isTableCell() && parentBox() == container in LayoutBox.cpp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4662992925097984

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  isTableCell() && parentBox() == container in LayoutBox.cpp
  blink::LayoutBox::mapToVisualRectInAncestorSpace
  blink::slowMapToVisualRectInAncestorSpace

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=404895:404947

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96zzXrIDFCY2L3udms1xN-ARwyWZZW6kyoCPwi56sN6DXsC3CmYG3LRiDv9_Ew4OHU-c_kImvTYdO58fuHjr-3YSF3L4BgrLGdRmYBvmKln3FtJGRJ94h69fJW60dlonpG89UQ2gn5nkE4Q2a6cbmKV7YZT5Q?testcase_id=4662992925097984

<style>
div { -webkit-box-reflect: below;
</style>
<div id="splitter"">
<script>
document.getElementById("splitter").style.display = "table-row";
</script>

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 28 2016
Sep 28 2016
ClusterFuzz has detected this issue as fixed in range 421240:421431.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4662992925097984

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  isTableCell() && parentBox() == container in LayoutBox.cpp
  blink::LayoutBox::mapToVisualRectInAncestorSpace
  blink::slowMapToVisualRectInAncestorSpace

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=404895:404947
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=421240:421431

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96zzXrIDFCY2L3udms1xN-ARwyWZZW6kyoCPwi56sN6DXsC3CmYG3LRiDv9_Ew4OHU-c_kImvTYdO58fuHjr-3YSF3L4BgrLGdRmYBvmKln3FtJGRJ94h69fJW60dlonpG89UQ2gn5nkE4Q2a6cbmKV7YZT5Q?testcase_id=4662992925097984

<style>
div { -webkit-box-reflect: below;
</style>
<div id="splitter"">
<script>
document.getElementById("splitter").style.display = "table-row";
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 28 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 28 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c92b29db029d52d6423835f13741112867a3c00d

commit c92b29db029d52d6423835f13741112867a3c00d
Author: chrishtr <chrishtr@chromium.org>
Date: Wed Sep 28 02:25:55 2016

Avoid crashing for cases when cell/row parenting is not like a real table.

BUG= 650877

Review-Url: https://codereview.chromium.org/2374923002
Cr-Commit-Position: refs/heads/master@{#421429}

[add] https://crrev.com/c92b29db029d52d6423835f13741112867a3c00d/third_party/WebKit/LayoutTests/paint/invalidation/display-table-row-crash-expected.txt
[add] https://crrev.com/c92b29db029d52d6423835f13741112867a3c00d/third_party/WebKit/LayoutTests/paint/invalidation/display-table-row-crash.html
[modify] https://crrev.com/c92b29db029d52d6423835f13741112867a3c00d/third_party/WebKit/Source/core/layout/LayoutBox.cpp
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Sep 27 2016
Labels: M-54 Te-Logged
Owner: chrishtr@chromium.org
Status: Assigned (was: Untriaged)