Issue metadata
Sign in to add a comment
|
Assertion failed: !object || (object->isBox()) |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4617959052148736 Fuzzer: bj_broddelwerk Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: ASSERT Crash Address: Crash State: !object || (object->isBox()) blink::ThemePainterDefault::setupMenuListArrow blink::ThemePainterDefault::paintMenuList Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=419848:419971 Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94qUM-6OMNl1oZjHskl1cgcbOca6eYQzFB6E_bdc1JfPeCBQSJPA2QE3t9Ms2NeEQhs7KCUKLmEtLFl4iWy7JPEstjBPXLN19Q9tJKeQ6flkdAMIrvaZkXww3Xe7-q5Vfc9HiEE82jCkQ72jqazmkLwkSlmnQ?testcase_id=4617959052148736 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Sep 22 2016
,
Sep 22 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 22 2016
,
Sep 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/63903481bbfd5173416a223bf160fc106f62d1b7 commit 63903481bbfd5173416a223bf160fc106f62d1b7 Author: malaykeshav <malaykeshav@chromium.org> Date: Thu Sep 22 23:08:20 2016 Security fix while computing dropdown menu arrow width There is no clean way to set the size for the dropdown menu arrow dynamically without causing security bugs. Since this is only for tests, using a fixed width works with _most_ of the test cases while the rest have minor changes that are acceptable for layout tests. Context: https://codereview.chromium.org/2340633002 BUG= 649095 , 649056 , 649058 , 649132 , 640256 COMPONENT=ThemePainterDefault, Menu List Arrow CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2 Review-Url: https://codereview.chromium.org/2359753003 Cr-Commit-Position: refs/heads/master@{#420492} [modify] https://crrev.com/63903481bbfd5173416a223bf160fc106f62d1b7/third_party/WebKit/LayoutTests/TestExpectations [modify] https://crrev.com/63903481bbfd5173416a223bf160fc106f62d1b7/third_party/WebKit/Source/core/paint/ThemePainterDefault.cpp
,
Sep 23 2016
,
Sep 23 2016
ClusterFuzz has detected this issue as fixed in range 420372:420502. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4617959052148736 Fuzzer: bj_broddelwerk Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: ASSERT Crash Address: Crash State: !object || (object->isBox()) blink::ThemePainterDefault::setupMenuListArrow blink::ThemePainterDefault::paintMenuList Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=419848:419971 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=420372:420502 Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94qUM-6OMNl1oZjHskl1cgcbOca6eYQzFB6E_bdc1JfPeCBQSJPA2QE3t9Ms2NeEQhs7KCUKLmEtLFl4iWy7JPEstjBPXLN19Q9tJKeQ6flkdAMIrvaZkXww3Xe7-q5Vfc9HiEE82jCkQ72jqazmkLwkSlmnQ?testcase_id=4617959052148736 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 23 2016
,
Oct 25 2016
,
Dec 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Sep 21 2016Owner: malaykeshav@chromium.org
Status: Assigned (was: Untriaged)
Summary: Assertion failed: !object || (object->isBox()) (was: !object || (object->isBox()))