CHECK failure: column_index + 1 == ActualColumnCount() in MultiColumnFragmentainerGroup.cpp |
|||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6230959503704064 Fuzzer: inferno_twister Job Type: linux_debug_content_shell_drt Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: column_index + 1 == ActualColumnCount() in MultiColumnFragmentainerGroup.cpp blink::MultiColumnFragmentainerGroup::LogicalHeightInFlowThreadAt blink::MultiColumnFragmentainerGroup::FlowThreadPortionRectAt Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6230959503704064 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 13 2017
,
Jun 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ea96b6a0a3151c77d778f0ea113c9c3a7b43bdd1 commit ea96b6a0a3151c77d778f0ea113c9c3a7b43bdd1 Author: Morten Stenshorne <mstensho@opera.com> Date: Wed Jun 14 17:37:01 2017 Relax a DCHECK: Column indices out of bounds are fine here. Just let MultiColumnFragmentainerGroup::LogicalHeightInFlowThreadAt() return 0 if the column index is past the end. The last column *within* bounds will get its height clamped against the bottom of the flow thread, like before. BUG= 732030 Change-Id: Icd0c8d77f73a02b69a27f24ca70b7b0a023c28dd Reviewed-on: https://chromium-review.googlesource.com/533016 Reviewed-by: Emil A Eklund <eae@chromium.org> Commit-Queue: Morten Stenshorne <mstensho@opera.com> Cr-Commit-Position: refs/heads/master@{#479436} [add] https://crrev.com/ea96b6a0a3151c77d778f0ea113c9c3a7b43bdd1/third_party/WebKit/LayoutTests/fast/multicol/client-rect-trailing-column.html [modify] https://crrev.com/ea96b6a0a3151c77d778f0ea113c9c3a7b43bdd1/third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.cpp
,
Jun 14 2017
,
Jun 15 2017
ClusterFuzz has detected this issue as fixed in range 479432:479446. Detailed report: https://clusterfuzz.com/testcase?key=6230959503704064 Fuzzer: inferno_twister Job Type: linux_debug_content_shell_drt Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: column_index + 1 == ActualColumnCount() in MultiColumnFragmentainerGroup.cpp blink::MultiColumnFragmentainerGroup::LogicalHeightInFlowThreadAt blink::MultiColumnFragmentainerGroup::FlowThreadPortionRectAt Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393 Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=479432:479446 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6230959503704064 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. |
|||
►
Sign in to add a comment |
|||
Comment 1 by msrchandra@chromium.org
, Jun 12 2017Labels: Test-Predator-Wrong M-59
Owner: msten...@opera.com
Status: Assigned (was: Untriaged)