interval.low() == m_layoutObject->logicalTopForFloat(floatingObject)
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4941080965677056
Fuzzer: bj_broddelwerk
Job Type: linux_debug_chrome
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  interval.low() == m_layoutObject->logicalTopForFloat(floatingObject)
  blink::ComputeFloatOffsetAdapter<
  void blink::PODIntervalTree<blink::LayoutUnit, blink::FloatingObject*>::searchFo
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=374754:374868
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95rKiF-Vqt8NezcJyTdKx4PsPIkPQR0kbpXeI2mDVRurQPQxH92YS2ya8Gs41UlSvmxDYtE8o5KEy0-c7PleggTrW5IFqYYsvf9strTGrOQG_M9TdQY4dcfsLrrQ9ZUiBqHDwYwsBxUDhKFtXdaf2rA5JpLl2Gw54Xvtmcb_hsqNvZgGVE?testcase_id=4941080965677056
Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Aug 1 2016

Aug 2 2016
This looks related to orthogonal writing mode roots, like bug 604095.

Aug 3 2016
Looks like the same issue as issue 604095, which stopped reproducing after the fix for issue 613869. I have a WIP here https://codereview.chromium.org/2025543002 but disagreements were seen in the review, and I won't have time to come up with different solutions in the near term. Let me lower the priority, because this is assertion-failure-only and does not crash.

Aug 3 2016

Aug 5 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sep 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5c43382692e6b687373576984181e52c30ccd142

commit 5c43382692e6b687373576984181e52c30ccd142
Author: kojii <kojii@chromium.org>
Date: Sat Sep 17 19:39:59 2016

    Fix when orthogonal writing mode roots have floating siblings

    When orthogonal writing mode roots have floating siblings, its containing block may still have old or even deleted LayoutObjects. This occurs when LayoutMultiColumnFlowThread::populate(), LayoutBoxModelObject::moveChildrenTo() with !fullRemoveInsert, or more, for the optimization purposes. This patch clears such objects to be re-created when the containing block is laid out.

    BUG=604095,633409,646178

    Review-Url: https://codereview.chromium.org/2025543002
    Cr-Commit-Position: refs/heads/master@{#419376}

[add] https://crrev.com/5c43382692e6b687373576984181e52c30ccd142/third_party/WebKit/LayoutTests/fast/writing-mode/orthogonal-writing-modes-floats-crash-expected.txt
[add] https://crrev.com/5c43382692e6b687373576984181e52c30ccd142/third_party/WebKit/LayoutTests/fast/writing-mode/orthogonal-writing-modes-floats-crash.html
[modify] https://crrev.com/5c43382692e6b687373576984181e52c30ccd142/third_party/WebKit/Source/core/frame/FrameView.cpp

Sep 18 2016
ClusterFuzz has detected this issue as fixed in range 419371:419385.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4941080965677056
Fuzzer: bj_broddelwerk
Job Type: linux_debug_chrome
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  interval.low() == m_layoutObject->logicalTopForFloat(floatingObject)
  blink::ComputeFloatOffsetAdapter<
  void blink::PODIntervalTree<blink::LayoutUnit, blink::FloatingObject*>::searchFo
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=374754:374868
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=419371:419385
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95rKiF-Vqt8NezcJyTdKx4PsPIkPQR0kbpXeI2mDVRurQPQxH92YS2ya8Gs41UlSvmxDYtE8o5KEy0-c7PleggTrW5IFqYYsvf9strTGrOQG_M9TdQY4dcfsLrrQ9ZUiBqHDwYwsBxUDhKFtXdaf2rA5JpLl2Gw54Xvtmcb_hsqNvZgGVE?testcase_id=4941080965677056

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sep 18 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sep 20 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f0a010e317a1043e7faf7160f6d2afb760d6f1f5

commit f0a010e317a1043e7faf7160f6d2afb760d6f1f5
Author: Koji Ishii <kojii@chromium.org>
Date: Tue Sep 20 13:11:28 2016

    Merge 2840: Fix when orthogonal writing mode roots have floating siblings

    When orthogonal writing mode roots have floating siblings, its containing block may still have old or even deleted LayoutObjects. This occurs when LayoutMultiColumnFlowThread::populate(), LayoutBoxModelObject::moveChildrenTo() with !fullRemoveInsert, or more, for the optimization purposes. This patch clears such objects to be re-created when the containing block is laid out.

    BUG=604095,633409,646178

    Review-Url: https://codereview.chromium.org/2025543002
    Cr-Commit-Position: refs/heads/master@{#419376}
    (cherry picked from commit 5c43382692e6b687373576984181e52c30ccd142)

    Review URL: https://codereview.chromium.org/2355793002 .

    Cr-Commit-Position: refs/branch-heads/2840@{#436}
    Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[add] https://crrev.com/f0a010e317a1043e7faf7160f6d2afb760d6f1f5/third_party/WebKit/LayoutTests/fast/writing-mode/orthogonal-writing-modes-floats-crash-expected.txt
[add] https://crrev.com/f0a010e317a1043e7faf7160f6d2afb760d6f1f5/third_party/WebKit/LayoutTests/fast/writing-mode/orthogonal-writing-modes-floats-crash.html
[modify] https://crrev.com/f0a010e317a1043e7faf7160f6d2afb760d6f1f5/third_party/WebKit/Source/core/frame/FrameView.cpp

Oct 27 2016

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Aug 1 2016
Owner: robhogan@chromium.org
Status: Assigned (was: Untriaged)