Floating-point-exception in intMod
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5609633038467072

Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: Floating-point-exception
Crash Address:
Crash State:
  intMod
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
  adjustedMarginBeforeForPagination

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=435881:435933

Minimized Testcase (0.51 Kb): https://cluster-fuzz.appspot.com/download/AMIfv967-Y6FLH1D4XuJE6S6REIh9CN3YyDVedU3gGNA7mLheo-yOvGl1nIVPwYO9460zfv8fBid6uGRMJc9QTzNQia2uZsijJcPWpDIyl1o6Df_M0lKDhyZHyWPYzppuNA8YY-xL-AzvYwcTAyibjWSxlo23GX_EQ?testcase_id=5609633038467072

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 5 2016
Issue 670901 has been merged into this issue.
Dec 7 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/95342a4986af56783818b4a7f578f4b3b2bf5f2b

commit 95342a4986af56783818b4a7f578f4b3b2bf5f2b
Author: mstensho <mstensho@opera.com>
Date: Wed Dec 07 21:19:40 2016

Better isPageLogicalHeightKnown() implementation.

Need to consult the flow thread, if we have one. We may run into situations where fragmentainer groups in the first column set have got their height calculated, while later column sets still haven't calculated it [1]. So checking if flow thread offset 0 is in a fragmentainer of known height isn't good enough.

Also moved the implementation from LayoutBlock to LayoutBox, since it's pretty coincidental that we currently don't need this particular method outside of LayoutBlock.

[1] LayoutMultiColumnSet::recalculateColumnHeight() may reset the column heights if it detects that the column set has been moved since previous layout pass.

BUG=670902
Review-Url: https://codereview.chromium.org/2553133002
Cr-Commit-Position: refs/heads/master@{#437063}

[add] https://crrev.com/95342a4986af56783818b4a7f578f4b3b2bf5f2b/third_party/WebKit/LayoutTests/fast/multicol/nested-with-spanner-and-margin-crash.html
[modify] https://crrev.com/95342a4986af56783818b4a7f578f4b3b2bf5f2b/third_party/WebKit/Source/core/layout/LayoutBlock.h
[modify] https://crrev.com/95342a4986af56783818b4a7f578f4b3b2bf5f2b/third_party/WebKit/Source/core/layout/LayoutBox.cpp
[modify] https://crrev.com/95342a4986af56783818b4a7f578f4b3b2bf5f2b/third_party/WebKit/Source/core/layout/LayoutBox.h
Dec 8 2016
ClusterFuzz has detected this issue as fixed in range 437053:437094.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5609633038467072

Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: Floating-point-exception
Crash Address:
Crash State:
  intMod
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
  adjustedMarginBeforeForPagination

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=435881:435933
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=437053:437094

Minimized Testcase (0.51 Kb): https://cluster-fuzz.appspot.com/download/AMIfv967-Y6FLH1D4XuJE6S6REIh9CN3YyDVedU3gGNA7mLheo-yOvGl1nIVPwYO9460zfv8fBid6uGRMJc9QTzNQia2uZsijJcPWpDIyl1o6Df_M0lKDhyZHyWPYzppuNA8YY-xL-AzvYwcTAyibjWSxlo23GX_EQ?testcase_id=5609633038467072

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 10 2016
Issue 673012 has been merged into this issue.
Comment 1 by mummare...@chromium.org, Dec 3 2016
Components: Blink>Layout
Labels: M-57 Test-Predator-Correct-CLs
Owner: e...@chromium.org
Status: Assigned (was: Untriaged)