Heap-use-after-free in blink::visualRectForDisplayItem
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6010701979320320
Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x608000023da0
Crash State:
  blink::visualRectForDisplayItem
  blink::PaintController::commitNewDisplayItems
  blink::GraphicsLayer::paint
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=441524:442831
Minimized Testcase (3.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97FU1-ERQWoweDzDMl9niAprhp8FjCdR4t_rTJ1_tFR7n2K4MTOPuyGfax4jHXbChJUDNj5fShSLOmY1F1EalAPygRpZs6CNCNoC4VqXWeU2gwCz-YFTqqw5hX54dJI0PAnaxkhN3DWx9M1dfvzuwq7tjkOKjyjZq2wpicRet4mGe08Ewzvuyy2jVU7LMl_rv_h5Vc35YJ6DLAX-eMRyn_OcLV0HIYTcRMqEVQm4qyZCoeGBn7gFBFPaJeRarWOpX5Z9ECQXkn5UUcPDZpPlxU9ktuqADXPPMePINVkpFv9HvbymH3Cu5qzgywa5GQlU1KBbWknmV1RXEi5vcEY-NRrxcy8PeJ9tOnKjf2xZwxqcZr1Op8?testcase_id=6010701979320320
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 29 2017
Jan 29 2017
Jan 29 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 29 2017
Jan 30 2017
Jan 30 2017
Attempting to view: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=441524:442831 is reporting an error as 'Failed to get component rev list.'. I tried an incognito window logged in as both corp and chromium accounts.
Jan 30 2017
Jan 30 2017
The test contains 'float:right', but the patch seems not to fix it. I almost always ignore the regression ranges given by clusterfuzz because they are often incorrect and too wide.
Jan 31 2017
+mbarbella@ to have a look at #7 - I see that problem too.
Jan 31 2017
This bug is reported as M57 Beta blocker and we're very close to M57 Beta promotion on Thursday (02/02). Please plan to have fix ready and merged to M57 branch 2987 by 5:00 PM PT, tomorrow, Wednesday (02/01). Thank you.
Jan 31 2017
Feb 7 2017
Apologies, I missed seeing c#11 until now and it is already after M57 Beta promotion. If this is really high priority wangxianzhu@ would be better to look at this as it is likely closely related to similar issues he has reworked/fixed recently. Passing to him for consideration/input. If it is not related to your other float work feel free to pass back to me.
Feb 8 2017
Reduced test case
<script>
setTimeout(function() {
  input2.parentNode.insertBefore(span, input2);
}, 0);
</script>
<span style="opacity: 0.9">
  <div id="div1" style="columns: 1; float: left">
    <button>
      <span id="span">SPAN</span>
    </button>
    <button>
      <input id="input2">
    </button>
  </div>
</span>
Feb 8 2017
A friendly reminder that the M57 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock; please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Feb 9 2017
Feb 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bfa6918b9aaf67f812459e5757e46485ff8ae1d4

commit bfa6918b9aaf67f812459e5757e46485ff8ae1d4
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Thu Feb 09 06:12:24 2017

Fix PaintLayer::compositingContainer for self-painting non-stacked layers

A self-painting non-stacked layer always paints itself through the normal flow list of its parent, no matter if the parent is the containing layer. This affects a float layer under a stacked inline layer. If the float layer is self-painting but not stacked, it's painted from its parent instead of its containing layer.

BUG= 686481
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2682933002
Cr-Commit-Position: refs/heads/master@{#449219}

[add] https://crrev.com/bfa6918b9aaf67f812459e5757e46485ff8ae1d4/third_party/WebKit/LayoutTests/paint/invalidation/column-float-under-stacked-inline-expected.html
[add] https://crrev.com/bfa6918b9aaf67f812459e5757e46485ff8ae1d4/third_party/WebKit/LayoutTests/paint/invalidation/column-float-under-stacked-inline.html
[modify] https://crrev.com/bfa6918b9aaf67f812459e5757e46485ff8ae1d4/third_party/WebKit/Source/core/paint/PaintLayer.cpp
[modify] https://crrev.com/bfa6918b9aaf67f812459e5757e46485ff8ae1d4/third_party/WebKit/Source/core/paint/PaintLayerTest.cpp
Feb 9 2017
Feb 10 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 10 2017
ClusterFuzz has detected this issue as fixed in range 449206:449250.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6010701979320320
Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x608000023da0
Crash State:
  blink::visualRectForDisplayItem
  blink::PaintController::commitNewDisplayItems
  blink::GraphicsLayer::paint
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=441524:442831
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=449206:449250
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97FU1-ERQWoweDzDMl9niAprhp8FjCdR4t_rTJ1_tFR7n2K4MTOPuyGfax4jHXbChJUDNj5fShSLOmY1F1EalAPygRpZs6CNCNoC4VqXWeU2gwCz-YFTqqw5hX54dJI0PAnaxkhN3DWx9M1dfvzuwq7tjkOKjyjZq2wpicRet4mGe08Ewzvuyy2jVU7LMl_rv_h5Vc35YJ6DLAX-eMRyn_OcLV0HIYTcRMqEVQm4qyZCoeGBn7gFBFPaJeRarWOpX5Z9ECQXkn5UUcPDZpPlxU9ktuqADXPPMePINVkpFv9HvbymH3Cu5qzgywa5GQlU1KBbWknmV1RXEi5vcEY-NRrxcy8PeJ9tOnKjf2xZwxqcZr1Op8?testcase_id=6010701979320320
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 10 2017
ClusterFuzz testcase 6010701979320320 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 10 2017
Feb 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5ffefa7a3d0b13b25f70f436ac4b92c8d193e541

commit 5ffefa7a3d0b13b25f70f436ac4b92c8d193e541
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Fri Feb 10 20:04:03 2017

Fix PaintLayer::compositingContainer for self-painting non-stacked layers

A self-painting non-stacked layer always paints itself through the normal flow list of its parent, no matter if the parent is the containing layer. This affects a float layer under a stacked inline layer. If the float layer is self-painting but not stacked, it's painted from its parent instead of its containing layer.

BUG= 686481
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
TBR=wangxianzhu@chromium.org
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2682933002
Cr-Original-Commit-Position: refs/heads/master@{#449219}
Review-Url: https://codereview.chromium.org/2690633002
Cr-Commit-Position: refs/branch-heads/2987@{#449}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[add] https://crrev.com/5ffefa7a3d0b13b25f70f436ac4b92c8d193e541/third_party/WebKit/LayoutTests/paint/invalidation/column-float-under-stacked-inline-expected.html
[add] https://crrev.com/5ffefa7a3d0b13b25f70f436ac4b92c8d193e541/third_party/WebKit/LayoutTests/paint/invalidation/column-float-under-stacked-inline.html
[modify] https://crrev.com/5ffefa7a3d0b13b25f70f436ac4b92c8d193e541/third_party/WebKit/Source/core/paint/PaintLayer.cpp
[modify] https://crrev.com/5ffefa7a3d0b13b25f70f436ac4b92c8d193e541/third_party/WebKit/Source/core/paint/PaintLayerTest.cpp
Feb 13 2017
May 19 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by est...@chromium.org, Jan 29 2017
Status: Assigned (was: Untriaged)