Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/7928011b29316b85632b2b16f276382ae857c583
Time: Thu Sep 15 12:03:59 2016
Lines 160 of file LayoutFlowThread.cpp which potentially caused crash are changed in this cl (frame #1, "blink::LayoutFlowThread::pageRemainingLogicalHeightForOffset").
Minimum distance from crash line to modified line: 0. (file: LayoutFlowThread.cpp, crashed on: 160, modified: 160).

Suspected Project: chromium
Suspected Component: Blink>Layout

I have a CL in the works for this one. That fixes the original assertion failure, but there turned out to be another assertion failure hiding behind it, which this CL isn't going to fix, so I'll make another one for that failure once this first CL lands.

ASSERTION FAILED: logicalBottomInFlowThread >= m_logicalTopInFlowThread
../../third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.h(57) : void blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread(blink::LayoutUnit)
1   0x7f1dca5d33ae
2   0x7f1dca5d2560 blink::LayoutMultiColumnSet::endFlow(blink::LayoutUnit)
3   0x7f1dca5cf3ad blink::LayoutMultiColumnFlowThread::layout()
4   0x7f1dca5ccf52 blink::LayoutMultiColumnFlowThread::layoutColumns(blink::SubtreeLayoutScope&)
5   0x7f1dca4feb66 blink::LayoutBlockFlow::layoutSpecialExcludedChild(bool, blink::SubtreeLayoutScope&)
6   0x7f1dca505342 blink::LayoutBlockFlow::layoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
7   0x7f1dca510ecb
8   0x7f1dca4ffc43 blink::LayoutBlockFlow::layoutBlock(bool)
9   0x7f1dca4eb48f blink::LayoutBlock::layout()
10  0x7f1dca5009f0 blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&)
11  0x7f1dca500d90 blink::LayoutBlockFlow::layoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&)
12  0x7f1dca505720 blink::LayoutBlockFlow::layoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
13  0x7f1dca510ecb
14  0x7f1dca4ffc43 blink::LayoutBlockFlow::layoutBlock(bool)
15  0x7f1dca4eb48f blink::LayoutBlock::layout()
16  0x7f1dca582061 blink::LayoutFlowThread::layout()
17  0x7f1dca5cf266 blink::LayoutMultiColumnFlowThread::layout()

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4815614999003136

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
  blink::LayoutFlowThread::pageRemainingLogicalHeightForOffset
  blink::LayoutBox::pageRemainingLogicalHeightForOffset
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=418836:418843

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv942bIT9jf6UDQhHBejZxL0Idxu02hdROBT8LZqv8EhZIz1HDLWFSe4woty0pt3m8v6IEMTgEGbWAG2_jZUqNyZE0hEVXqoeieVyzVe0su4TMZBC2tqgJZoHNgI0WCpwOj_SMz5bW9SNtvL2X4DXoQZittsM-A?testcase_id=4815614999003136
<style>
*{-webkit-appearance:inherit;-webkit-column-break-before:always;}
.CLASS6{-webkit-column-count:1;}
*:valid{bleed:484.821ch;-webkit-column-span:all;</style>
<object>
<form class="CLASS4"</textarea>
</object>
<body class="CLASS6 CLASS9">
<table>
<caption>
>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Regarding my previous comment: I've still split the fix into two CLs, one for each of the assertion failures, but the solution I ended up with was quite different from what I initially had imagined. The two CLs no longer depend on each other, so they can be reviewed and landed in parallel.

https://codereview.chromium.org/2356183002/
https://codereview.chromium.org/2359733002/

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4545acb6ba2bd97d53d4641b90ee1d96fb53f98d

commit 4545acb6ba2bd97d53d4641b90ee1d96fb53f98d
Author: mstensho <mstensho@opera.com>
Date: Wed Sep 21 13:48:56 2016

Need to consider the need for a soft break even when inserting a forced break.

A forced break will just take us to the next fragmentainer. However, the next
fragmentainer may not be tall enough to fit any part of the block we're laying
out, which means that we may have to skip to a fragmentainer further ahead -
one that is tall enough. This situation may arise in nested multicol, because
then we may get inner fragmentainers of variable height.

Another reason why we need this is that a forced break on an object is inserted
before we apply clearance. After we have applied clearance, we may have ended
up at a position where there's not enough space left to fit any part of the
block we're laying out. So, again, we may need to skip to the next
fragmentainer.

BUG= 647475 

Review-Url: https://codereview.chromium.org/2359733002
Cr-Commit-Position: refs/heads/master@{#420041}

[add] https://crrev.com/4545acb6ba2bd97d53d4641b90ee1d96fb53f98d/third_party/WebKit/LayoutTests/fast/multicol/forced-break-too-short-column-expected.html
[add] https://crrev.com/4545acb6ba2bd97d53d4641b90ee1d96fb53f98d/third_party/WebKit/LayoutTests/fast/multicol/forced-break-too-short-column.html
[add] https://crrev.com/4545acb6ba2bd97d53d4641b90ee1d96fb53f98d/third_party/WebKit/LayoutTests/fragmentation/forced-break-clearance-unsplittable-content-expected.html
[add] https://crrev.com/4545acb6ba2bd97d53d4641b90ee1d96fb53f98d/third_party/WebKit/LayoutTests/fragmentation/forced-break-clearance-unsplittable-content.html
[modify] https://crrev.com/4545acb6ba2bd97d53d4641b90ee1d96fb53f98d/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp
[modify] https://crrev.com/4545acb6ba2bd97d53d4641b90ee1d96fb53f98d/third_party/WebKit/Source/core/layout/LayoutBlockFlow.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/97ed9c5f12b724ba8db5ec1e60dd1a92cde5d05c

commit 97ed9c5f12b724ba8db5ec1e60dd1a92cde5d05c
Author: mstensho <mstensho@opera.com>
Date: Wed Sep 21 16:07:48 2016

Stay put at the top of the current page when inserting a forced break.

