Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4743795444023296
Fuzzer: bj_broddelwerk
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h
  blink::LayoutMultiColumnSet::appendNewFragmentainerGroup
  blink::LayoutMultiColumnFlowThread::appendNewFragmentainerGroupIfNeeded
Sanitizer: memory (MSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=442831:443393
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94qYAY2TK3OlqmL2Fjc8KdS22YppAUUh31FcB7IQKJukVhJSrO-1YzgdvwnxtbKJp6FRf-VKRmtXzidXLd1U5v5y3pzBgXmRBFc7LM0VkqaS0t1TB0lACW1tjwN2ROCRiJHnXcHUKOYYa_RitLDL5C2JSNzu9AWgsWPC1T3L03NGIlW5Reovv05IZgxNBdF0IRbn3qViOuvZT_ZJiiVFO58mpzvKa132shYbygU3TRcomhuPl17MaHK5p-P01hkiImWvK6gyceunwU1exTM_a0377WmA5kfRorDSFPdcaMJyXYPJeMYZZdAL29HXuVK5HsTYr9oiG9PuTs69azJbz5lIGIBFqTfyk5vRjk7S3pM5s0tOPw?testcase_id=4743795444023296
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Suspected CL: https://chromium.googlesource.com/chromium/src/+/4da5a6bc55b8e3909b98f3e0f23d7c5d0cb9ecb8%5E%21/third_party/WebKit/Source/wtf/allocator/PartitionAllocator.h
As per issue 683553, assigning to mstensho@. Please duplicate if both issues are the same. Thank you.
Issue 683553 has been merged into this issue.
ClusterFuzz testcase 5243192497930240 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Yeah, that doesn't sound right. I'm working on a fix, but I haven't even submitted it yet. :)
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7fa349e632a44c152b05ca6a66ade5f2e5b3f139

commit 7fa349e632a44c152b05ca6a66ade5f2e5b3f139
Author: mstensho <mstensho@opera.com>
Date: Thu Mar 02 22:39:16 2017

Respect constrained height on nested multicol containers.

If there's no more space in an inner multicol container (according to e.g. its height or max-height), don't create any additional fragmentainer groups (i.e. column rows). The spec isn't clear here, but this change moves us closer to Edge, and also eliminates cases where we'd previously end up with pathological numbers of fragmentainer groups.

Also flipped the logic in hasFragmentainerGroupForColumnAt(), and renamed it to needsNewFragmentainerGroupAt().

BUG= 688158
Review-Url: https://codereview.chromium.org/2725943003
Cr-Commit-Position: refs/heads/master@{#454411}

[add] https://crrev.com/7fa349e632a44c152b05ca6a66ade5f2e5b3f139/third_party/WebKit/LayoutTests/fast/multicol/nested-very-tall-inside-short-crash.html
[add] https://crrev.com/7fa349e632a44c152b05ca6a66ade5f2e5b3f139/third_party/WebKit/LayoutTests/fast/multicol/tall-content-in-inner-with-fixed-height-expected.html
[add] https://crrev.com/7fa349e632a44c152b05ca6a66ade5f2e5b3f139/third_party/WebKit/LayoutTests/fast/multicol/tall-content-in-inner-with-fixed-height.html
[modify] https://crrev.com/7fa349e632a44c152b05ca6a66ade5f2e5b3f139/third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp
[modify] https://crrev.com/7fa349e632a44c152b05ca6a66ade5f2e5b3f139/third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.cpp
[modify] https://crrev.com/7fa349e632a44c152b05ca6a66ade5f2e5b3f139/third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.h
ClusterFuzz has detected this issue as fixed in range 454393:454453.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4743795444023296
Fuzzer: bj_broddelwerk
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  count <= maxElementCountInBackingStore<T>() in PartitionAllocator.h
  blink::LayoutMultiColumnSet::appendNewFragmentainerGroup
  blink::LayoutMultiColumnFlowThread::appendNewFragmentainerGroupIfNeeded
Sanitizer: memory (MSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=442831:443393
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=454393:454453
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94qYAY2TK3OlqmL2Fjc8KdS22YppAUUh31FcB7IQKJukVhJSrO-1YzgdvwnxtbKJp6FRf-VKRmtXzidXLd1U5v5y3pzBgXmRBFc7LM0VkqaS0t1TB0lACW1tjwN2ROCRiJHnXcHUKOYYa_RitLDL5C2JSNzu9AWgsWPC1T3L03NGIlW5Reovv05IZgxNBdF0IRbn3qViOuvZT_ZJiiVFO58mpzvKa132shYbygU3TRcomhuPl17MaHK5p-P01hkiImWvK6gyceunwU1exTM_a0377WmA5kfRorDSFPdcaMJyXYPJeMYZZdAL29HXuVK5HsTYr9oiG9PuTs69azJbz5lIGIBFqTfyk5vRjk7S3pM5s0tOPw?testcase_id=4743795444023296
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Feb 3 2017
Components: Blink>Layout>MultiCol
Labels: Test-Predator-Wrong M-57
Owner: msten...@opera.com
Status: Assigned (was: Untriaged)