Issue 697438 link

Starred by 1 user

Issue metadata

Status:	Verified
Owner:	█ msten...@opera.com NOT IN USE
Closed:	Mar 2017
Cc:	█ msrchandra@chromium.org
Components:	Blink>Layout
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Reproducible Stability-Memory-AddressSanitizer Clusterfuzz M-57 ClusterFuzz-Verified Test-Predator-Correct-CLs

Floating-point-exception in blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset

Project Member Reported by ClusterFuzz, Mar 1 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4936430028849152

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
  blink::LayoutFlowThread::pageRemainingLogicalHeightForOffset
  blink::LayoutBox::pageRemainingLogicalHeightForOffset
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=435881:435933

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv966ZuT9KA5PM6MMi5wMOWgWn3Qrjmfvo1rMuXVfHgqjjpVzZ1HVwl2m_IjY8T09TON0djQEmIZnQIkifiBor6hCfgXSdsDKguBHf8jlJbSC-1HZ2HCIc8ItPLGPggDZZwD6rsPUxyXLaM-G2GVYDlF7FwgB898YJsCsspJp5mJCWJ9Xu_RBiLaPtRRgtg3-38pmqNcZRQrmrtB8UppEANbC0VVZ8X_ztkTAA92nHDZLLJXwgvgvDdUzmbmoSAhDEX-1LGuNbojnBWhCBY6CsA16trIzaIaOou1PI0ql7oUGLsCqjxuvCMCgVNwLiYXopl2DdxIZ_C2J_kaDcIpLFsENQqdxCtYdEPI4U6pJ_cX_OgwILCI?testcase_id=4936430028849152


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, Mar 1 2017

Cc: msrchandra@chromium.org
Components: Blink>Layout
Labels: M-57 Test-Predator-Correct-CLs
Owner: msten...@opera.com
Status: Assigned (was: Untriaged)

Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/506506eac78a8106c4e92866a59b8c724ddc8b88
Time: Fri Dec 02 11:50:25 2016
Lines 1632 of file LayoutBlockFlow.cpp which potentially caused crash are changed in this cl (frame #4, "blink::LayoutBlockFlow::adjustedMarginBeforeForPagination").
Minimum distance from crash line to modified line: 0. (file: LayoutBlockFlow.cpp, crashed on: 1632, modified: 1632).

@mstensho -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by msten...@opera.com, Mar 1 2017

Reproduced. First this, though:

[31622:31651:0301/205645.171269:255224255062:FATAL:Position.h(117)] Check failed: isOffsetInAnchor().

Comment 3 by msten...@opera.com, Mar 6 2017

tc.html
679 bytes View Download

Project Member

Comment 4 by ClusterFuzz, Mar 9 2017

ClusterFuzz has detected this issue as fixed in range 455091:455392.

Detailed report: https://clusterfuzz.com/testcase?key=4936430028849152

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
  blink::LayoutFlowThread::pageRemainingLogicalHeightForOffset
  blink::LayoutBox::pageRemainingLogicalHeightForOffset
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=435881:435933
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=455091:455392

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv966ZuT9KA5PM6MMi5wMOWgWn3Qrjmfvo1rMuXVfHgqjjpVzZ1HVwl2m_IjY8T09TON0djQEmIZnQIkifiBor6hCfgXSdsDKguBHf8jlJbSC-1HZ2HCIc8ItPLGPggDZZwD6rsPUxyXLaM-G2GVYDlF7FwgB898YJsCsspJp5mJCWJ9Xu_RBiLaPtRRgtg3-38pmqNcZRQrmrtB8UppEANbC0VVZ8X_ztkTAA92nHDZLLJXwgvgvDdUzmbmoSAhDEX-1LGuNbojnBWhCBY6CsA16trIzaIaOou1PI0ql7oUGLsCqjxuvCMCgVNwLiYXopl2DdxIZ_C2J_kaDcIpLFsENQqdxCtYdEPI4U6pJ_cX_OgwILCI?testcase_id=4936430028849152


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member

Comment 5 by ClusterFuzz, Mar 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)

ClusterFuzz testcase 4936430028849152 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

►

Issue 697438 link

Issue metadata

Floating-point-exception in blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset

Issue description

Comment 1 by msrchandra@chromium.org, Mar 1 2017

Comment 1 Deleted

Comment 2 by msten...@opera.com, Mar 1 2017

Comment 2 Deleted

Comment 3 by msten...@opera.com, Mar 6 2017

Comment 3 Deleted

Comment 4 by ClusterFuzz, Mar 9 2017

Comment 4 Deleted

Comment 5 by ClusterFuzz, Mar 9 2017

Comment 5 Deleted

Sign in to add a comment