!isDirty() in RootInlineBox.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4599355324760064
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isDirty() in RootInlineBox.h
  blink::RootInlineBox::appendFloat
  blink::LayoutBlockFlow::appendFloatingObjectToLastLine
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393
Minimized Testcase (0.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95t6t_ABjWrGdPzjfOtcNWgZ80PVwJ0_JgjZc_qfc_AH85ZQqS3NmfcXIsJqRhSSu6CmhKGNWHmVvCNZTijhKVtWs5O2dVB6F8oOu-wbi1CcEDIKJiG7AROQK4L6lXVtvt6hSOlKmhkaF0NdpFBz_r_DUflbbHN1Wee-1yyed13g67OZAs47GcJ4cri5mssy4u2uHRsUAVIm7Pjkied9PcP8srPz-iW_Rkq5pbDwh54f-ut3REBcGL1rFv0CZjRvALLJbjxGywpEPoG_xpxjvjNZdTlL5IcBVi90YE2ahVyg4_YABszVDAukGKvMBOnMe2Rou51VbY07Mg9oS8X1-UIk_H9_stSsVIPUb2hFo3Gzws_5tE?testcase_id=4599355324760064
Additional requirements: Requires HTTP
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by tkent@chromium.org, Jan 30 2017
Predator and CL did not find any possible suspects. Using Code Search for the file "RootInlineBox.h", assigning to the concerned owner.
Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/2ac0bb3d271e109b6f71929eecc1e44442f9576b
@kojii -- Could you please look into the issue, kindly re-assign if this is not related to your changes. Thank you.
Jan 30 2017
Not that one... I can't see the regression range, but isn't there anything related with floats or other line layout? If none, this might be an old one, just started to trigger coincidentally. I can take a look, but not this week since I'm away from my main machine.
Feb 7 2017
mstensho@, any ideas? The call to placeNewFloats() in LineBreaker::skipLeadingWhitespace() seems to be changed in crrev.com/1899193007
Feb 7 2017
Don't know what introduced this, or if it's something old (nothing in the suggested regression range seems relevant), but LineBoxList::dirtyLinesFromChangedChild() appears to go on a joyride backwards in the layout tree if the child in question is a float. It ends up escaping the block formatting context it ought to be confined to, and will mark some earlier, completely irrelevant line box, as dirty. In our case it's the line box that we're about to finish laying out, and it asserts when it finds itself dirty when attempting to add a float. This bug causes visible layout problems, in addition to the assertion failure.
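The backwards walk described in the comment above, as an added example that is not part of the thread and not Blink's own code: a simplified layout-tree model (all names hypothetical) where the dirty-line search either climbs out of the float's block formatting context and marks an unrelated earlier line, or is confined to the containing block as the fix does.

```cpp
#include <cstddef>
#include <vector>
// Simplified layout-tree model written for this thread, not Blink's
// LineBoxList/LayoutBlockFlow code. A Box is a block or a line box; a block
// may establish a block formatting context (BFC), the scope floats belong to.
struct Box {
  bool isLine = false;
  bool establishesBfc = false;
  bool dirty = false;
  Box* parent = nullptr;
  std::vector<Box*> children;
};
static Box* previousSibling(const Box* b) {
  if (!b->parent) return nullptr;
  const std::vector<Box*>& kids = b->parent->children;
  for (std::size_t i = 0; i < kids.size(); ++i)
    if (kids[i] == b) return i ? kids[i - 1] : nullptr;
  return nullptr;
}

static Box* containingBfc(const Box* b) {
  for (Box* p = b->parent; p; p = p->parent)
    if (p->establishesBfc) return p;
  return nullptr;
}

// Walk backwards from `changed` to the nearest preceding line box. A non-null
// `stopAt` keeps the walk inside that box (the fix); nullptr lets it climb to
// the root, which is how an unrelated earlier line ends up marked dirty.
static Box* findLineToDirty(Box* changed, const Box* stopAt) {
  for (Box* cur = changed; cur->parent; cur = cur->parent) {
    for (Box* s = previousSibling(cur); s; s = previousSibling(s))
      if (s->isLine) return s;
    if (cur->parent == stopAt) return nullptr;
  }
  return nullptr;
}

// Shape from the thread: an unrelated earlier line, then a nested block with
// its own BFC whose descendant float changes. Returns true when the dirty
// mark lands on the unrelated line outside the float's BFC.
bool dirtyMarkEscapesBfc(bool confineToBfc) {
  Box root, line0, outer, inner, floatBox;
  root.establishesBfc = line0.isLine = outer.establishesBfc = true;
  auto link = [](Box& p, Box& c) { c.parent = &p; p.children.push_back(&c); };
  link(root, line0); link(root, outer); link(outer, inner); link(inner, floatBox);
  const Box* stop = confineToBfc ? containingBfc(&floatBox) : nullptr;
  if (Box* line = findLineToDirty(&floatBox, stop)) line->dirty = true;
  return line0.dirty;
}
```

With the walk unconfined the earlier line is dirtied; confined to the float's BFC, nothing outside it is touched.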
Feb 8 2017
Introduced by https://codereview.chromium.org/2411773003
Fix attempt here: https://codereview.chromium.org/2686913002
Feb 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bca58229049615bbe64a1ece05592ddce3561deb

commit bca58229049615bbe64a1ece05592ddce3561deb
Author: mstensho <mstensho@opera.com>
Date: Thu Feb 09 08:37:15 2017

Stay within the containing block when looking for a line to dirty.

BUG=686469
Review-Url: https://codereview.chromium.org/2686913002
Cr-Commit-Position: refs/heads/master@{#449237}

[add] https://crrev.com/bca58229049615bbe64a1ece05592ddce3561deb/third_party/WebKit/LayoutTests/fast/block/float/relayout-nested-float-after-line.html
[modify] https://crrev.com/bca58229049615bbe64a1ece05592ddce3561deb/third_party/WebKit/Source/core/layout/line/LineBoxList.cpp
Feb 10 2017
ClusterFuzz has detected this issue as fixed in range 449231:449250.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4599355324760064
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !isDirty() in RootInlineBox.h
  blink::RootInlineBox::appendFloat
  blink::LayoutBlockFlow::appendFloatingObjectToLastLine
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=449231:449250
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95t6t_ABjWrGdPzjfOtcNWgZ80PVwJ0_JgjZc_qfc_AH85ZQqS3NmfcXIsJqRhSSu6CmhKGNWHmVvCNZTijhKVtWs5O2dVB6F8oOu-wbi1CcEDIKJiG7AROQK4L6lXVtvt6hSOlKmhkaF0NdpFBz_r_DUflbbHN1Wee-1yyed13g67OZAs47GcJ4cri5mssy4u2uHRsUAVIm7Pjkied9PcP8srPz-iW_Rkq5pbDwh54f-ut3REBcGL1rFv0CZjRvALLJbjxGywpEPoG_xpxjvjNZdTlL5IcBVi90YE2ahVyg4_YABszVDAukGKvMBOnMe2Rou51VbY07Mg9oS8X1-UIk_H9_stSsVIPUb2hFo3Gzws_5tE?testcase_id=4599355324760064
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.