
Issue 694252

Issue metadata

Status: WontFix
Owner:
Use other robhogan account instead.
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Floating-point-exception in blink::LayoutDeprecatedFlexibleBox::layoutHorizontalBox

Project Member Reported by ClusterFuzz, Feb 20 2017

Issue description

Cc: msrchandra@chromium.org
Components: Blink>Layout>Flexbox
Labels: Test-Predator-Wrong M-57
Owner: robhogan@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not find any possible suspects.
Using Code Search for the file "LayoutDeprecatedFlexibleBox.cpp", assigning to the concerned owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/0ba2c64035b4ff978e61e2af1943b29f5a48fca3

@robhogan -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

I get a different backtrace:

[robert@mwenge WebKit (133700-14)]$ ../../out/Release/content_shell LayoutTests/694252.html 
[1:1:0224/103728.594013:287802035927:FATAL:HashTable.h(1286)] Check failed: !isEmptyOrDeletedBucket(*entry). 
#0 0x7f965a15d577 base::debug::StackTrace::StackTrace()
#1 0x7f965a18187b logging::LogMessage::~LogMessage()
#2 0x7f96561688a6 WTF::HashTable<>::add<>()
#3 0x7f965616616a blink::FlexBoxIterator::next()
#4 0x7f9656165e38 blink::gatherFlexChildrenInfo()
#5 0x7f96561626b9 blink::LayoutDeprecatedFlexibleBox::layoutHorizontalBox()
#6 0x7f9656162395 blink::LayoutDeprecatedFlexibleBox::layoutBlock()
#7 0x7f9656107c11 blink::LayoutBlock::layout()
#8 0x7f96561628ee blink::LayoutDeprecatedFlexibleBox::layoutHorizontalBox()
#9 0x7f9656162395 blink::LayoutDeprecatedFlexibleBox::layoutBlock()
#10 0x7f9656107c11 blink::LayoutBlock::layout()
#11 0x7f9656117dbc blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded()
#12 0x7f96561181aa blink::LayoutBlockFlow::layoutBlockChild()
#13 0x7f9656116e0e blink::LayoutBlockFlow::layoutBlockChildren()
#14 0x7f9656114ea7 blink::LayoutBlockFlow::layoutChildren()
#15 0x7f9656114a11 blink::LayoutBlockFlow::layoutBlock()
#16 0x7f9656107c11 blink::LayoutBlock::layout()
#17 0x7f96562100e6 blink::LayoutView::layoutContent()
#18 0x7f96562107a0 blink::LayoutView::layout()
#19 0x7f9655dd74b4 blink::FrameView::performLayout()
#20 0x7f9655dd4119 blink::FrameView::layout()
#21 0x7f9655b57e26 blink::Document::implicitClose()
#22 0x7f96562f3205 blink::FrameLoader::checkCompleted()
#23 0x7f9655b67d9a blink::Document::decrementLoadEventDelayCountAndCheckLoadEvent()
#24 0x7f9655bc233c blink::IncrementLoadEventDelayCount::clearAndCheckLoadEvent()
#25 0x7f9655f03edc blink::HTMLStyleElement::dispatchPendingEvent()
#26 0x7f9655ebfb49 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink15HTMLLinkElementEFvSt10unique_ptrINS3_28IncrementLoadEventDelayCountESt14default_deleteIS6_EEEJNS3_10PersistentIS4_EEN3WTF13PassedWrapperIS9_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#27 0x7f965a15e059 base::debug::TaskAnnotator::RunTask()
#28 0x7f96573a0d60 blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#29 0x7f965739e8ff blink::scheduler::TaskQueueManager::DoWork()
#30 0x7f96573a3125 _ZN4base8internal13FunctorTraitsIMN5blink9scheduler16TaskQueueManagerEFvbEvE6InvokeIRKNS_7WeakPtrIS4_EEJRKbEEEvS6_OT_DpOT0_
#31 0x7f965a15e059 base::debug::TaskAnnotator::RunTask()
#32 0x7f965a18f0dd base::MessageLoop::RunTask()
#33 0x7f965a18fa76 base::MessageLoop::DoWork()
#34 0x7f965a191469 base::MessagePumpDefault::Run()
#35 0x7f965a18ee33 base::MessageLoop::RunHandler()
#36 0x7f965a1c39dc base::RunLoop::Run()

Comment 3 by e...@chromium.org, Mar 1 2017

Status: WontFix (was: Assigned)
Hits an assert and is not a security issue either way. Likely not worth fixing.
Project Member Comment 4 by ClusterFuzz, Mar 9 2017

ClusterFuzz has detected this issue as fixed in range 455091:455394.

Detailed report: https://clusterfuzz.com/testcase?key=5595738378862592

Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::LayoutDeprecatedFlexibleBox::layoutHorizontalBox
  blink::LayoutDeprecatedFlexibleBox::layoutBlock
  blink::LayoutBlock::layout
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=344607:344814
Fixed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=455091:455394

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95jl2PTpC2akx5bpCgqScYJVuUo2XWoXzFtjxcwjDqrZwABsVFXWJcuYsL6O5cU8UCGLGvb-hwIQ7tv6pf6KhN-9rBJNvDCBUyFAnAX9vxwxaIavU98nLnbFaTWiPoW33toc1eLQrAYqlsvi2QdLwOPL-y7r3SxfHnWnL5oDaKeBXnP3g5j2IKXHDDhR5lN3yptVomHqQFisxjo4Bn5WVYFXPFL9h99pWaFkVGST5TS7dOvwhsKBhjWTEEFQ260wWTPrgRkuW_wnBWB-ymppsPyNV-qOGBLguU_87rSk84RA8EIAtH97Ne4i2--f506DZR_iz3-nL3grgFeWJ-gwlOz2xOQ4VHQCF0c_VTKyCkZ2z8ugxQQJrgKWp5fikrkmDlg-6CgOoBGJ3thsGl6uW0-6qHtgQ?testcase_id=5595738378862592

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.