 2015
The CL last changed line 1164 of file CSSGradientValue.cpp, which is stack frame 2.

Author: schenney
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4afb23eb3dfc2fb9006ce3b69051cc108c241ba5
Time: Tue Mar 15 23:33:47 2016
The CL last changed line 78 of file CSSGradientValue.cpp, which is stack frame 3.

Author: dsinclair@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/da406c2427ae4c64f0b5cc12e69a3125dd4c2717
Time: Mon Apr 27 20:42:41 2015
The CL last changed line 131 of file CSSImageGeneratorValue.cpp, which is stack frame 4.

Author: dsinclair@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4c40fce76c29acc6e722d6bf48b2c3d761f7cce0
Time: Fri Mar 06 04:41:42 2015
The CL last changed line 73 of file StyleGeneratedImage.cpp, which is stack frame 5.

Author: fmalita
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4c1400381d16b6dcd8921a8f19a2ae9af4aac4cf
Time: Tue May 24 00:53:09 2016
The CL last changed line 351 of file BoxPainter.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>CSS

From the above FindIt result, this looks to be related to change in stack frame 6 by fmalita.

fmalita@: Could you please take a look at this.

Thank you!

Comment 2 by fmalita@chromium.org, Jun 5 2016

Cc: f...@opera.com

Project Member

Comment 3 by bugdroid1@chromium.org, Jun 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/08e2d2a00072b39e91bfb3d8665c06fa0cc55f68

commit 08e2d2a00072b39e91bfb3d8665c06fa0cc55f68
Author: fmalita <fmalita@chromium.org>
Date: Mon Jun 06 15:17:17 2016

Clamp radial gradient end radii

Ensure that the end radius stays within finite float range, to
avoid degenerate cases down the line.

BUG= 616993 
R=fs@opera.com

Review-Url: https://codereview.chromium.org/2041653002
Cr-Commit-Position: refs/heads/master@{#398029}

[add] https://crrev.com/08e2d2a00072b39e91bfb3d8665c06fa0cc55f68/third_party/WebKit/LayoutTests/fast/gradients/radial-clamping-expected.txt
[add] https://crrev.com/08e2d2a00072b39e91bfb3d8665c06fa0cc55f68/third_party/WebKit/LayoutTests/fast/gradients/radial-clamping.html
[modify] https://crrev.com/08e2d2a00072b39e91bfb3d8665c06fa0cc55f68/third_party/WebKit/Source/core/css/CSSGradientValue.cpp

Comment 4 by fmalita@chromium.org, Jun 6 2016

Status: Fixed (was: Assigned)

Comment 5 by fmalita@chromium.org, Jun 9 2016

Cc: infe...@chromium.org ashej...@chromium.org fmalita@chromium.org

 Issue 617918  has been merged into this issue.

Project Member

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 616993 link

Issue metadata

ASSERTION FAILED: adjustedR0 <= adjustedR1

Issue description

Comment 1 by ajha@chromium.org, Jun 3 2016

Comment 1 Deleted

Comment 2 by fmalita@chromium.org, Jun 5 2016

Comment 2 Deleted

Comment 3 by bugdroid1@chromium.org, Jun 6 2016

Comment 3 Deleted

Comment 4 by fmalita@chromium.org, Jun 6 2016

Comment 4 Deleted

Comment 5 by fmalita@chromium.org, Jun 9 2016

Comment 5 Deleted

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Comment 6 Deleted

Sign in to add a comment