
Issue 687001 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
NOT IN USE
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




logicalBottomInFlowThread >= m_logicalTopInFlowThread in MultiColumnFragmentaine

Project Member Reported by ClusterFuzz, Jan 31 2017

Issue description

Components: Blink>Layout
Cc: msten...@opera.com
Labels: Test-Predator-Wrong M-58

Comment 3 by e...@chromium.org, Feb 2 2017

Components: -Blink>Layout Blink>Layout>MultiCol
Labels: -Pri-1 Pri-2
Status: Assigned (was: Untriaged)

Comment 4 by msten...@opera.com, Feb 6 2017

Owner: msten...@opera.com

Comment 5 by msten...@opera.com, Feb 17 2017

Only the unminimized test case is reproducible for me.

Comment 6 by msten...@opera.com, Feb 27 2017

With https://codereview.chromium.org/2709013007/ the stack trace changed:

[7592:7622:0227/145210.863642:60549947436:FATAL:LayoutMultiColumnSet.cpp(95)] Check failed: m_fragmentainerGroups.size() == 1. 
#0 0x7f2d76a8720b base::debug::StackTrace::StackTrace()
#1 0x7f2d76a8584c base::debug::StackTrace::StackTrace()
#2 0x7f2d76af3a1f logging::LogMessage::~LogMessage()
#3 0x7f2d6d9343ab blink::LayoutMultiColumnSet::pageLogicalHeightForOffset()
#4 0x7f2d6d8f5d3c blink::LayoutFlowThread::pageLogicalHeightForOffset()
#5 0x7f2d6d8b1aa5 blink::LayoutBox::pageLogicalHeightForOffset()
#6 0x7f2d6d8b1c08 blink::LayoutBox::childNeedsRelayoutForPagination()
#7 0x7f2d6d8b1eb4 blink::LayoutBox::markChildForPaginationRelayoutIfNeeded()
#8 0x7f2d6d86af49 blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded()
#9 0x7f2d6d86b340 blink::LayoutBlockFlow::layoutBlockChild()
#10 0x7f2d6d86a084 blink::LayoutBlockFlow::layoutBlockChildren()
#11 0x7f2d6d86821e blink::LayoutBlockFlow::layoutChildren()
#12 0x7f2d6d867c82 blink::LayoutBlockFlow::layoutBlock()
#13 0x7f2d6d8518cc blink::LayoutBlock::layout()
#14 0x7f2d6d8f5921 blink::LayoutFlowThread::layout()
#15 0x7f2d6d931a3c blink::LayoutMultiColumnFlowThread::layout()
#16 0x7f2d6d92e2f8 blink::LayoutMultiColumnFlowThread::layoutColumns()
#17 0x7f2d6d8667b7 blink::LayoutBlockFlow::layoutSpecialExcludedChild()
#18 0x7f2d6d869ca2 blink::LayoutBlockFlow::layoutBlockChildren()
#19 0x7f2d6d86821e blink::LayoutBlockFlow::layoutChildren()
#20 0x7f2d6d867c82 blink::LayoutBlockFlow::layoutBlock()
#21 0x7f2d6d8518cc blink::LayoutBlock::layout()
#22 0x7f2d6d86af7f blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded()
#23 0x7f2d6d86b340 blink::LayoutBlockFlow::layoutBlockChild()
#24 0x7f2d6d86a084 blink::LayoutBlockFlow::layoutBlockChildren()
#25 0x7f2d6d86821e blink::LayoutBlockFlow::layoutChildren()
#26 0x7f2d6d867c82 blink::LayoutBlockFlow::layoutBlock()
#27 0x7f2d6d8518cc blink::LayoutBlock::layout()
#28 0x7f2d6d8f5921 blink::LayoutFlowThread::layout()
#29 0x7f2d6d931a3c blink::LayoutMultiColumnFlowThread::layout()
#30 0x7f2d6d92e2f8 blink::LayoutMultiColumnFlowThread::layoutColumns()
#31 0x7f2d6d8667b7 blink::LayoutBlockFlow::layoutSpecialExcludedChild()
#32 0x7f2d6d869ca2 blink::LayoutBlockFlow::layoutBlockChildren()
#33 0x7f2d6d86821e blink::LayoutBlockFlow::layoutChildren()
#34 0x7f2d6d867c82 blink::LayoutBlockFlow::layoutBlock()
#35 0x7f2d6d8518cc blink::LayoutBlock::layout()
#36 0x7f2d6d86af7f blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded()
#37 0x7f2d6d86b340 blink::LayoutBlockFlow::layoutBlockChild()
#38 0x7f2d6d86a084 blink::LayoutBlockFlow::layoutBlockChildren()
#39 0x7f2d6d86821e blink::LayoutBlockFlow::layoutChildren()
#40 0x7f2d6d867c82 blink::LayoutBlockFlow::layoutBlock()
#41 0x7f2d6d8518cc blink::LayoutBlock::layout()
#42 0x7f2d6d9b90f2 blink::LayoutView::layoutContent()
#43 0x7f2d6d9b9947 blink::LayoutView::layout()
#44 0x7f2d6d304e50 blink::FrameView::performLayout()
#45 0x7f2d6d30217b blink::FrameView::layout()
#46 0x7f2d6cf0e5b3 blink::Document::updateStyleAndLayout()
#47 0x7f2d6cf0e375 blink::Document::updateStyleAndLayoutIgnorePendingStylesheets()
#48 0x7f2d6d3542fe blink::LocalDOMWindow::scrollTo()
#49 0x7f2d6e307efd blink::DOMWindowV8Internal::scrollTo2Method()
#50 0x7f2d6e2f7355 blink::DOMWindowV8Internal::scrollToMethod()
#51 0x7f2d6e2f7275 blink::V8Window::scrollToMethodCallback()
#52 0x7f2d71047adb v8::internal::FunctionCallbackArguments::Call()
#53 0x7f2d71119723 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#54 0x7f2d71118260 v8::internal::Builtin_Impl_HandleApiCall()
#55 0x2f9f17004209 <unknown>

