
Issue 686425

Starred by 3 users

Issue metadata

Status: WontFix
Owner:
NOT IN USE
Closed: May 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




columnIndex + 1 == actualColumnCount() in MultiColumnFragmentainerGroup.cpp

Project Member Reported by ClusterFuzz, Jan 28 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5234432945684480

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  columnIndex + 1 == actualColumnCount() in MultiColumnFragmentainerGroup.cpp
  blink::MultiColumnFragmentainerGroup::flowThreadPortionRectAt
  blink::FragmentainerIterator::fragmentainerInFlowThread
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97oUGsSv_JT7-WHKSVDQdivtyf2MAYG9jFAvYQlYQxcw-BkVRN-47-wu07tq2-NRexBTYXWzm5tJ7bmxrl4QEEHYesuP0Evu8EGFVw1XA41iHv8NqbAAzlh1A66sfz95evyyq3hsqBv02ZD78_0a6jMBT9bqsCR6GDzd9tSft9BTelSrbeGf03DcWxem_icVk-LUWeMy6quNu29Gha0Wz_6hIZHx_ilJxqVIjUZ_tUJ9f543u_LIOui-T8OIve6F1X8WGDh070ktRi9HAaee9xxCIKu-pLi9ls7fnKQGSpyYlmZGbubh5poYP0F_Vz1o8Q8yW8vIJdKlzeCdzfVJyfYie0uSEonh1c4UzLMllEopbAsohA?testcase_id=5234432945684480
<div style="writing-mode:vertical-rl; columns:4;">
    <div style="columns:2;">
         style=width:80px;></div>
        <div style="columns:2;" id=innerMulticol> <!-- -->
<script>
;

        var rects = document.getElementById("innerMulticol").getClientRects();
    </script>


Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by tkent@chromium.org, Jan 30 2017

Components: Blink>Layout>MultiCol

Comment 2 by e...@chromium.org, Feb 2 2017

Labels: -Pri-1 Pri-2
Status: Available (was: Untriaged)

Comment 3 by msten...@opera.com, Mar 20 2017

Owner: msten...@opera.com
Status: Assigned (was: Available)

Comment 4 by msten...@opera.com, Mar 20 2017

Still reproducible, but the code has moved around a little: The failed DCHECK is now in MultiColumnFragmentainerGroup::logicalHeightInFlowThreadAt().
Attachment: tc.html (232 bytes)
Project Member

Comment 5 by ClusterFuzz, May 14 2017

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5234432945684480 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
