New issue
Advanced search Search tips

Issue 710087 link

Starred by 2 users
Status: Verified
Owner:
skobes@chromium.org
Closed: May 2017
Cc:
szager@chromium.org
ifratric@google.com
kojii@chromium.org
e...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug



Sign in to add a comment

Crash in blink::PaintLayerScrollableArea::ShouldPerformScrollAnchoring

Project Member Reported by ClusterFuzz, Apr 10 2017

Comment 1 by mummare...@chromium.org, Apr 11 2017

Cc: kojii@chromium.org szager@chromium.org e...@chromium.org
Components: Blink>Layout
Labels: Test-Layout Test-Predator-Wrong M-58
Could someone please take a look?.
Thank you.

Comment 2 by szager@chromium.org, Apr 11 2017

Owner: skobes@chromium.org

Comment 3 by mummare...@chromium.org, Apr 11 2017

Status: Assigned (was: Untriaged)
Project Member

Comment 4 by bugdroid1@chromium.org, Apr 29 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c566301a304c90ca1c1b05c9ed96e09b4c0392da

commit c566301a304c90ca1c1b05c9ed96e09b4c0392da
Author: skobes <skobes@chromium.org>
Date: Sat Apr 29 09:09:23 2017

Remove LayoutObject::LayerCreationAllowedForSubtree.

This method disallows PaintLayer creation inside a LayoutSVGHiddenContainer,
even for overflow-clipping elements that would normally require a PaintLayer.

This wreaks havoc in the layout code which assumes in numerous places that
HasOverflowClip() implies GetScrollableArea() != nullptr.

It was added in http://crrev.com/88e9d056 to fix a paint bug, but it seems
unnecessary now.  The svg/foreignObject layout tests all pass and the original
test case on http://wkbug.com/41386 still renders correctly after this change.

BUG= 710087 

Review-Url: https://codereview.chromium.org/2851763004
Cr-Commit-Position: refs/heads/master@{#468233}

[add] https://crrev.com/c566301a304c90ca1c1b05c9ed96e09b4c0392da/third_party/WebKit/LayoutTests/svg/foreignObject/overflow-clip-in-hidden-container-crash-expected.txt
[add] https://crrev.com/c566301a304c90ca1c1b05c9ed96e09b4c0392da/third_party/WebKit/LayoutTests/svg/foreignObject/overflow-clip-in-hidden-container-crash.html
[modify] https://crrev.com/c566301a304c90ca1c1b05c9ed96e09b4c0392da/third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp
[modify] https://crrev.com/c566301a304c90ca1c1b05c9ed96e09b4c0392da/third_party/WebKit/Source/core/layout/LayoutObject.cpp
[modify] https://crrev.com/c566301a304c90ca1c1b05c9ed96e09b4c0392da/third_party/WebKit/Source/core/layout/LayoutObject.h
Project Member

Comment 5 by ClusterFuzz, May 1 2017 

ClusterFuzz has detected this issue as fixed in range 468227:468252.

Detailed report: https://clusterfuzz.com/testcase?key=6641970190745600

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x0000000000e8
Crash State:
  blink::PaintLayerScrollableArea::ShouldPerformScrollAnchoring
  blink::LayoutBlock::GetLayout
  blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=418712:418732
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=468227:468252

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6641970190745600


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, May 1 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6641970190745600 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment