CHECK failure: i < size() in Vector.h

Issue description, May 14 2017

Detailed report: https://clusterfuzz.com/testcase?key=4566547778764800

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  i < size() in Vector.h
  blink::GridTrackSizingAlgorithm::RawGridTrackSize
  blink::GridTrackSizingAlgorithm::GetGridTrackSize
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=466662:466694

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4566547778764800

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment, May 14 2017

Possibly the change in https://crrev.com/2834473003 is the root cause of this bug.
Comment, May 15 2017

I've a reduced test case and I can reproduce it in M58 too, so it's probably unrelated to that change. It's reproducible on a regular build, no need for an ASAN build. The reduced test case uses "repeat(auto-fill)", so probably @svillar is the right person to look into it anyway.
Comment, May 15 2017

OK, I'll take a look. Thanks for the awesome analysis.
Comment, May 17 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b3a11019e6709be450e8dc92130e53920c0e5717

commit b3a11019e6709be450e8dc92130e53920c0e5717
Author: svillar <svillar@igalia.com>
Date: Wed May 17 09:30:33 2017

[css-grid] Properly reset auto repeat style attributes

All the auto repeat attributes stored in ComputedStyle were not properly initialized/set up whenever initial or inherit were used in grid-template-{columns|rows}. This means that any previous value would be incorrectly used by the grid layout logic, like for example to compute the number of auto repeat tracks. This was causing crashes as we were trying to access invalid indexes in the Vectors storing the style information for tracks.

BUG= 722054
Review-Url: https://codereview.chromium.org/2885003002
Cr-Commit-Position: refs/heads/master@{#472396}

[add] https://crrev.com/b3a11019e6709be450e8dc92130e53920c0e5717/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-auto-repeat-inherit-initial-crash-expected.txt
[add] https://crrev.com/b3a11019e6709be450e8dc92130e53920c0e5717/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-auto-repeat-inherit-initial-crash.html
[modify] https://crrev.com/b3a11019e6709be450e8dc92130e53920c0e5717/third_party/WebKit/Source/build/scripts/templates/StyleBuilderFunctions.cpp.tmpl
Comment, May 17 2017

Bug should be fixed now.
Comment, May 18 2017

ClusterFuzz has detected this issue as fixed in range 472378:472409.

Detailed report: https://clusterfuzz.com/testcase?key=4566547778764800

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  i < size() in Vector.h
  blink::GridTrackSizingAlgorithm::RawGridTrackSize
  blink::GridTrackSizingAlgorithm::GetGridTrackSize
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=466662:466694
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=472378:472409

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4566547778764800

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment, May 18 2017

Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually.

Please contact the milestone owner if you have questions.
Owners: amineer@ (Android), cmasso@ (iOS), gkihumba@ (ChromeOS), Abdul Syed@ (Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment, May 19 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e50c18655716345368c5d6ce1c3c954546ac585b

commit e50c18655716345368c5d6ce1c3c954546ac585b
Author: Sergio Villar Senin <svillar@igalia.com>
Date: Fri May 19 08:38:17 2017

[css-grid] Properly reset auto repeat style attributes

All the auto repeat attributes stored in ComputedStyle were not properly initialized/set up whenever initial or inherit were used in grid-template-{columns|rows}. This means that any previous value would be incorrectly used by the grid layout logic, like for example to compute the number of auto repeat tracks. This was causing crashes as we were trying to access invalid indexes in the Vectors storing the style information for tracks.

BUG= 722054
Review-Url: https://codereview.chromium.org/2885003002
Cr-Original-Commit-Position: refs/heads/master@{#472396}
Review-Url: https://codereview.chromium.org/2896533003
Cr-Commit-Position: refs/branch-heads/3071@{#627}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[add] https://crrev.com/e50c18655716345368c5d6ce1c3c954546ac585b/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-auto-repeat-inherit-initial-crash-expected.txt
[add] https://crrev.com/e50c18655716345368c5d6ce1c3c954546ac585b/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-auto-repeat-inherit-initial-crash.html
[modify] https://crrev.com/e50c18655716345368c5d6ce1c3c954546ac585b/third_party/WebKit/Source/build/scripts/templates/StyleBuilderFunctions.cpp.tmpl
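The defect the commit message describes (in the May 17 landing and its M59 cherry-pick above), as an added example that is not Blink's code: a simplified C++ model in which a ComputedStyle-like struct carries both the explicit track list and the repeat(auto-fill) data, the buggy "initial" handler resets only the explicit list, and the sizing loop then indexes past the end of the track vector at exactly the point where Blink's Vector::operator[] CHECKs i < size(). Every struct, field and function name here is hypothetical; the lookup rules are a deliberately reduced stand-in for GridTrackSizingAlgorithm.

```cpp
// Added example, not Blink code: a reduced model of the stale auto-repeat state
// fixed by the commit above. All names are hypothetical.
#include <cstddef>
#include <string>
#include <vector>

struct GridStyle {
  std::vector<std::string> trackSizes;       // explicit tracks, e.g. {"100px"}
  std::vector<std::string> autoRepeatSizes;  // tracks inside repeat(auto-fill, ...)
  size_t autoRepeatInsertionPoint = 0;       // where the repeated tracks are spliced in
};

// Style-builder step for "grid-template-columns: 100px repeat(auto-fill, 50px)".
void ApplyAutoRepeatValue(GridStyle& s) {
  s.trackSizes = {"100px"};
  s.autoRepeatSizes = {"50px"};
  s.autoRepeatInsertionPoint = 1;
}

// Buggy "initial"/"inherit" path: resets the explicit list but leaves the
// auto-repeat fields holding whatever the previous value put there.
void ApplyInitialBuggy(GridStyle& s) { s.trackSizes.clear(); }

// Fixed path: every attribute derived from the same property is reset together.
void ApplyInitialFixed(GridStyle& s) {
  s.trackSizes.clear();
  s.autoRepeatSizes.clear();
  s.autoRepeatInsertionPoint = 0;
}

// Number of tracks layout believes exist once auto-repeat is expanded.
size_t TrackCount(const GridStyle& s, size_t repetitions) {
  return s.trackSizes.size() + s.autoRepeatSizes.size() * repetitions;
}

// Raw track lookup. Returns nullptr where Blink's Vector::operator[] would
// CHECK-fail (i >= size()) rather than reading out of bounds.
const std::string* RawTrackSize(const GridStyle& s, size_t repetitions, size_t i) {
  const size_t autoRepeat = s.autoRepeatSizes.size() * repetitions;
  if (autoRepeat != 0 && i >= s.autoRepeatInsertionPoint) {
    if (i < s.autoRepeatInsertionPoint + autoRepeat)
      return &s.autoRepeatSizes[(i - s.autoRepeatInsertionPoint) % s.autoRepeatSizes.size()];
    i -= autoRepeat;  // explicit track placed after the repeated ones
  }
  return i < s.trackSizes.size() ? &s.trackSizes[i] : nullptr;
}

// True if walking every track, as layout does, reaches an invalid index.
bool LayoutHitsInvalidIndex(const GridStyle& s, size_t repetitions) {
  for (size_t i = 0; i < TrackCount(s, repetitions); ++i)
    if (!RawTrackSize(s, repetitions, i)) return true;
  return false;
}
```

With a stale autoRepeatSizes and an emptied trackSizes, TrackCount still reports three tracks, so the very first lookup lands in the empty explicit vector; the fixed reset path leaves nothing for layout to index.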
Comment 1 by tkent@chromium.org, May 14 2017