New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 682597 link

Starred by 1 user
Status: WontFix
Owner:
msten...@opera.com
NOT IN USE
Closed: Feb 2017
Cc:
msrchandra@chromium.org
rmcilroy@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Floating-point-exception in blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset

Project Member Reported by ClusterFuzz, Jan 19 2017 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5431941445976064

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8_arm_ignition
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
  blink::LayoutFlowThread::pageRemainingLogicalHeightForOffset
  blink::LayoutBox::pageRemainingLogicalHeightForOffset
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm_ignition&range=436997:437094

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96DrKrbV-RdDW3Fo3cRaXnjpQA_Yg6k0qUcWCoDPIfP2cnL1zrZmghZfYJD_xva5S_U-p2WbXERFLA-m3Z0QayJ78ky0WFVvAmnAE13gwGaTHaE3QL29uaHYBrBJlIye8OXnVfRMiM00fts9XUk74HQ3ORlpOF-0XCgF7e-ikwEqQSnlmRRlLFF58x2i9kJkmtHd-eSVzXFl-D66-n8ZmZpj7dFHZqZAjQi0rG4sRKT1sc9GdsLpp0xz2sn3qoOc4hRrpJV6pZz0NdX50LgJ9aBhx2COho5kg29dU-333HWNHqHESfpn-NtAJIcpJVnulJ3p51dkQzutZHBs3qk8nTHBb7LySqPtiVEt6ORj7eeU38eG8E?testcase_id=5431941445976064
  <script>
   try {
    __f_196();
} catch(e) { print(); }
  </script>
 <p>
   &gt;
  <menu>
   <style>
	 * { animation-name: cfpulse86; overflow-y: -webkit-paged-y;


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, Jan 19 2017

Cc: msrchandra@chromium.org
Components: Blink>Layout
Labels: Test-Predator-Correct-CLs
Owner: msten...@opera.com
Status: Assigned (was: Untriaged)
Assigning to the concern owner find it results --
The result is a list of CLs that change the crashed files. 

Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/95342a4986af56783818b4a7f578f4b3b2bf5f2b
Time: Wed Dec 07 21:19:40 2016
File LayoutBox.cpp is changed in this cl (and is part of stack frame #3, "blink::LayoutBox::pageRemainingLogicalHeightForOffset")
Minimum distance from crash line to modified line: 54. (file: LayoutBox.cpp, crashed on: 5595, modified: 5541).

@mstensho -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by msten...@opera.com, Jan 19 2017 

I cannot reproduce this. https://codereview.chromium.org/2631013002 seems relevant, but it doesn't reproduce here, neither with nor without that patch.

Comment 3 by e...@chromium.org, Feb 2 2017

Status: WontFix (was: Assigned)

Sign in to add a comment