Floating-point-exception in blink::TableLayoutAlgorithmFixed::layout
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6308243350749184
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: Floating-point-exception
Crash Address:
Crash State:
blink::TableLayoutAlgorithmFixed::layout
blink::LayoutTable::layout
blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=344607:344814
Minimized Testcase (0.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96PQPcGtLMfR4QWkzUFrmoE5AuKxXgwJTl5hw2QXWRLytzzshxbjLtju8DySG0FxapUvvfgUNUUlSYgwtl1GfeL9BTOLY0yrYhT3HlZDjo7JvB92O657lNwMgIDTzv8scc-eWx13hkKh2K-TPYyHwjWjybGdw?testcase_id=6308243350749184

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 1 2016
Why me? I have no commits in the blamed range and I don't work in Blink...
Nov 2 2016
Nov 7 2016
David, could you take a look at this when you get a chance?
Nov 22 2016
Nov 22 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 16 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e47aea373e0ec97912b63c51797650dc55311336

commit e47aea373e0ec97912b63c51797650dc55311336
Author: dgrogan <dgrogan@chromium.org>
Date: Fri Dec 16 06:08:45 2016

[css-tables] Fix divide-by-zero resulting from 32-bit overflow

When col/colgroup spans added up to exactly 2^32, the result would overflow to 0, which was the divisor for a later operation.

This patch clamps col spans to 8190, matching cell colspans. This makes the problem harder to trigger but doesn't eliminate it.

BUG= 660581
Review-Url: https://codereview.chromium.org/2518163002
Cr-Commit-Position: refs/heads/master@{#439041}

[modify] https://crrev.com/e47aea373e0ec97912b63c51797650dc55311336/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/e47aea373e0ec97912b63c51797650dc55311336/third_party/WebKit/LayoutTests/fast/dom/HTMLTableColElement/span-attribute.html
[add] https://crrev.com/e47aea373e0ec97912b63c51797650dc55311336/third_party/WebKit/LayoutTests/fast/table/large-col-span-crash.html
[modify] https://crrev.com/e47aea373e0ec97912b63c51797650dc55311336/third_party/WebKit/LayoutTests/imported/wpt/html/dom/reflection-tabular-expected.txt
[modify] https://crrev.com/e47aea373e0ec97912b63c51797650dc55311336/third_party/WebKit/Source/core/html/HTMLTableCellElement.cpp
[modify] https://crrev.com/e47aea373e0ec97912b63c51797650dc55311336/third_party/WebKit/Source/core/html/HTMLTableCellElement.h
[modify] https://crrev.com/e47aea373e0ec97912b63c51797650dc55311336/third_party/WebKit/Source/core/html/HTMLTableColElement.cpp
[modify] https://crrev.com/e47aea373e0ec97912b63c51797650dc55311336/third_party/WebKit/Source/core/layout/LayoutTableCell.cpp
[modify] https://crrev.com/e47aea373e0ec97912b63c51797650dc55311336/third_party/WebKit/Source/core/layout/TableLayoutAlgorithmFixed.cpp
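The overflow the commit message describes, as an added example: a constructed model with hypothetical names, not Blink's code. It shows the unchecked 32-bit span sum wrapping to zero, the clamp-to-8190 behaviour of the fix (which still wraps, just later), and a saturating 64-bit accumulation plus a zero-divisor check that are my additions rather than part of the Chromium change.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model of the bug (hypothetical names, not Blink's code): the fixed
// table layout summed <col>/<colgroup> span values into a 32-bit total and later
// divided by that total. Spans adding up to exactly 2^32 wrapped it to zero.
const uint32_t kMaxColSpan = 8190;  // clamp introduced by the fix, matching cell colspan

// Pre-fix: unchecked 32-bit accumulation; two spans of 2^31 wrap to 0.
uint32_t totalSpanUnchecked(const std::vector<uint32_t>& spans) {
    uint32_t total = 0;
    for (uint32_t s : spans) total += s;  // wraps modulo 2^32
    return total;
}

// Post-fix: each span is clamped to kMaxColSpan before accumulation. The total
// still wraps, but only after 524,417 columns of maximal span (524,417 * 8190 > 2^32).
uint32_t totalSpanClamped(const std::vector<uint32_t>& spans) {
    uint32_t total = 0;
    for (uint32_t s : spans) total += std::min(s, kMaxColSpan);
    return total;
}

// Defensive variant not in the Chromium fix: accumulate in 64 bits and saturate,
// so no column count can bring the total back to zero.
uint32_t totalSpanSaturating(const std::vector<uint32_t>& spans) {
    uint64_t total = 0;
    for (uint32_t s : spans) {
        total += std::min(s, kMaxColSpan);
        if (total > UINT32_MAX) return UINT32_MAX;
    }
    return static_cast<uint32_t>(total);
}

// The "later operation": width per span unit. Returns -1 rather than dividing
// by zero, which is the floating-point exception the fuzzer reported.
long long widthPerSpan(uint32_t tableWidth, uint32_t spanTotal) {
    if (spanTotal == 0) return -1;
    return tableWidth / spanTotal;
}

int main() {
    const std::vector<uint32_t> huge = {2147483648u, 2147483648u};  // 2^31 + 2^31
    std::printf("unchecked total: %u -> width %lld\n", totalSpanUnchecked(huge),
                widthPerSpan(1000, totalSpanUnchecked(huge)));
    std::printf("clamped total:   %u -> width %lld\n", totalSpanClamped(huge),
                widthPerSpan(163800, totalSpanClamped(huge)));
    return 0;
}
```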
Dec 17 2016
ClusterFuzz has detected this issue as fixed in range 438853:439220.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6308243350749184
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: Floating-point-exception
Crash Address:
Crash State:
blink::TableLayoutAlgorithmFixed::layout
blink::LayoutTable::layout
blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=344607:344814
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=438853:439220
Minimized Testcase (0.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96PQPcGtLMfR4QWkzUFrmoE5AuKxXgwJTl5hw2QXWRLytzzshxbjLtju8DySG0FxapUvvfgUNUUlSYgwtl1GfeL9BTOLY0yrYhT3HlZDjo7JvB92O657lNwMgIDTzv8scc-eWx13hkKh2K-TPYyHwjWjybGdw?testcase_id=6308243350749184

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 17 2016
ClusterFuzz testcase 6308243350749184 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
May 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4489cf4203527eb29aa976563a48157cf273a5ad

commit 4489cf4203527eb29aa976563a48157cf273a5ad
Author: David Grogan <dgrogan@chromium.org>
Date: Thu May 18 18:12:17 2017

[css-tables] Rebaseline fast/dom/HTMLTableColElement/span-attribute.html

It has a funky character that rietveld can't handle.

BUG= 660581
Change-Id: I58296c4eec5c322ec8d5235aae9270742e6dde0a
Reviewed-on: https://chromium-review.googlesource.com/423110
Commit-Queue: David Grogan <dgrogan@chromium.org>
Reviewed-by: Morten Stenshorne <mstensho@opera.com>
Cr-Commit-Position: refs/heads/master@{#472873}

[modify] https://crrev.com/4489cf4203527eb29aa976563a48157cf273a5ad/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/4489cf4203527eb29aa976563a48157cf273a5ad/third_party/WebKit/LayoutTests/html/tabular_data/col_span-expected.txt
Comment 1 by mmohammad@chromium.org, Oct 31 2016
Status: Assigned (was: Untriaged)