
Issue 661761

Issue metadata

Status: Fixed
Owner:
NOT IN USE
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




Crash in blink::LayoutMultiColumnFlowThread::flowThreadDescendantWillBeRemoved

Project Member Reported by ClusterFuzz, Nov 2 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5486792905326592

Fuzzer: marty_html_twiddler
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  blink::LayoutMultiColumnFlowThread::flowThreadDescendantWillBeRemoved
  blink::LayoutObject::removeFromLayoutFlowThreadRecursive
  blink::LayoutObject::removeFromLayoutFlowThread
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=429254:429264

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97OcSdd1qpub0XIss6uoEobyB_rQ4IsQKqJyqUmkLWqZqFiqYCRy8IF1nrlLWG8up0His65Mjxof312Na4D0HwGgNnUZXaeLdzGrGvjnXyJ4GjJlzauEHJe88GPjSxHxMifXKq-Yrwv_SZAExFjUpP_eqjjsXGSgfSnKk0fX-suNOsr5aw?testcase_id=5486792905326592


Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: Test-Predator-Wrong
Components: Blink>Layout
Labels: M-56
Owner: dcheng@chromium.org
Status: Assigned (was: Untriaged)
From code search suspecting the below.
Suspect : https://codereview.chromium.org/2366153002
dcheng@: Could you please take a look into this if it's related to your change; else please help assign an appropriate owner for this.
Currently it's impacting Head.
Cc: dcheng@chromium.org
Owner: e...@chromium.org
That CL didn't touch any source files. I don't think anything in this particular area has changed recently, nor do I see any particularly suspicious CLs in that blame range (none are layout related).

Someone from the layout team should triage this, I guess columnSetToRemove is null somehow.

Comment 4 by e...@chromium.org, Nov 3 2016

Components: -Blink>Layout Blink>Layout>MultiCol
Labels: -Pri-1 Pri-2
Owner: msten...@opera.com

Comment 5 by msten...@opera.com, Nov 3 2016

Attachment: tc-semi-reduced.html (3.4 KB)

Comment 6 by msten...@opera.com, Nov 4 2016

Attachment: tc.html (424 bytes)

Comment 7 by bugdroid1@chromium.org (Project Member), Nov 4 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d97ab241d0580e1a2478e07963faa0b1f0004c9b

commit d97ab241d0580e1a2478e07963faa0b1f0004c9b
Author: mstensho <mstensho@opera.com>
Date: Fri Nov 04 20:39:03 2016

Descendants may become or cease to be spanners when an ancestor changes style.

When building the tree, when inserting something that looks like a
column spanner, we first examine all the parents all the way up to the
multicol container, to make sure that they are all valid spanner
containers. This already works fine.

In our implementation, a valid column spanner container is, roughly, a
"regular" in-flow block. Among other things, it may not establish a
new block formatting context. Nor transforms. And a few other
things.

If the style of a valid column spanner container changes, it may end
up as no longer being a valid spanner container, and vice versa: an
invalid spanner container may become a valid spanner container, all of
a sudden.

Detect this during style change. If a block ceases to be a valid
spanner container, we need to check its subtree for spanners, and turn
them into regular column content. And, vice versa, if a block is
turned into a valid spanner container, we need to check its subtree
for column-span:all objects, which may have to be changed from regular
column content into spanners.

BUG=661761

Review-Url: https://codereview.chromium.org/2479873002
Cr-Commit-Position: refs/heads/master@{#430005}

[add] https://crrev.com/d97ab241d0580e1a2478e07963faa0b1f0004c9b/third_party/WebKit/LayoutTests/fast/multicol/dynamic/former-spanner-in-float-in-continuation-crash.html
[add] https://crrev.com/d97ab241d0580e1a2478e07963faa0b1f0004c9b/third_party/WebKit/LayoutTests/fast/multicol/dynamic/invalid-spanner-container-becomes-valid.html
[add] https://crrev.com/d97ab241d0580e1a2478e07963faa0b1f0004c9b/third_party/WebKit/LayoutTests/fast/multicol/dynamic/valid-spanner-container-becomes-invalid.html
[modify] https://crrev.com/d97ab241d0580e1a2478e07963faa0b1f0004c9b/third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp
[modify] https://crrev.com/d97ab241d0580e1a2478e07963faa0b1f0004c9b/third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.h
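The commit message above describes an invariant and a repair step: an object with column-span:all is a spanner only while every ancestor up to the multicol container is a valid spanner container, and when a block flips between valid and invalid its subtree has to be re-examined. The following is an added toy model of that rule, written for this page; it is not Blink's code, and the `Box`, `Style`, `canBeSpanner` and `applyStyleChange` names are assumptions made for illustration. It mirrors the scenario of the regression tests the commit adds (a valid spanner container becoming invalid, then valid again) and shows that the subtree walk is only needed when container validity actually changes.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Toy model of the spanner-container rule described in the commit message.
// Not Blink code; all names here are assumptions made for this example.
struct Style {
    bool columnSpanAll = false;   // column-span: all
    bool establishesBFC = false;  // e.g. overflow:hidden, display:flow-root
    bool hasTransform = false;    // any transform other than none
};

struct Box {
    std::string name;
    Style style;
    bool isMulticolContainer = false;
    bool isSpanner = false;  // current classification in the toy tree
    Box* parent = nullptr;
    std::vector<std::unique_ptr<Box>> children;

    Box* addChild(const std::string& childName, Style childStyle) {
        auto child = std::make_unique<Box>();
        child->name = childName;
        child->style = childStyle;
        child->parent = this;
        children.push_back(std::move(child));
        return children.back().get();
    }
};

// A valid spanner container is, roughly, a regular in-flow block: no new
// block formatting context and no transform (the commit lists a few more).
bool isValidSpannerContainer(const Box& box) {
    return !box.style.establishesBFC && !box.style.hasTransform;
}

// Walk up from the box: it may be a spanner only if every ancestor below the
// multicol container is a valid spanner container.
bool canBeSpanner(const Box& box) {
    if (!box.style.columnSpanAll) return false;
    for (const Box* p = box.parent; p != nullptr; p = p->parent) {
        if (p->isMulticolContainer) return true;
        if (!isValidSpannerContainer(*p)) return false;
    }
    return false;  // not inside a multicol container at all
}

// Re-evaluate every descendant; returns how many classifications changed.
int reclassifySubtree(Box& root) {
    int changed = 0;
    for (auto& child : root.children) {
        bool shouldBeSpanner = canBeSpanner(*child);
        if (shouldBeSpanner != child->isSpanner) {
            child->isSpanner = shouldBeSpanner;
            ++changed;
        }
        changed += reclassifySubtree(*child);
    }
    return changed;
}

// The check the commit adds during style change: only when a block flips
// between valid and invalid spanner container does its subtree need a pass.
int applyStyleChange(Box& box, Style newStyle) {
    bool wasValid = isValidSpannerContainer(box);
    box.style = newStyle;
    if (wasValid == isValidSpannerContainer(box)) return 0;
    return reclassifySubtree(box);
}

struct ScenarioResult { int lostSpanners; int regainedSpanners; bool spannerAtEnd; };

// Constructed scenario: multicol > block > column-span:all child. The block
// gains a new formatting context (becomes invalid) and then loses it again.
ScenarioResult runScenario() {
    Box multicol;
    multicol.name = "multicol";
    multicol.isMulticolContainer = true;
    Box* block = multicol.addChild("block", Style{});
    Style spanStyle; spanStyle.columnSpanAll = true;
    Box* spanner = block->addChild("spanner", spanStyle);
    reclassifySubtree(multicol);  // initial classification: child is a spanner

    Style bfc; bfc.establishesBFC = true;
    int lost = applyStyleChange(*block, bfc);          // spanner -> regular content
    int regained = applyStyleChange(*block, Style{});  // regular content -> spanner
    return {lost, regained, spanner->isSpanner};
}

int main() {
    ScenarioResult r = runScenario();
    std::cout << "lost=" << r.lostSpanners << " regained=" << r.regainedSpanners
              << " spannerAtEnd=" << r.spannerAtEnd << "\n";
    return 0;
}
```

The point a defender takes from the model is the consistency check itself: a style change that does not flip container validity returns 0 and touches nothing, while a flip re-derives every descendant's classification from the tree rather than trusting a stale flag, which is the class of stale-state mismatch the crash report above points at.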

Comment 8 by msten...@opera.com, Nov 4 2016

Status: Fixed (was: Assigned)
Comment 9 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
