Issue 691182

Issue metadata

Status: Fixed
Closed: Feb 2017
OS: Linux
Pri: 2
Type: Bug

DCHECK: before.type() == after.type() in CSSLengthInterpolationType.cpp

Reported by ClusterFuzz, Feb 11 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6282299034566656

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  before.type() == after.type() in CSSLengthInterpolationType.cpp
  blink::CSSLengthInterpolationType::applyStandardPropertyValue
  blink::CSSInterpolationType::apply
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv953De7xlFA53pjxZHkTGHoFANpN8nyDrazINl3asU3g1HDpF3Df0bhrW3FZ-XOx8XYGlsQ_4BlyQx8ZyHhw-jctJeQvnpFr-A45IrDdx1DnMcmeN7ai2dHyUNoFwdRKgBspDt4ZKcxu2i1qUAmTOyO1Z2o0E_msThEfY8ixwI7nDs5xw5i-KvyMLt2oiYVnPD3roOAXS6FVx6sI6lcprLsWOaPLvUYwz0Uy3CH5w0jcDd1aEYS-vdDJfiEt7QL-OkC-h8eFml_-9vxcpFCu9r1Lx7KbG3VAFc1OXUYLY-jFPeuzNeU8BDFhh9oeWwSJLfOBSACarR3uBLCoPKdOGUK6He7-fIBwpFQrHQZN2LMzpHgBgX6oem4vpOfIUQdzWrk6o8-5tlL82ykZRfcpUdGoZ4tZOQ?testcase_id=6282299034566656


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: nyerramilli@chromium.org
Components: Blink>CSS
Labels: -Type-Bug M-57 Test-Predator-Wrong-CLs Type-Bug-Regression
Owner: alancutter@chromium.org
Status: Assigned (was: Untriaged)
Findit did not find any culprit results.

Using codesearch, I see some recent changes to 'CSSLengthInterpolationType.cpp' in
https://chromium.googlesource.com/chromium/src/+/3cd8efe88167f61d41362d233d6d2e04986f83f0

alancutter@, could you please check the issue and help?
Thanks for passing this on. This is coincidentally very timely with a refactor for CSS Transitions I'm doing.

Components: -Blink>CSS Blink>Animation
Labels: -Pri-1 -Type-Bug-Regression Pri-2 Type-Bug
Summary: DCHECK: before.type() == after.type() in CSSLengthInterpolationType.cpp (was: before.type() == after.type() in CSSLengthInterpolationType.cpp)

Comment 4 by nainar@chromium.org, Feb 14 2017

Labels: Update-Weekly

Comment 5 by bugdroid1@chromium.org, Feb 17 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0918ae11092a7ee1b278cc1a55259e7d886f156d

commit 0918ae11092a7ee1b278cc1a55259e7d886f156d
Author: alancutter <alancutter@chromium.org>
Date: Fri Feb 17 02:48:32 2017

Reduce strictness of length animation DCHECK

This patch reduces the strictness of the check in length animations that
the applied value matches what the StyleBuilder would apply for the
equivalent CSSValue. In the case of 0% values there are negligible
differences in internal representation.

With this patch the code no longer asserts on Length type, instead it
checks a more general isSpecified() property that distinguishes
keyword lengths from pixel and percentage lengths.

BUG= 691182 

Review-Url: https://codereview.chromium.org/2697743002
Cr-Commit-Position: refs/heads/master@{#451198}

[add] https://crrev.com/0918ae11092a7ee1b278cc1a55259e7d886f156d/third_party/WebKit/LayoutTests/animations/length-zero-percent-crash.html
[modify] https://crrev.com/0918ae11092a7ee1b278cc1a55259e7d886f156d/third_party/WebKit/Source/core/animation/CSSLengthInterpolationType.cpp

Status: Fixed (was: Assigned)

Comment 7 by ClusterFuzz, Mar 1 2017

ClusterFuzz has detected this issue as fixed in range 451144:451201.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6282299034566656

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  before.type() == after.type() in CSSLengthInterpolationType.cpp
  blink::CSSLengthInterpolationType::applyStandardPropertyValue
  blink::CSSInterpolationType::apply
  
Sanitizer: address (ASAN)

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=451144:451201

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94LjuomVIUwsT8r_7SJEZ16XCjGbJ4xXMnW2XORgoNg9v7Z_5MKIb0ALr7pL92_efl7FSVDB697QLvXT_2MRQyxhgykXaPohhUNZIzJz0NY-01__mu2kvWJPK14vAk16RnoNMQWfvgIpPzhKiSEDPKKorsBh61EvbfLWwH79F115PNjoY2QFpsXO3qiU5uVo4WYdpeUeiB7npjr2IKxIZqYeBtkRxlh_aQ5zS75DTnTwjq0lfx8VRuvEgIsR40VCJex9sVDKlJ92SmHK9uBcp6uRmzhOXysjcIb177SzwZsjcjj5r4JF7JddsW6Xz6-OL8O2OS9_0XNL1xy0g2tK6FNoTUn4OowUNJIgqvVB6wgtTA_VXwumz5YKNeKCyo-F_iRXK-T7jGH4Yhy42bgv4mFkngsPw?testcase_id=6282299034566656


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
