
Issue 655067 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




m_width.fitsOnLine(rect.width() - 1) in BreakingContextInlineHeaders.h

Project Member Reported by ClusterFuzz, Oct 12 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5290183006355456

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  m_width.fitsOnLine(rect.width() - 1) in BreakingContextInlineHeaders.h
  blink::BreakingContext::rewindToMidWordBreak
  blink::BreakingContext::handleText
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=393279:393304

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96NCPlTxz7TTCGYZUtfGp5be933pPtudtrhbd012wdRY0kVO4ZdDsaxks0ug-WygbRrtjwa8rr4xvTZhhZvTSQP62FJQnxXaYPZA7eTq0JTX2SNHqV_WaVMvhxxr0wli8QLA6lgHXfpgk1xeUeFvgUXN8InDg?testcase_id=5290183006355456
<div contenteditable="">S  d9r~I<span>drag<style>
* { shape-rendering: optimizeQuality; font-size: 28rem;


Issue manually filed by: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: kyounga...@gmail.com nyerramilli@chromium.org e...@chromium.org
Components: Tools>Test>FindIt>NoResult
Labels: -Pri-1 -Type-Bug findit-wrong Te-Logged Pri-2 Type-Bug-Regression
Owner: kojii@chromium.org
Status: Assigned (was: Untriaged)
Providing Findit results for internal purpose:
Suspected CLs: Findit could not determine the memory tool from the stacktrace. Is it in a new format?

Using codesearch, seeing some changes to 'BreakingContextInlineHeaders.h' in
https://chromium.googlesource.com/chromium/src/+/47e23e263b551925dccd72e0b170f64cf7ab8b9a

kyounga.ra@, could you please check the issue.

Comment 2 by kojii@chromium.org, Oct 17 2016

Given the previous fix still leaves some other cases for this to fire, and given this DCHECK isn't as fatal as I thought when I put it, I prefer to remove the DCHECK.
Sorry for the late reply.

Then, I'm not authorized to access the detailed report and minimized testcase.

@kojii, I'm not sure about the text-layout, but even if the DCHECK is not fatal, there is wrong text-layout in that case, right?
Project Member Comment 4 by bugdroid1@chromium.org, Oct 18 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7063f99d4a6ae1b57d47d012b4e53c57f25187d6

commit 7063f99d4a6ae1b57d47d012b4e53c57f25187d6
Author: kojii <kojii@chromium.org>
Date: Tue Oct 18 01:20:27 2016

Remove DCHECK in BreakingContextInlineHeader that wasn't very useful

Originally thought this failure could lead to layout failures, but as we
understand the failing cases, its failure does not look like it causes any real
problems.

BUG= 655067 

Review-Url: https://codereview.chromium.org/2425593002
Cr-Commit-Position: refs/heads/master@{#425845}

[modify] https://crrev.com/7063f99d4a6ae1b57d47d012b4e53c57f25187d6/third_party/WebKit/Source/core/layout/line/BreakingContextInlineHeaders.h

Comment 5 Deleted

Comment 6 by kojii@chromium.org, Oct 18 2016

Status: Fixed (was: F)
Components: -Tools>Test>FindIt>NoResult
Project Member Comment 8 by ClusterFuzz, Oct 19 2016

ClusterFuzz has detected this issue as fixed in range 425834:425887.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5290183006355456

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  m_width.fitsOnLine(rect.width() - 1) in BreakingContextInlineHeaders.h
  blink::BreakingContext::rewindToMidWordBreak
  blink::BreakingContext::handleText
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=393279:393304
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=425834:425887

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96NCPlTxz7TTCGYZUtfGp5be933pPtudtrhbd012wdRY0kVO4ZdDsaxks0ug-WygbRrtjwa8rr4xvTZhhZvTSQP62FJQnxXaYPZA7eTq0JTX2SNHqV_WaVMvhxxr0wli8QLA6lgHXfpgk1xeUeFvgUXN8InDg?testcase_id=5290183006355456
<div contenteditable="">S  d9r~I<span>drag<style>
* { shape-rendering: optimizeQuality; font-size: 28rem;


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