If we attempt to insert a forced break, and we're already at the top of a page
or column, we should stay right there, instead of leaving an entire page or
column blank. We used to ensure this by calling nextPageLogicalTop() with
AssociateWithFormerPage.

But it was broken, because AssociateWithFormerPage could take us to a column
set preceding a column spanner that we had actually moved past. This would
confuse various parts of the machinery, and could, among other things, find
unused space in the last column preceding a spanner, and use this as a
pagination strut on an object *following* the spanner.

Remove PageBoundaryRule from nextPageLogicalTop(), and let the forced break
insertion code handle this on its own instead, and do it correctly, without
looking back at preceding columns.

BUG= 647475 

Review-Url: https://codereview.chromium.org/2356183002
Cr-Commit-Position: refs/heads/master@{#420072}

[add] https://crrev.com/97ed9c5f12b724ba8db5ec1e60dd1a92cde5d05c/third_party/WebKit/LayoutTests/fast/multicol/break-after-empty-set-crash.html
[add] https://crrev.com/97ed9c5f12b724ba8db5ec1e60dd1a92cde5d05c/third_party/WebKit/LayoutTests/fast/multicol/forced-break-after-block-with-spanner-expected.html
[add] https://crrev.com/97ed9c5f12b724ba8db5ec1e60dd1a92cde5d05c/third_party/WebKit/LayoutTests/fast/multicol/forced-break-after-block-with-spanner.html
[add] https://crrev.com/97ed9c5f12b724ba8db5ec1e60dd1a92cde5d05c/third_party/WebKit/LayoutTests/fast/multicol/forced-break-after-empty-block-after-spanner-expected.html
[add] https://crrev.com/97ed9c5f12b724ba8db5ec1e60dd1a92cde5d05c/third_party/WebKit/LayoutTests/fast/multicol/forced-break-after-empty-block-after-spanner.html
[add] https://crrev.com/97ed9c5f12b724ba8db5ec1e60dd1a92cde5d05c/third_party/WebKit/LayoutTests/fast/multicol/forced-break-after-last-block-before-spanner-expected.html
[add] https://crrev.com/97ed9c5f12b724ba8db5ec1e60dd1a92cde5d05c/third_party/WebKit/LayoutTests/fast/multicol/forced-break-after-last-block-before-spanner.html
[modify] https://crrev.com/97ed9c5f12b724ba8db5ec1e60dd1a92cde5d05c/third_party/WebKit/Source/core/layout/LayoutBlock.cpp
[modify] https://crrev.com/97ed9c5f12b724ba8db5ec1e60dd1a92cde5d05c/third_party/WebKit/Source/core/layout/LayoutBlock.h
[modify] https://crrev.com/97ed9c5f12b724ba8db5ec1e60dd1a92cde5d05c/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp

ClusterFuzz has detected this issue as fixed in range 420048:420163.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4815614999003136

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
  blink::LayoutFlowThread::pageRemainingLogicalHeightForOffset
  blink::LayoutBox::pageRemainingLogicalHeightForOffset
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=418836:418843
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=420048:420163

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv942bIT9jf6UDQhHBejZxL0Idxu02hdROBT8LZqv8EhZIz1HDLWFSe4woty0pt3m8v6IEMTgEGbWAG2_jZUqNyZE0hEVXqoeieVyzVe0su4TMZBC2tqgJZoHNgI0WCpwOj_SMz5bW9SNtvL2X4DXoQZittsM-A?testcase_id=4815614999003136
<style>
*{-webkit-appearance:inherit;-webkit-column-break-before:always;}
.CLASS6{-webkit-column-count:1;}
*:valid{bleed:484.821ch;-webkit-column-span:all;</style>
<object>
<form class="CLASS4"</textarea>
</object>
<body class="CLASS6 CLASS9">
<table>
<caption>
>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 420048:420163.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5012319300222976

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
  blink::LayoutBlock::nextPageLogicalTop
  blink::LayoutBlockFlow::estimateLogicalTopPosition
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=418815:418843
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=420048:420163

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94mv9TwlAbTcsSd0nNJ5-bdCV7g-h1l7i92abnrdfTPoo5kMj4QC69b-YLcxMqE_SbjWz3ad56xZvfD23eQCI8f5RFhyQoDhg80Vvi5hPj6kibYTYeO_Xv_wmRrsrRqiP866zWKxdM8Df9x6vXX3cIoBtLQ_A?testcase_id=5012319300222976
<style>
*{line-stacking-ruby:exclude-ruby;break-after:column;-webkit-column-count:16384;}
.CLASS10{windows:inherit;-webkit-column-span:all;</style>
<div>
</div>
<table class="CLASS10 CLASS4">
</table>
>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot