No CL in the regression range changes the crashed files. The result is the blame information.

Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/fe283ea1ad33abe251cbb4a921f7f836085bab82
Time: Fri Mar 11 14:19:18 2016
The CL last changed line 704 of file LayoutBlockFlow.cpp, which is stack frame 4.


Suspected Project: chromium
Suspected Component: Blink>Layout
=================================
mstensho@: Could you please look into this issue if it is related to your change, else please help us in assigning it to the right owner.

Thanks!

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4930644402765824

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::TableLayoutAlgorithmAuto::layout
  blink::LayoutTable::layout
  blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9474VZyTW6VIzjUtYiWMSqMnThRGq_rIEgCi4pzwYwH9xSOJ3ygZIGsfdkVFtTOiwMG7SBp5IZjH4KrSBfmvO0CD-XNF2R4HnNCu8ZkWVIJyLuCs1ImrEHUgLujVD0zMlWqCjjtFZZ3Eh26bHU-2NQmdUE2Tg?testcase_id=4930644402765824
<table>
 <colgroup><td><style>
@keyframes cfpulse1 { 0% { opacity: 0.9272;  } 
 100% { opacity: 0.479;  } }
* { animation-name: cfpulse62; width: calc(32679 * 101%);


Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Maybe use LayoutUnit or some floating point type instead, to avoid overflow?

@mstensho - no point in just fixing this specific instance though - we should swap out the use of int completely from TableLayoutAlgorithmAuto.cpp?

That would be great too, but I think this one is special:

            int reduce = available * minMaxDiff / logicalWidthBeyondMin;

It multiplies two potentially large ints, which seems rather unusual.

Looking into it further LayoutUnit isn't a great fit for positioning cells unless we want to introduce subpixel width and positioning. That will be fun.

So yeah, I think I'll just squash these overflows as they come up after all. :)

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

 Issue 676592  has been merged into this issue.

Detailed report: https://clusterfuzz.com/testcase?key=6613798105645056

Job Type: linux_ubsan_chrome
Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::TableLayoutAlgorithmAuto::UpdateLayout
  blink::LayoutTable::UpdateLayout
  blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6613798105645056


See https://github.com/google/clusterfuzz-tools for more information.

Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

ClusterFuzz has detected this issue as fixed in range 551565:551568.

Detailed report: https://clusterfuzz.com/testcase?key=5131491806019584

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::TableLayoutAlgorithmAuto::shrinkColumnWidth
  blink::TableLayoutAlgorithmAuto::layout
  blink::LayoutTable::layout
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:551568

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5131491806019584

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 551565:551568.

Detailed report: https://clusterfuzz.com/testcase?key=4930644402765824

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::TableLayoutAlgorithmAuto::UpdateLayout
  blink::LayoutTable::UpdateLayout
  blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:551568

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4930644402765824

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

 Issue 836643  has been merged into this issue.

ClusterFuzz testcase 6215738638204928 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.