Under invalidation of LayoutMultiColumnSet when column count changes
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5253495349575680

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  client.isAlive() in PaintController.cpp
  blink::PaintController::clientCacheIsValid
  blink::PaintController::displayItemListAsDebugString

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=398017:398731

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv962tK1jOXA02TDe0-48ts3gvalcWKz_N9MpnIgzjL38x6AEltPt3Am4iVXgeE6OKEuMqOFb2Oz7mrVHo686MpdlWkkdCSsqXOCaaFpboKM299bI5fLPRbYIE43tzsjUhlxARiftVQpoB1nNML6ERuPm6aOrPKMNyao7dmPuWGTW_8q2SZE?testcase_id=5253495349575680

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 5 2016
Aug 5 2016
The under-invalidation happens when the column changes from 1 column (no ruler needed) to 2 columns (ruler needed).
Aug 13 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/baeec3a894965c1c649f1b36035b285e240bd0c0

commit baeec3a894965c1c649f1b36035b285e240bd0c0
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Sat Aug 13 00:37:39 2016

    Fix column rule under invalidation

    MultiColumnSetPainter paints column rules based on style and layout
    data of its parent. Thus when a multi-column container LayoutBlockFlow
    needs paint invalidation it should also invalidate the child
    LayoutMultiColumnSets.

    BUG= 635034
    CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

    Review-Url: https://codereview.chromium.org/2240753003
    Cr-Commit-Position: refs/heads/master@{#411833}

[add] https://crrev.com/baeec3a894965c1c649f1b36035b285e240bd0c0/third_party/WebKit/LayoutTests/paint/invalidation/column-rule-change-expected.html
[add] https://crrev.com/baeec3a894965c1c649f1b36035b285e240bd0c0/third_party/WebKit/LayoutTests/paint/invalidation/column-rule-change.html
[modify] https://crrev.com/baeec3a894965c1c649f1b36035b285e240bd0c0/third_party/WebKit/Source/core/paint/BlockFlowPaintInvalidator.cpp
Aug 13 2016
Aug 27 2016
ClusterFuzz has detected this issue as fixed in range 414808:414879.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5253495349575680

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  client.isAlive() in PaintController.cpp
  blink::PaintController::clientCacheIsValid
  blink::PaintController::displayItemListAsDebugString

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=398017:398731
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=414808:414879

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv962tK1jOXA02TDe0-48ts3gvalcWKz_N9MpnIgzjL38x6AEltPt3Am4iVXgeE6OKEuMqOFb2Oz7mrVHo686MpdlWkkdCSsqXOCaaFpboKM299bI5fLPRbYIE43tzsjUhlxARiftVQpoB1nNML6ERuPm6aOrPKMNyao7dmPuWGTW_8q2SZE?testcase_id=5253495349575680

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 29 2016
As per update#5 and #6, closing the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Aug 5 2016
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)