New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 683005 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
wangxianzhu@chromium.org
brajkumar@chromium.org
e...@chromium.org
chrishtr@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug



Sign in to add a comment

!currContainer->hasTransformRelatedProperty() in LayoutObject.cpp

Project Member Reported by ClusterFuzz, Jan 20 2017 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6144103126663168

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !currContainer->hasTransformRelatedProperty() in LayoutObject.cpp
  blink::LayoutObject::offsetFromAncestorContainer
  blink::LayoutBoxModelObject::pushMappingToContainer
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=283188:283414

Minimized Testcase (0.53 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96jOYLEYL8Ixf7LLsrwnxClY5L4g7-r1hFKDLp0lK5IrMBSkcVmFpOqOM3II--fhxWmDFVkMEKPV4nu75WynQ39-PwJUdVIyyiB6EN6hYEVHjE9Ztc71qPR2AxqcDsH_5wIQFVnkLorg_zLg7FlA9JJJEB0P4eHLgJu0M3U36m36F8fLznoF9m5j_zDiUdNrEaoCWgSyR55ccodp-gOz7_ja_VRHNq3cO8fQeCISbme0Z8gL8sprHZaqX2qSHkKi4DudhsTd82Ch43WMiSzSs9Vt9prGPwMrHpV2AyuJwDld1V6aWI3pEs53cyoJdHZCKOW0I-Gfsec1KWOF_mw-bhQhGgNJOnb5Vu69A3W2wIudGOg_1I?testcase_id=6144103126663168
<style>
.c1 { overflow: visible; -webkit-transform: translate(100px, 100px); }
.c5 { overflow: scroll; position: fixed;</style>
<script>
var nodes = Array();
 nodes[79] = document.createElement('thead'); 
 document.documentElement.appendChild(nodes[79]); 
 nodes[85] = document.createElement('i'); 
 nodes[79].appendChild(nodes[85]); 
 nodes[87] = document.createElement('blockquote'); 
 nodes[87].setAttribute('class', 'c5'); 
setTimeout("try { nodes[79].setAttribute('class', 'c1'); } catch(e) {}");
 nodes[85].appendChild(nodes[87]); 
</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by brajkumar@chromium.org, Jan 20 2017

Cc: brajkumar@chromium.org
Components: Blink>Layout
Labels: Test-Predator-Wrong
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)
Find it and CL did not provide any possible suspect.
Using code search for file "ayoutObject.cpp" from line #9 suspecting the below change
Review URL: https://codereview.chromium.org/2436283002

wangxianzhu@ - Could you please check if this is caused with respect to your change, if not please help us in reassign the issue to the right owner.

Thanks!

Comment 2 by wangxianzhu@chromium.org, Jan 26 2017

Cc: chrishtr@chromium.org
Components: Blink>Compositing
Labels: -Pri-1 Pri-2
Reduced test case:
<table>
  <tr id="tr">
    <td style="position: fixed"></td>
  </tr>
</table>
<script>
setTimeout(function() {
  tr.style.transform = 'translateX(100px)';
}, 0); 
</script>
fuzz-1.html
173 bytes View Download

Comment 3 by wangxianzhu@chromium.org, Jan 26 2017

Cc: e...@chromium.org
Components: -Blink>Compositing
Owner: ----
Status: Available (was: Assigned)
The following assumption of no transform between an object and its container is incorrect:

  if (skipInfo.ancestorSkipped()) {
    // There can't be a transform between paintInvalidationContainer and
    // ancestorToStopAt, because transforms create containers, so it should be
    // safe to just subtract the delta between the ancestor and
    // ancestorToStopAt.
    adjustmentForSkippedAncestor =
        -ancestorToStopAt->offsetFromAncestorContainer(container);
  }

For example:
- fixed-position under non-block transformed object;
- float under transformed inline.

Comment 4 by chrishtr@chromium.org, Apr 25 2017

Cc: wangxianzhu@chromium.org
 Issue 715233  has been merged into this issue.
Project Member

Comment 5 by ClusterFuzz, May 17 2017

Labels: OS-Windows OS-Mac
Project Member

Comment 6 by ClusterFuzz, Jun 27 2017

Status: WontFix (was: Available)
ClusterFuzz testcase 5893196799541248 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment