false. Can't find cached display item in PaintController.cpp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4584235311824896

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false. Can't find cached display item in PaintController.cpp
  blink::PaintController::findOutOfOrderCachedItemForward
  blink::PaintController::findCachedItem

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=416257:416300

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95NF81CUhclZmE-s3JC9Z1DSsIEmYWJ7otf9ED6_s8Zz_mnu0gBerYmqZqsl-KUei1k70tF3-7NVr6YllFchkvkcHSsxikHFx93igxuaI3riASwRE1QHZVFeb-LQYsbQ8OXtKfXXjEKRPAWGOIu-eIYoA5OlBJKTPtKedBwzL2_Nwd_ZW3Hbhh7Pn2R0NA5TKoWBFVBRo2t9zcS-6HLEXaoWv85aZkIkaQThXT58EJclO_ONiTO8MtiCCebIIoezvJOW4sJjhQUcOClED5dnn8pKo8a-d7eUKxUCcphGPf3TG1Nng17XleeUlc9pV53qCuVB_-IrK56rAxtU-sNkttvZsBt9A75NPjLSPVSUdTHSim0pB0?testcase_id=4584235311824896

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 8 2017

Mar 9 2017

Mar 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b3ea2018ada2075038a527e4b855c9cc3fd24625

commit b3ea2018ada2075038a527e4b855c9cc3fd24625
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Thu Mar 09 17:17:19 2017

Fix wrong display item type for drag caret

The bug seems to have been there since we added DisplayItem::kCaret. This breaks under-invalidation checking itself only. It won't cause any visible issue to release builds, except a small performance penalty: the drag caret is always repainted because there is no match in the cache with the wrong id.

BUG=699480
Review-Url: https://codereview.chromium.org/2742693002
Cr-Commit-Position: refs/heads/master@{#455778}

[add] https://crrev.com/b3ea2018ada2075038a527e4b855c9cc3fd24625/third_party/WebKit/LayoutTests/paint/selection/drag-caret.html
[modify] https://crrev.com/b3ea2018ada2075038a527e4b855c9cc3fd24625/third_party/WebKit/Source/core/editing/CaretDisplayItemClient.cpp
Mar 9 2017
Mar 10 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact the milestone owner if you have questions.

Owners: amineer@ (clank), cmasso@ (bling), bhthompson@ (cros), govind@ (desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Mar 10 2017
Your change is approved for M58. Please ensure whether this fix is verified in canary. If yes, please merge ASAP so that it will be picked up for next Dev release.
Mar 11 2017
ClusterFuzz has detected this issue as fixed in range 455700:456031.

Detailed report: https://clusterfuzz.com/testcase?key=4584235311824896

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false. Can't find cached display item in PaintController.cpp
  blink::PaintController::findOutOfOrderCachedItemForward
  blink::PaintController::findCachedItem

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=416257:416300
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=455700:456031

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95NF81CUhclZmE-s3JC9Z1DSsIEmYWJ7otf9ED6_s8Zz_mnu0gBerYmqZqsl-KUei1k70tF3-7NVr6YllFchkvkcHSsxikHFx93igxuaI3riASwRE1QHZVFeb-LQYsbQ8OXtKfXXjEKRPAWGOIu-eIYoA5OlBJKTPtKedBwzL2_Nwd_ZW3Hbhh7Pn2R0NA5TKoWBFVBRo2t9zcS-6HLEXaoWv85aZkIkaQThXT58EJclO_ONiTO8MtiCCebIIoezvJOW4sJjhQUcOClED5dnn8pKo8a-d7eUKxUCcphGPf3TG1Nng17XleeUlc9pV53qCuVB_-IrK56rAxtU-sNkttvZsBt9A75NPjLSPVSUdTHSim0pB0?testcase_id=4584235311824896

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 11 2017
ClusterFuzz testcase 4584235311824896 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 12 2017
Please merge your change to M58 branch 3029 before 5:00 PM PT, Monday (03/13/17) so we can take it in for next week dev release. Thank you!
Mar 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/db27876368a5427dc351c6cb0a7c5f16718fd3be

commit db27876368a5427dc351c6cb0a7c5f16718fd3be
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Sun Mar 12 02:11:59 2017

Fix wrong display item type for drag caret

The bug seems to have been there since we added DisplayItem::kCaret. This breaks under-invalidation checking itself only. It won't cause any visible issue to release builds, except a small performance penalty: the drag caret is always repainted because there is no match in the cache with the wrong id.

BUG=699480
TBR=wangxianzhu@chromium.org
NOTRY=true
NOPRESUBMIT=true
Review-Url: https://codereview.chromium.org/2742693002
Cr-Original-Commit-Position: refs/heads/master@{#455778}
Review-Url: https://codereview.chromium.org/2741853009
Cr-Commit-Position: refs/branch-heads/3029@{#133}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[add] https://crrev.com/db27876368a5427dc351c6cb0a7c5f16718fd3be/third_party/WebKit/LayoutTests/paint/selection/drag-caret.html
[modify] https://crrev.com/db27876368a5427dc351c6cb0a7c5f16718fd3be/third_party/WebKit/Source/core/editing/CaretDisplayItemClient.cpp
Comment 1 by durga.behera@chromium.org, Mar 8 2017
Labels: M-57 Test-Predator-Correct-Regression
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)