New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 641334 link

Starred by 2 users
Status: Fixed
Owner:
robhogan@chromium.org
Use other robhogan account instead.
Closed: Jun 2017
Cc:
szager@chromium.org
msten...@opera.com
robho...@gmail.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

!floatingObject->originatingLine()

Project Member Reported by ClusterFuzz, Aug 26 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6606610594267136

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !floatingObject->originatingLine()
  blink::LayoutBlockFlow::linkToEndLineIfNeeded
  blink::LayoutBlockFlow::layoutRunsAndFloats
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696

Minimized Testcase (0.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95AB4nmROI3WeFD8XDClkp6qOqamTGjfT2XszoDgL4Or2mJQsitKxuaK7JtTwPlLrZgDvzfm3kINJCUE189Q-EXeRrG3q22y2wrsjIwxSpGA8f5xphHEtVAfK0EB-VqJ34mci_hkoCuvGh6i90vuvpkzMjAZA?testcase_id=6606610594267136

Issue manually filed by: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by durga.behera@chromium.org, Aug 26 2016

Components: Tools>Test>FindIt>WrongResult Blink>Layout
Labels: Te-Logged M-52
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs
=============
No CL in the regression range changes the crashed files. The result is the blame information.

Author: eseidel@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d8e702cefdfddf39caffef9701ec9dfeb4891811
Time: Mon Aug 12 23:34:58 2013
The CL last changed line 1062 of file LayoutBlockFlowLine.cpp, which is stack frame 0.

Author: commit-queue@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/031f9b4268352b13afc712da792a85d8120115b9
Time: Tue Aug 02 18:07:32 2011
The CL last changed line 777 of file LayoutBlockFlowLine.cpp, which is stack frame 1.

Author: leviw@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/b40f5755401fe50b434912aa7400d61b6cbbdb9f
Time: Sat Jan 25 00:19:25 2014
The CL last changed line 1619 of file LayoutBlockFlowLine.cpp, which is stack frame 2.

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/0e20bd123062a6bc463391c8970b24936983c466
Time: Mon Jun 27 21:36:08 2016
The CL last changed line 483 of file LayoutBlockFlow.cpp, which is stack frame 3.

Author: adam.treat@samsung.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/b0b9683a28d52b9f7abfa63c0d341fd7d488856e
Time: Thu Jan 30 02:10:43 2014
The CL last changed line 403 of file LayoutBlockFlow.cpp, which is stack frame 4.

Author: hyatt
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d7dafcfaea34d563b00b5149b94575261464b857
Time: Tue Apr 29 23:32:54 2003
The CL last changed line 375 of file LayoutBlock.cpp, which is stack frame 5.

Author: mstensho@opera.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/bbdbf9ffa99ba94466aa14a698a7b0ccbf05eaff
Time: Mon Sep 07 09:07:52 2015
The CL last changed line 671 of file LayoutBlockFlow.cpp, which is stack frame 6.

================================
Suspected Project: chromium-blink
Suspected Component: Blink>Layout
Its impacting to Stable (52.0.2743.116).

Possible suspect from code search on the crashed file "LayoutBlockFlowLine.cpp" based on recent change made to it.
Suspect : https://codereview.chromium.org/2261663002
wangxianzhu@ : Could you please take a look into this if its related to your change.

Comment 2 by wangxianzhu@chromium.org, Aug 26 2016

Owner: ----
Status: Available (was: Assigned)
Leaving to layout team

Comment 3 by e...@chromium.org, Aug 26 2016

Cc: robho...@gmail.com szager@chromium.org
Labels: -Pri-1 Pri-2

Comment 4 by kateso...@chromium.org, Oct 18 2016

Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong

Comment 5 by robho...@gmail.com, Nov 2 2016

Owner: robhogan@chromium.org
Status: Assigned (was: Available)
Project Member

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 7 by ClusterFuzz, Dec 22 2016

Status: WontFix (was: Assigned)
ClusterFuzz testcase 6606610594267136 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by robhogan@chromium.org, Dec 23 2016

Status: Started (was: WontFix)
I can still reproduce this.

Comment 9 by robho...@gmail.com, Mar 16 2017

Cc: msten...@opera.com
 Issue 700693  has been merged into this issue.
Project Member

Comment 10 by bugdroid1@chromium.org, Mar 23 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/068a38e0f20762a3f218a88aba3290ad83d6e255

commit 068a38e0f20762a3f218a88aba3290ad83d6e255
Author: robhogan <robhogan@gmail.com>
Date: Thu Mar 23 12:05:58 2017

Ensure line-break is on correct object if trailing collapsed whitespace pushes us over line-end

If we're going to break on an auto-wrap line due to trailing space make sure
the line break has been moved to the next available next layout object on the line.

BUG= 641334 

Review-Url: https://codereview.chromium.org/2479333002
Cr-Commit-Position: refs/heads/master@{#459052}

[modify] https://crrev.com/068a38e0f20762a3f218a88aba3290ad83d6e255/third_party/WebKit/LayoutTests/TestExpectations
[add] https://crrev.com/068a38e0f20762a3f218a88aba3290ad83d6e255/third_party/WebKit/LayoutTests/fast/block/float/assert-when-moving-float-expected.txt
[add] https://crrev.com/068a38e0f20762a3f218a88aba3290ad83d6e255/third_party/WebKit/LayoutTests/fast/block/float/assert-when-moving-float.html
[modify] https://crrev.com/068a38e0f20762a3f218a88aba3290ad83d6e255/third_party/WebKit/Source/core/layout/line/BreakingContextInlineHeaders.h

Comment 11 by robhogan@chromium.org, Jun 15 2017

Status: Fixed (was: Started)
Project Member

Comment 12 by ClusterFuzz, Jul 14 2017

Labels: Needs-Feedback
ClusterFuzz testcase 5257108166803456 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

Sign in to add a comment