
Issue 730046 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Not working on Chrome any more
Closed: Jun 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression




CHECK failure: before_descendant_container->IsAnonymous() in LayoutBlock.cpp

Project Member Reported by ClusterFuzz, Jun 6 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6729400212258816

Fuzzer: bj_broddelwerk
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  before_descendant_container->IsAnonymous() in LayoutBlock.cpp
  blink::LayoutBlock::AddChildBeforeDescendant
  blink::LayoutTreeBuilderForText::CreateLayoutObject
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=477230:477239

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6729400212258816


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ranjitkan@chromium.org
Labels: -Type-Bug M-61 Test-Predator-Wrong Type-Bug-Regression
Owner: meade@chromium.org
Status: Assigned (was: Untriaged)
Predator could not find any suspected culprit:

From the regression range provided:
https://chromium.googlesource.com/chromium/src/+log/d68f294b5c23f5b973d9391007c872751cfe49b3..5f917947505fc4acadefa5eae4fd8c0249ad5d84?pretty=fuller

Suspecting below change could be a possible culprit:
https://chromium.googlesource.com/chromium/src/+/5f917947505fc4acadefa5eae4fd8c0249ad5d84

meade@: Assigning to you, kindly take a look at it. Please help us find an owner if this is not related to your change.

Thanks!
Comment 2 by ClusterFuzz (Project Member), Jun 8 2017

ClusterFuzz has detected this issue as fixed in range 477541:477555.

Detailed report: https://clusterfuzz.com/testcase?key=6729400212258816

Fuzzer: bj_broddelwerk
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  before_descendant_container->IsAnonymous() in LayoutBlock.cpp
  blink::LayoutBlock::AddChildBeforeDescendant
  blink::LayoutTreeBuilderForText::CreateLayoutObject
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=477230:477239
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=477541:477555

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6729400212258816


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 3 by ClusterFuzz (Project Member), Jun 8 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6729400212258816 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
