Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5472051222806528

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  m_fragmentainerGroups.size() == 1 in LayoutMultiColumnSet.cpp
  blink::LayoutMultiColumnSet::pageLogicalHeightForOffset
  blink::LayoutFlowThread::pageLogicalHeightForOffset

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=384799:384804

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97wb_bPMi10JqWc5TEdsqfJQ3c15Q7BaWiODS8_a48fO4ZcHgFTuxiBygDCTyax95QMXvik_ln9SF6UgBefbegl0hA6yx-jHzxZmhWO76mfBoQCJBvQtDGHgwCXJgvzVFODbMxMelEESXco6EUbYipM29cODX0hyqXt7cMCYnOASPTREFiHORXH5iRrh_nweoNEE4-GEWTQeDqtCVVcCxYOpaSCONvdJGDzbp7R55vxOvYwpLDMIMqZQx--8fRNZ0xL3BKF7MaUnlbXhW4hgjgXVX8y-GdAZfd9FegCG6hxWms7J_-0bFb2GtJMAJHMEvUhTyh5UB9AkzSIi_i_pO7RoJuGMuVjB-R4kc6p-nuGEXc2LRU?testcase_id=5472051222806528

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Through code search on file LayoutMultiColumnSet.cpp, suspected CL is https://chromium.googlesource.com/chromium/src/+/7fa349e632a44c152b05ca6a66ade5f2e5b3f139 mstensho@, could you please take a look? Thank you.
Not caused by the suspected CL, but it's mine anyway.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2fa8cb1b82fe741f526a5009f17b03158349e681

commit 2fa8cb1b82fe741f526a5009f17b03158349e681
Author: mstensho <mstensho@opera.com>
Date: Tue Mar 07 05:49:14 2017

Allow zero-height fragmentainers.

We used to assert against this, but we really can't, since there are legitimate reasons for a fragmentainer (and fragmentainer groups and column sets) to have zero height, e.g. when its content is zero-height.

BUG=698359
Review-Url: https://codereview.chromium.org/2737503002
Cr-Commit-Position: refs/heads/master@{#455040}

[add] https://crrev.com/2fa8cb1b82fe741f526a5009f17b03158349e681/third_party/WebKit/LayoutTests/fast/multicol/zero-height-inner-multicol-at-boundary-crash.html
[modify] https://crrev.com/2fa8cb1b82fe741f526a5009f17b03158349e681/third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.cpp
[modify] https://crrev.com/2fa8cb1b82fe741f526a5009f17b03158349e681/third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.cpp
ClusterFuzz has detected this issue as fixed in range 454873:455044.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5472051222806528

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  m_fragmentainerGroups.size() == 1 in LayoutMultiColumnSet.cpp
  blink::LayoutMultiColumnSet::pageLogicalHeightForOffset
  blink::LayoutFlowThread::pageLogicalHeightForOffset

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=384799:384804
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=454873:455044

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97wb_bPMi10JqWc5TEdsqfJQ3c15Q7BaWiODS8_a48fO4ZcHgFTuxiBygDCTyax95QMXvik_ln9SF6UgBefbegl0hA6yx-jHzxZmhWO76mfBoQCJBvQtDGHgwCXJgvzVFODbMxMelEESXco6EUbYipM29cODX0hyqXt7cMCYnOASPTREFiHORXH5iRrh_nweoNEE4-GEWTQeDqtCVVcCxYOpaSCONvdJGDzbp7R55vxOvYwpLDMIMqZQx--8fRNZ0xL3BKF7MaUnlbXhW4hgjgXVX8y-GdAZfd9FegCG6hxWms7J_-0bFb2GtJMAJHMEvUhTyh5UB9AkzSIi_i_pO7RoJuGMuVjB-R4kc6p-nuGEXc2LRU?testcase_id=5472051222806528

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Mar 3 2017
Labels: Test-Predator-Wrong M-57
Owner: msten...@opera.com
Status: Assigned (was: Untriaged)