Use-of-uninitialized-value in void WTF::copyToVector<WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::La
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5588676535123968
Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  void WTF::copyToVector<WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::La
  blink::DepthOrderedLayoutObjectList::ordered
  blink::FrameView::layoutOrthogonalWritingModeRoots
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=407480:407711
Minimized Testcase (1.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97QYPT-X8ybO6FaH-5yX9zgNUBycJQqWKLx4wd1oMJZdOddwPTvix9gFQSnQuWzQZ4BUczcNMFeiqmeoejlHmni5Lezb5DKdraH0E5PRR-8wIPR68SBm6H_E47e0bMWyNTR9eaK6jHLonDqhTPOhXgjNEQvMA?testcase_id=5588676535123968

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 29 2016
kojii: this looks like another orthogonal writing mode root one. Can you take a look?
Aug 30 2016

Aug 30 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 31 2016
Thank you robhogan. Double layout from the scrollbar again; it looks like the previous fix was not complete.
Aug 31 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/146cecaf22dca2a82fa102c46441af6bd79dffa0

commit 146cecaf22dca2a82fa102c46441af6bd79dffa0
Author: kojii <kojii@chromium.org>
Date: Wed Aug 31 17:39:01 2016

Fix removeChildNode to unmark orthogonal writing mode roots when !notifyLayoutObject

removeChildNode() does not notify willBeRemovedFromTree() when !notifyLayoutObject. This can leave orthogonal writing mode roots marked after the removal of the child. This patch unmarks them even when !notifyLayoutObject.

This fixes anonymous boxes left marked in fullscreen. It is still correct for LayoutFullscreen to have the same writing-mode as parent, but DCHECK was removed because it doesn't leave boxes unmarked any longer, and ensuring that against dynamic changes requires more work.

BUG=642028

Review-Url: https://codereview.chromium.org/2296973003
Cr-Commit-Position: refs/heads/master@{#415675}

[modify] https://crrev.com/146cecaf22dca2a82fa102c46441af6bd79dffa0/third_party/WebKit/Source/core/frame/FrameView.cpp
[modify] https://crrev.com/146cecaf22dca2a82fa102c46441af6bd79dffa0/third_party/WebKit/Source/core/layout/LayoutObjectChildList.cpp
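The mechanism the commit message describes, as an added illustration that is not Blink code and not part of this bug thread: a registry of raw pointers to layout boxes, a child-removal routine whose silent path (!notifyLayoutObject) skips the hook that unmarks the subtree, and a later pass that copies the set and walks it. The class and function names below (Box, OrthogonalRootRegistry, removeChildNodeBuggy, removeChildNodeFixed, staleEntriesAfterRemoval) are constructed stand-ins for the Blink types named in the crash state, and the tree shape is a constructed input. Boxes are kept alive so the stale-entry count is well-defined; in Blink the removed object is freed, which is why the same stale entry surfaces as a sanitizer report under layoutOrthogonalWritingModeRoots.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <memory>
#include <unordered_set>
#include <vector>

// Constructed stand-in for a layout box (Blink's LayoutObject is far richer;
// only parent/child links and the orthogonal-root flag matter here).
struct Box {
  Box* parent = nullptr;
  std::vector<Box*> children;
  bool orthogonalRoot = false;  // writing-mode differs from the parent's
};

// Assumed shape of the set inside DepthOrderedLayoutObjectList: raw pointers
// that a later layout pass copies into a vector (the copyToVector in the
// crash stack) and walks. Not Blink's code.
class OrthogonalRootRegistry {
 public:
  void mark(Box* b) { roots_.insert(b); }
  void unmark(Box* b) { roots_.erase(b); }
  std::vector<Box*> snapshot() const { return {roots_.begin(), roots_.end()}; }

 private:
  std::unordered_set<Box*> roots_;
};

static void unmarkSubtree(Box* b, OrthogonalRootRegistry& reg) {
  reg.unmark(b);
  for (Box* c : b->children) unmarkSubtree(c, reg);
}

// willBeRemovedFromTree(): before the fix, this hook is the only place a
// subtree gets unmarked (other teardown work omitted).
static void willBeRemovedFromTree(Box* b, OrthogonalRootRegistry& reg) {
  unmarkSubtree(b, reg);
}

static void detach(Box* parent, Box* child) {
  auto& kids = parent->children;
  kids.erase(std::remove(kids.begin(), kids.end(), child), kids.end());
  child->parent = nullptr;
}

// Pre-fix shape: the silent path skips the hook, so any marked box under
// `child` stays in the registry after it has left the tree.
static void removeChildNodeBuggy(Box* parent, Box* child,
                                 OrthogonalRootRegistry& reg,
                                 bool notifyLayoutObject) {
  if (notifyLayoutObject) willBeRemovedFromTree(child, reg);
  detach(parent, child);
}

// Post-fix shape: unmark on both paths, as the commit describes.
static void removeChildNodeFixed(Box* parent, Box* child,
                                 OrthogonalRootRegistry& reg,
                                 bool notifyLayoutObject) {
  if (notifyLayoutObject)
    willBeRemovedFromTree(child, reg);
  else
    unmarkSubtree(child, reg);
  detach(parent, child);
}

static bool isInTree(const Box* b, const Box* root) {
  for (; b; b = b->parent)
    if (b == root) return true;
  return false;
}

// Constructed scenario: root -> container -> leaf, with the leaf marked as an
// orthogonal root. Removes `container`, then runs the next "layout pass":
// snapshot the registry and count entries no longer attached to `root`.
std::size_t staleEntriesAfterRemoval(bool notifyLayoutObject, bool withFix) {
  std::vector<std::unique_ptr<Box>> arena;  // keeps boxes alive for the check
  auto make = [&arena](Box* parent) {
    arena.push_back(std::make_unique<Box>());
    Box* b = arena.back().get();
    b->parent = parent;
    if (parent) parent->children.push_back(b);
    return b;
  };
  Box* root = make(nullptr);
  Box* container = make(root);
  Box* leaf = make(container);
  leaf->orthogonalRoot = true;

  OrthogonalRootRegistry reg;
  reg.mark(leaf);

  if (withFix)
    removeChildNodeFixed(root, container, reg, notifyLayoutObject);
  else
    removeChildNodeBuggy(root, container, reg, notifyLayoutObject);

  std::size_t stale = 0;
  for (Box* b : reg.snapshot())
    if (!isInTree(b, root)) ++stale;
  return stale;
}

int main() {
  std::cout << "notify=true,  buggy: " << staleEntriesAfterRemoval(true, false) << " stale\n"
            << "notify=false, buggy: " << staleEntriesAfterRemoval(false, false) << " stale\n"
            << "notify=false, fixed: " << staleEntriesAfterRemoval(false, true) << " stale\n";
  return 0;
}
```

The point to take from it is the shape of the defect rather than any Blink detail: a registry of raw pointers is only as safe as the guarantee that every removal path clears it, and a second removal path added without that clearing turns the next consumer of the set into a sanitizer finding. The same reasoning is why the fix touches LayoutObjectChildList.cpp (the removal path) rather than the layout pass that crashed.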
Sep 1 2016
ClusterFuzz has detected this issue as fixed in range 415621:415737.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5588676535123968
Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  void WTF::copyToVector<WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::La
  blink::DepthOrderedLayoutObjectList::ordered
  blink::FrameView::layoutOrthogonalWritingModeRoots
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=407480:407711
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=415621:415737
Minimized Testcase (1.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97QYPT-X8ybO6FaH-5yX9zgNUBycJQqWKLx4wd1oMJZdOddwPTvix9gFQSnQuWzQZ4BUczcNMFeiqmeoejlHmni5Lezb5DKdraH0E5PRR-8wIPR68SBm6H_E47e0bMWyNTR9eaK6jHLonDqhTPOhXgjNEQvMA?testcase_id=5588676535123968

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sep 1 2016

Sep 1 2016

Sep 1 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Sep 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/39e06039f343ece335a0eaf610d2ce577f110a6c

commit 39e06039f343ece335a0eaf610d2ce577f110a6c
Author: Koji Ishii <kojii@chromium.org>
Date: Fri Sep 02 05:00:11 2016

Merge 2840: Fix removeChildNode to unmark orthogonal writing mode roots when !notifyLayoutObject

removeChildNode() does not notify willBeRemovedFromTree() when !notifyLayoutObject. This can leave orthogonal writing mode roots marked after the removal of the child. This patch unmarks them even when !notifyLayoutObject.

This fixes anonymous boxes left marked in fullscreen. It is still correct for LayoutFullscreen to have the same writing-mode as parent, but DCHECK was removed because it doesn't leave boxes unmarked any longer, and ensuring that against dynamic changes requires more work.

BUG=642028

Review-Url: https://codereview.chromium.org/2296973003
Cr-Commit-Position: refs/heads/master@{#415675}
(cherry picked from commit 146cecaf22dca2a82fa102c46441af6bd79dffa0)

Review URL: https://codereview.chromium.org/2304833002 .
Cr-Commit-Position: refs/branch-heads/2840@{#119}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/39e06039f343ece335a0eaf610d2ce577f110a6c/third_party/WebKit/Source/core/frame/FrameView.cpp
[modify] https://crrev.com/39e06039f343ece335a0eaf610d2ce577f110a6c/third_party/WebKit/Source/core/layout/LayoutObjectChildList.cpp

Oct 27 2016
Dec 8 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Aug 29 2016
Components: Blink>Layout
Labels: -OS-Linux OS-All Pri-1
Owner: robhogan@chromium.org
Status: Assigned (was: Untriaged)