Project Member Comment 7 by ClusterFuzz, Feb 28 2017

ClusterFuzz has detected this issue as fixed in range 453200:453203.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5166984645050368

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  logicalBottomInFlowThread >= m_logicalTopInFlowThread in MultiColumnFragmentaine
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=453200:453203

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97Lim9xNMcF_TSZBxpfINpk8sWxTzLDHRIavW1y3sQYnigBGN8lZ8qgykdMqxuCBKvD9Z303DtgL84W6FNGQ4npiEXZ7gXRUotmWFzOYLnITMdPvYXGndRHgtFg1g8nYC-vBWVyIU_62mvAM5NhdJkTAh5tO99xvZKixsdJvM89lKNWVH20LnwejZPPMPxWJFo13m8CKt7zKwBJtrE9-mTKX-dRDER5JqaIeSQevQs7U2ykNOa3UqXR4DlKkzxqWpecLmx0AN1_5EVZs9FsGjP1YZfOvN4AWOM4QxXiCYCYsM6Dax4z6V1EUr2wng8bA_4vPLEmHRp5cyXgSayx8LeH135s9jxYmjSjiqHA6hetTG3l-ac?testcase_id=5166984645050368


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 8 by ClusterFuzz, Mar 1 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5166984645050368 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Project Member Comment 9 by ClusterFuzz, Mar 1 2017

ClusterFuzz has detected this issue as fixed in range 453200:453203.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5166984645050368

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  logicalBottomInFlowThread >= m_logicalTopInFlowThread in MultiColumnFragmentaine
  blink::MultiColumnFragmentainerGroup::setLogicalBottomInFlowThread
  blink::LayoutMultiColumnSet::endFlow
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=453200:453203

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97Lim9xNMcF_TSZBxpfINpk8sWxTzLDHRIavW1y3sQYnigBGN8lZ8qgykdMqxuCBKvD9Z303DtgL84W6FNGQ4npiEXZ7gXRUotmWFzOYLnITMdPvYXGndRHgtFg1g8nYC-vBWVyIU_62mvAM5NhdJkTAh5tO99xvZKixsdJvM89lKNWVH20LnwejZPPMPxWJFo13m8CKt7zKwBJtrE9-mTKX-dRDER5JqaIeSQevQs7U2ykNOa3UqXR4DlKkzxqWpecLmx0AN1_5EVZs9FsGjP1YZfOvN4AWOM4QxXiCYCYsM6Dax4z6V1EUr2wng8bA_4vPLEmHRp5cyXgSayx8LeH135s9jxYmjSjiqHA6hetTG3l-ac?testcase_id=5166984645050368


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
