DCHECK: before.type() == after.type() in CSSLengthInterpolationType.cpp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6282299034566656
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  before.type() == after.type() in CSSLengthInterpolationType.cpp
  blink::CSSLengthInterpolationType::applyStandardPropertyValue
  blink::CSSInterpolationType::apply
Sanitizer: address (ASAN)
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv953De7xlFA53pjxZHkTGHoFANpN8nyDrazINl3asU3g1HDpF3Df0bhrW3FZ-XOx8XYGlsQ_4BlyQx8ZyHhw-jctJeQvnpFr-A45IrDdx1DnMcmeN7ai2dHyUNoFwdRKgBspDt4ZKcxu2i1qUAmTOyO1Z2o0E_msThEfY8ixwI7nDs5xw5i-KvyMLt2oiYVnPD3roOAXS6FVx6sI6lcprLsWOaPLvUYwz0Uy3CH5w0jcDd1aEYS-vdDJfiEt7QL-OkC-h8eFml_-9vxcpFCu9r1Lx7KbG3VAFc1OXUYLY-jFPeuzNeU8BDFhh9oeWwSJLfOBSACarR3uBLCoPKdOGUK6He7-fIBwpFQrHQZN2LMzpHgBgX6oem4vpOfIUQdzWrk6o8-5tlL82ykZRfcpUdGoZ4tZOQ?testcase_id=6282299034566656

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Feb 14 2017
Thanks for passing this on. This is coincidentally very timely with a refactor for CSS Transitions I'm doing.
Feb 14 2017
Feb 14 2017
Feb 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0918ae11092a7ee1b278cc1a55259e7d886f156d

commit 0918ae11092a7ee1b278cc1a55259e7d886f156d
Author: alancutter <alancutter@chromium.org>
Date: Fri Feb 17 02:48:32 2017

Reduce strictness of length animation DCHECK

This patch reduces the strictness of the check in length animations that the applied value matches what the StyleBuilder would apply for the equivalent CSSValue. In the case of 0% values there are negligible differences in internal representation. With this patch the code no longer asserts on Length type, instead it checks a more general isSpecified() property that distinguishes keyword lengths from pixel and percentage lengths.

BUG= 691182
Review-Url: https://codereview.chromium.org/2697743002
Cr-Commit-Position: refs/heads/master@{#451198}

[add] https://crrev.com/0918ae11092a7ee1b278cc1a55259e7d886f156d/third_party/WebKit/LayoutTests/animations/length-zero-percent-crash.html
[modify] https://crrev.com/0918ae11092a7ee1b278cc1a55259e7d886f156d/third_party/WebKit/Source/core/animation/CSSLengthInterpolationType.cpp
Feb 17 2017
Mar 1 2017
ClusterFuzz has detected this issue as fixed in range 451144:451201.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6282299034566656
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  before.type() == after.type() in CSSLengthInterpolationType.cpp
  blink::CSSLengthInterpolationType::applyStandardPropertyValue
  blink::CSSInterpolationType::apply
Sanitizer: address (ASAN)
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=451144:451201
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94LjuomVIUwsT8r_7SJEZ16XCjGbJ4xXMnW2XORgoNg9v7Z_5MKIb0ALr7pL92_efl7FSVDB697QLvXT_2MRQyxhgykXaPohhUNZIzJz0NY-01__mu2kvWJPK14vAk16RnoNMQWfvgIpPzhKiSEDPKKorsBh61EvbfLWwH79F115PNjoY2QFpsXO3qiU5uVo4WYdpeUeiB7npjr2IKxIZqYeBtkRxlh_aQ5zS75DTnTwjq0lfx8VRuvEgIsR40VCJex9sVDKlJ92SmHK9uBcp6uRmzhOXysjcIb177SzwZsjcjj5r4JF7JddsW6Xz6-OL8O2OS9_0XNL1xy0g2tK6FNoTUn4OowUNJIgqvVB6wgtTA_VXwumz5YKNeKCyo-F_iRXK-T7jGH4Yhy42bgv4mFkngsPw?testcase_id=6282299034566656

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by nyerramilli@google.com, Feb 13 2017
Components: Blink>CSS
Labels: -Type-Bug M-57 Test-Predator-Wrong-CLs Type-Bug-Regression
Owner: alancutter@chromium.org
Status: Assigned (was: Untriaged)