enclosingIntRect(layoutObjectMappedResult) == enclosingIntRect(result.boundingBo
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6500833010384896

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  enclosingIntRect(layoutObjectMappedResult) == enclosingIntRect(result.boundingBo
  blink::LayoutGeometryMap::mapToAncestor
  blink::LayoutGeometryMap::absoluteRect

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97JX3jCvWLtJ-23cHaVFZtnK4We8-o9aaraxBs-p9lcUsFb2-NpAahxvWxsvMzvvv69R02wk-l4orKprhtrpoR_8jUDrS3w_kllx-J0Swm6nf7TJDriFHTj_4z27j7-rtcH8FwaDL0p2zTN6pAJljQux85EcaicJlKms-q_-_iQNGd_RvISUGDSAsHTDkMKA-j7mQlkTuRV6VsXC_b9AxdFxf62xI_S2wOAyKf4sZJdf5qkOAEu7nK2r_BODD8QCVj1fPm4fKHEU2O0WgaOl84U8yEJs9o6lxwc1jmTwO7NpZklejcEY7R37klIB2Lqxpfnt7d1vDIRHxpBPCefujPONpz1Ro6FRQ3ODXjFDc3iWG9xfWo?testcase_id=6500833010384896

  <style>
  div { transform: scale(2) rotate(90deg); }
  </style>
  <div style="-webkit-columns:3;">
  <span id="elm" the second line is in the third column. -->
  <script>
  var rects = document.getElementById('elm').getClientRects();
  </script>

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 26 2017
It seems that the transform on the multicol is not respected when pushing mapping into LayoutGeometryMap. mstensho@opera.com, can you take a look?
Jun 19 2017
Pretty obvious what's going wrong here, but I'm not sure where it should be fixed.
#3 0x00007fffea044366 in blink::LayoutGeometryMap::MapToAncestor (this=0x7fffb5a66600, rect=..., ancestor=0x0)
at gen/third_party/WebKit/Source/core/layout/../../../../../../../../third_party/WebKit/Source/core/layout/LayoutGeometryMap.cpp:189
#4 0x00007fffea0c5829 in blink::LayoutGeometryMap::AbsoluteRect (this=0x7fffb5a66600, rect=...)
at ../../third_party/WebKit/Source/core/layout/LayoutGeometryMap.h:61
#5 0x00007fffea057926 in blink::(anonymous namespace)::AbsoluteQuadsGeneratorContext::operator() (this=0x7fffb5a665f8, rect=...)
at gen/third_party/WebKit/Source/core/layout/../../../../../../../../third_party/WebKit/Source/core/layout/LayoutInline.cpp:780
#6 0x00007fffea089c55 in blink::(anonymous namespace)::AbsoluteQuadsGeneratorContext::operator() (this=0x7fffb5a665f8, rect=...)
at gen/third_party/WebKit/Source/core/layout/../../../../../../../../third_party/WebKit/Source/core/layout/LayoutInline.cpp:782
#7 0x00007fffea089b42 in blink::LayoutInline::GenerateCulledLineBoxRects<blink::(anonymous namespace)::AbsoluteQuadsGeneratorContext> (this=0x3e375963c010, yield=..., container=0x3e375963c010)
at gen/third_party/WebKit/Source/core/layout/../../../../../../../../third_party/WebKit/Source/core/layout/LayoutInline.cpp:714
#8 0x00007fffea057859 in blink::LayoutInline::GenerateLineBoxRects<blink::(anonymous namespace)::AbsoluteQuadsGeneratorContext>
(this=0x3e375963c010, yield=...)
at gen/third_party/WebKit/Source/core/layout/../../../../../../../../third_party/WebKit/Source/core/layout/LayoutInline.cpp:616
#9 0x00007fffea057750 in blink::LayoutInline::AbsoluteQuadsForSelf (this=0x3e375963c010,
quads=WTF::Vector of length 0, capacity 0, mode=0)
at gen/third_party/WebKit/Source/core/layout/../../../../../../../../third_party/WebKit/Source/core/layout/LayoutInline.cpp:794
#10 0x00007fffea01fd36 in blink::LayoutBoxModelObject::AbsoluteQuads (this=0x3e375963c010,
quads=WTF::Vector of length 0, capacity 0, mode=0)
at gen/third_party/WebKit/Source/core/layout/../../../../../../../../third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp:695
#11 0x00007fffe965bb28 in blink::Element::ClientQuads (this=0x28fa75063b70, quads=WTF::Vector of length 0, capacity 0)
at gen/third_party/WebKit/Source/core/dom/../../../../../../../../third_party/WebKit/Source/core/dom/Element.cpp:1240
Element::ClientQuads() doesn't specify the mode parameter, so we get no flags set. No kUseTransforms, nothing. I don't know if this is correct.
Anyway, MapToAncestor() in frame #3 invokes the other MapToAncestor() method (TransformState&, const LayoutBoxModelObject* ancestor), which realizes that we HasNonUniformStep(), and calls MapLocalToAncestor() on its own, without adding any other flag than kApplyContainerFlip. |ancestor| is nullptr, so we walk all the way to the root, which is fine.
The test code that DCHECKs whether the result is sane calls LayoutObject::LocalToAncestorQuad(), which supplies kUseTransforms. MapLocalToAncestor(), on the other hand, doesn't supply anything.
So, how should we make sure that kUseTransforms is included? Should we perhaps call LocalToAncestorQuad() instead of MapLocalToAncestor() directly? The MapLocalToAncestor() documentation mentions that "[y]ou should never need to call these directly; use localToAbsolute/ absoluteToLocal methods instead.". :)
Jun 19 2017
+chrishtr for idea about #3.
Jun 20 2017
You should add kUseTransforms to the call to AbsoluteQuads from Element::ClientQuads. Transform is already included for boxes, since LayoutBox::AbsoluteQuads calls LayoutBox::LocalToAncestorQuad, which adds kUseTransforms as you mentioned.
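The flag-propagation problem described in the two comments above (the geometry map's non-uniform-step fallback echoes whatever mode Element::ClientQuads() passed, while the DCHECK's reference path always uses kUseTransforms) can be modelled without a browser. The block below is an added illustration written for this page, not code from the bug, the fix or Blink: it maps a rect that is local to an inline up through a transformed multicol box by two paths, one honouring the caller's mode flags and one always applying transforms, and compares enclosingIntRect() of both, as the failing check does. The bit value of kUseTransforms, the multicol box size and offset, and the line-box coordinates are assumptions chosen to resemble the fuzzer test case.

```javascript
// Added model of the consistency check in LayoutGeometryMap::MapToAncestor, as
// described in the thread. Not Blink code; geometry and flag values are assumed.

const kUseTransforms = 1 << 0; // name from the thread; the bit value is an assumption

function enclosingIntRect(r) {
  const x = Math.floor(r.x);
  const y = Math.floor(r.y);
  return { x, y, width: Math.ceil(r.x + r.width) - x, height: Math.ceil(r.y + r.height) - y };
}

function rectsEqual(a, b) {
  return a.x === b.x && a.y === b.y && a.width === b.width && a.height === b.height;
}

// 2D affine matrices in CSS matrix(a, b, c, d, e, f) layout.
const translate = (tx, ty) => ({ a: 1, b: 0, c: 0, d: 1, e: tx, f: ty });
const scale = (s) => ({ a: s, b: 0, c: 0, d: s, e: 0, f: 0 });
function rotate(deg) {
  // Snap cos/sin so multiples of 90deg stay exact; otherwise enclosingIntRect()
  // would pick up floating-point noise and the comparison would be meaningless.
  const snap = (v) => Number(v.toFixed(12));
  const rad = (deg * Math.PI) / 180;
  const cos = snap(Math.cos(rad));
  const sin = snap(Math.sin(rad));
  return { a: cos, b: sin, c: -sin, d: cos, e: 0, f: 0 }; // CSS rotate(): clockwise, y down
}
// Product m * n: n is applied first, then m (CSS transform-list order).
function multiply(m, n) {
  return {
    a: m.a * n.a + m.c * n.b,
    b: m.b * n.a + m.d * n.b,
    c: m.a * n.c + m.c * n.d,
    d: m.b * n.c + m.d * n.d,
    e: m.a * n.e + m.c * n.f + m.e,
    f: m.b * n.e + m.d * n.f + m.f,
  };
}
const applyMatrix = (m, p) => ({ x: m.a * p.x + m.c * p.y + m.e, y: m.b * p.x + m.d * p.y + m.f });

// "transform: <fns>" on a box, with the default transform-origin of 50% 50%.
function cssTransform(box, fns) {
  const cx = box.width / 2;
  const cy = box.height / 2;
  let m = translate(cx, cy);
  for (const f of fns) m = multiply(m, f);
  return multiply(m, translate(-cx, -cy));
}

// Axis-aligned bounding box of the transformed quad.
function mapRectThroughMatrix(m, r) {
  const corners = [
    { x: r.x, y: r.y }, { x: r.x + r.width, y: r.y },
    { x: r.x, y: r.y + r.height }, { x: r.x + r.width, y: r.y + r.height },
  ].map((p) => applyMatrix(m, p));
  const xs = corners.map((p) => p.x);
  const ys = corners.map((p) => p.y);
  const minX = Math.min(...xs);
  const minY = Math.min(...ys);
  return { x: minX, y: minY, width: Math.max(...xs) - minX, height: Math.max(...ys) - minY };
}

// One step of the containing-block chain: the transform of the box being left
// (null when untransformed) and that box's offset inside its container. The
// transform is only applied when the caller asked for it, mirroring how the
// slow path echoes the caller's mode flags.
function mapLocalToAncestor(localRect, steps, mode) {
  let r = { ...localRect };
  for (const step of steps) {
    if (step.transform && (mode & kUseTransforms)) r = mapRectThroughMatrix(step.transform, r);
    r = { ...r, x: r.x + step.offset.x, y: r.y + step.offset.y };
  }
  return r;
}

// The check from the thread: the geometry-map result (caller's flags) must match
// the reference mapping, which always supplies kUseTransforms.
function geometryMapResultIsConsistent(localRect, steps, mode) {
  const geometryMapped = mapLocalToAncestor(localRect, steps, mode);
  const reference = mapLocalToAncestor(localRect, steps, mode | kUseTransforms);
  return rectsEqual(enclosingIntRect(geometryMapped), enclosingIntRect(reference));
}

// Constructed scenario after the fuzzer test case: a 300x100 multicol box with
// "transform: scale(2) rotate(90deg)" placed at (8, 8) in the root, and a line
// box of the inline somewhere in its third column (coordinates made up).
const multicolBox = { width: 300, height: 100 };
const chainToRoot = [
  { transform: cssTransform(multicolBox, [scale(2), rotate(90)]), offset: { x: 8, y: 8 } },
];
const lineBoxInMulticol = { x: 210, y: 20, width: 80, height: 20 };

function demo() {
  return {
    // Element::ClientQuads() before the fix: mode 0, so the fallback path skips
    // the multicol's transform and the check fails.
    beforeFix: geometryMapResultIsConsistent(lineBoxInMulticol, chainToRoot, 0),
    // With kUseTransforms passed down, both paths agree.
    afterFix: geometryMapResultIsConsistent(lineBoxInMulticol, chainToRoot, kUseTransforms),
    absoluteRect: mapLocalToAncestor(lineBoxInMulticol, chainToRoot, kUseTransforms),
  };
}

console.log(demo());
```

The model also shows why the fuzzer needed a transformed ancestor to hit the check: with no transform in the chain, the mode flag is irrelevant and both paths produce the same rect, so a plain multicol never trips it.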
Jun 20 2017
Thanks, I'll try that.
Jun 21 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/5f519ec9467adf9c3073628e9b8eac7e5a6d87ea

commit 5f519ec9467adf9c3073628e9b8eac7e5a6d87ea
Author: Morten Stenshorne <mstensho@opera.com>
Date: Wed Jun 21 00:12:38 2017

Element::ClientQuads() needs to take transforms into account.

In LayoutGeometryMap, when there's a non-uniform step (e.g. when inside multicol), we fall back on doing it the slow way, i.e. we involve LayoutObject::MapLocalToAncestor(). The mode flags initially passed from ClientQuads() will just be echoed here, so we need to make sure that kUseTransforms is specified.

BUG= 683925
Change-Id: I2a6fe83fb1332a19a581203d6c44c6924da3f027
Reviewed-on: https://chromium-review.googlesource.com/541339
Reviewed-by: Chris harrelson <chrishtr@chromium.org>
Commit-Queue: Morten Stenshorne <mstensho@opera.com>
Cr-Commit-Position: refs/heads/master@{#481039}

[add] https://crrev.com/5f519ec9467adf9c3073628e9b8eac7e5a6d87ea/third_party/WebKit/LayoutTests/transforms/inline-in-transformed-multicol.html
[add] https://crrev.com/5f519ec9467adf9c3073628e9b8eac7e5a6d87ea/third_party/WebKit/LayoutTests/transforms/transformed-inline-block-in-multicol.html
[modify] https://crrev.com/5f519ec9467adf9c3073628e9b8eac7e5a6d87ea/third_party/WebKit/Source/core/dom/Element.cpp
Jun 21 2017
Jun 21 2017
ClusterFuzz has detected this issue as fixed in range 481038:481050.

Detailed report: https://clusterfuzz.com/testcase?key=6500833010384896

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  enclosingIntRect(layoutObjectMappedResult) == enclosingIntRect(result.boundingBo
  blink::LayoutGeometryMap::mapToAncestor
  blink::LayoutGeometryMap::absoluteRect

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=481038:481050

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6500833010384896

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Jan 24 2017
Labels: Test-Predator-Wrong M-57
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)