m_phase == LayoutPoint(roundedIntPoint(m_phase)) in BackgroundImageGeometry.cpp |
|||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5050727814922240 Fuzzer: inferno_twister Job Type: linux_debug_content_shell_drt Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: m_phase == LayoutPoint(roundedIntPoint(m_phase)) in BackgroundImageGeometry.cpp blink::BackgroundImageGeometry::calculate blink::LayoutBox::getBackgroundPaintedExtent Minimized Testcase (8.75 Kb): https://cluster-fuzz.appspot.com/download/AMIfv951NSsDrV_ephrsiEI_y2BzgKahPZvEIhZt8fwSdwr6ioQPIYI91TCm59zKUzkd7LekBn1xXkIAdpQKQd5sWurkq4jIgrFRqf3URSBTiVOU9VECYTVKUk4HNbNnkwvGKsUjQT4u9KOX4kP3Ov36OKm1bt0KTQ?testcase_id=5050727814922240 Additional requirements: Requires HTTP Filer: mummareddy See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 8 2016
Through codesearch on file BackgroundImageGeometry.cpp, latest changes done by schenney@. could you please take a look. Thank you
,
Jul 8 2016
What do we do about asserts that fail due to ridiculously large values exceeding representable limits? As far as I am concerned it's fine to assert in such cases when they do not have security implications. I want to mark this WontFix. Otherwise I can complicate the assert if necessary. i.e. m_phase == LayoutPoint(roundedIntPoint(m_phase)) || m_phase.x() == LayoutUnit::max() || m_phase.y == LayoutUnit::max() || m_phase.x == LayoutUnit::min() || m_phase.y == LayoutUniy.min()
,
Jul 20 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6557971819790336 Fuzzer: inferno_twister Job Type: linux_debug_content_shell_drt Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: m_phase == LayoutPoint(roundedIntPoint(m_phase)) in BackgroundImageGeometry.cpp blink::BackgroundImageGeometry::calculate blink::paintFastBottomLayer Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=403457:403667 Minimized Testcase (2.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97rPBlrtJYY374pPFGFO8nD1w_yJFuUNtG1VTv7hxuvuQfzRTRnTBf4SU8C5PmYMHtulCX2481eQcERafmJsccyKMHQypBamzc7XRV5T9z5m3hLP3SjnEMIifSzEyePy4ux5og1elcUV6RsZWhqTL0YjL0hrw?testcase_id=6557971819790336 Additional requirements: Requires HTTP Filer: mummareddy See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/96fad00d9606b2bdd89e3477387bad1d6bd8ba87 commit 96fad00d9606b2bdd89e3477387bad1d6bd8ba87 Author: schenney <schenney@chromium.org> Date: Fri Jul 22 20:48:51 2016 Remove a pointless assert that fails with overflowed values It turns out that roundedIntPoint(LayoutUnit::max()) != LayoutUNit::max() so disable the assert in BackgroundImageGeometry that is really just checking that we have pixel snapped the phase. We don't check any other values for pixel snapping, so there's no reason to keep checking phase. And there's no danger to having an unrounded value here. Nothing breaks. R=fmalita@chromium.org BUG= 626745 Review-Url: https://codereview.chromium.org/2180433002 Cr-Commit-Position: refs/heads/master@{#407255} [modify] https://crrev.com/96fad00d9606b2bdd89e3477387bad1d6bd8ba87/third_party/WebKit/Source/core/paint/BackgroundImageGeometry.cpp
,
Jul 22 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by mummare...@chromium.org
, Jul 8 2016