New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 697317 link

Starred by 1 user
Status: Fixed
Owner:
r...@igalia.com
Closed: Mar 2017
Cc:
jfernan...@igalia.com
r...@igalia.com
svil...@igalia.com
msrchandra@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

height >= 0 in LayoutBox.cpp

Project Member Reported by ClusterFuzz, Mar 1 2017

Comment 1 by msrchandra@chromium.org, Mar 1 2017

Cc: msrchandra@chromium.org
Components: Blink>Layout
Labels: M-58
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not find any possible suspects.
Using Code Search for the file, "LayoutBox.cpp" assigning to the concern owner who might be related.

@wangxianzhu -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by wangxianzhu@chromium.org, Mar 1 2017

Owner: ----
Status: Available (was: Assigned)
Route to Blink>Layout triage.

Comment 3 by e...@chromium.org, Mar 8 2017

Components: -Blink>Layout Blink>Layout>Grid
Labels: -Pri-1 Pri-2
Owner: svil...@igalia.com
Status: Assigned (was: Available)

Comment 4 by jfernan...@igalia.com, Mar 8 2017

Cc: jfernan...@igalia.com

Comment 5 by r...@igalia.com, Mar 8 2017

Cc: r...@igalia.com
I can verify it's reproducible. I've attached a reduced test case.
Note that it only happens in quirks mode.

This is the backtrace:

[8475:8507:0308/094746.880493:9353356213:FATAL:LayoutBox.cpp(1236)] Check failed: height >= 0. 
#0 0x7fbfefd86a4b base::debug::StackTrace::StackTrace()
#1 0x7fbfefd850dc base::debug::StackTrace::StackTrace()
#2 0x7fbfefdf35df logging::LogMessage::~LogMessage()
#3 0x7fbfe69b79b7 blink::LayoutBox::setOverrideLogicalContentHeight()
#4 0x7fbfe6a1ed1a blink::LayoutGrid::applyStretchAlignmentToChildIfNeeded()
#5 0x7fbfe6a1b0ae blink::LayoutGrid::layoutGridItems()
#6 0x7fbfe6a19ba9 blink::LayoutGrid::layoutBlock()
#7 0x7fbfe6967bcc blink::LayoutBlock::layout()
#8 0x7fbfe69812af blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded()
#9 0x7fbfe6981670 blink::LayoutBlockFlow::layoutBlockChild()
#10 0x7fbfe69803b4 blink::LayoutBlockFlow::layoutBlockChildren()
#11 0x7fbfe697e54e blink::LayoutBlockFlow::layoutChildren()
#12 0x7fbfe697dfb2 blink::LayoutBlockFlow::layoutBlock()
#13 0x7fbfe6967bcc blink::LayoutBlock::layout()
#14 0x7fbfe69812af blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded()
#15 0x7fbfe6981670 blink::LayoutBlockFlow::layoutBlockChild()
#16 0x7fbfe69803b4 blink::LayoutBlockFlow::layoutBlockChildren()
#17 0x7fbfe697e54e blink::LayoutBlockFlow::layoutChildren()
#18 0x7fbfe697dfb2 blink::LayoutBlockFlow::layoutBlock()
#19 0x7fbfe6967bcc blink::LayoutBlock::layout()
#20 0x7fbfe69812af blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded()
#21 0x7fbfe6981670 blink::LayoutBlockFlow::layoutBlockChild()
#22 0x7fbfe69803b4 blink::LayoutBlockFlow::layoutBlockChildren()
#23 0x7fbfe697e54e blink::LayoutBlockFlow::layoutChildren()
#24 0x7fbfe697dfb2 blink::LayoutBlockFlow::layoutBlock()
#25 0x7fbfe6967bcc blink::LayoutBlock::layout()
#26 0x7fbfe6acfbe2 blink::LayoutView::layoutContent()
#27 0x7fbfe6ad0437 blink::LayoutView::layout()
#28 0x7fbfe6410570 blink::FrameView::performLayout()
#29 0x7fbfe640d73b blink::FrameView::layout()
#30 0x7fbfe60102ac blink::Document::implicitClose()
#31 0x7fbfe6c3c202 blink::FrameLoader::checkCompleted()
#32 0x7fbfe601fb75 blink::Document::decrementLoadEventDelayCountAndCheckLoadEvent()
#33 0x7fbfe60d2817 blink::IncrementLoadEventDelayCount::clearAndCheckLoadEvent()
#34 0x7fbfe65e15d5 blink::HTMLStyleElement::dispatchPendingEvent()
bug-697317-reduced.html
238 bytes View Download

Comment 6 by r...@igalia.com, Mar 9 2017 

After taking a look I managed to reproduce it with and without quirk modes
(attaching new version).

The problem seems to be in: LayoutGrid::applyStretchAlignmentToChildIfNeeded()
Some printfs inside that method:
* stretchedLogicalHeight: 0.000000
* desiredLogicalHeight: 0.000000
* child.borderAndPaddingLogicalHeight(): 1.000000

This makes that the call to setOverrideLogicalContentHeight() go with -1,
and the first line is an ASSERT to check that height is >= 0.
bug-697317-reduced.html
187 bytes View Download

Comment 7 by r...@igalia.com, Mar 9 2017

Cc: svil...@igalia.com
Owner: r...@igalia.com
Status: Started (was: Assigned)
I've a simple patch to avoid this at:
https://codereview.chromium.org/2744593002/
Project Member

Comment 9 by ClusterFuzz, Mar 11 2017 

ClusterFuzz has detected this issue as fixed in range 455700:456019.

Detailed report: https://clusterfuzz.com/testcase?key=5495032670060544

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  height >= 0 in LayoutBox.cpp
  blink::LayoutBox::setOverrideLogicalContentHeight
  blink::LayoutGrid::applyStretchAlignmentToChildIfNeeded
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=455700:456019

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94DwROyExPiJeBJgLuZwVTiCyuxoZPFY30KSrl0tI-cWZ-rV840F2MHaEhN9NZ1YPDsBHWiYW4BIC9lbsFv_35-yBOOLfAKnzbJG7RRjiblhGNEm4bmn_1ks6nhJJQbJDJcEgueT6rvqOLusjH5NKkHzi6u0zur245KQJpwMBzZJXmv2u0M78eUKeE6cbZULUgR9C-LbLTOE5Yg4kywqNhwJJxWzZwRxNuI5RBoX6eKpWJkrN5-SRMkl3gtMuSMR9dXBeV-po8iUWEHavqTUSpzMMbNnp6IoTu9BSWWuTIMvQbIS1TOXIcBuB-soKw5E1b82Id7tnOFLTgF7n3KE8OeU_VNByg3mks5rPefM9DJd__9W1XlNPIeae4btxEFBo2HGFXoPiK83_hd59dC1xoTpuhmug?testcase_id=5495032670060544


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment