New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 748388 link

Starred by 1 user
Status: Duplicate
Merged: issue 531399
Owner:
msten...@opera.com
NOT IN USE
Closed: Jul 2017
Cc:
pdr@chromium.org
msrchandra@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug



Sign in to add a comment

Stack-overflow in blink::LayoutTable::UpdateLayout

Project Member Reported by ClusterFuzz, Jul 25 2017 
Detailed report: https://clusterfuzz.com/testcase?key=5637220957683712

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0xff309e20
Crash State:
  blink::LayoutTable::UpdateLayout
  blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded
  blink::LayoutBlockFlow::LayoutBlockChild
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=331388:331444

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5637220957683712


Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by msrchandra@chromium.org, Jul 25 2017

Cc: msrchandra@chromium.org
Labels: M-60 Test-Predator-Wrong
Owner: pdr@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not provide any possible suspects.
Using Code Search for the file, "LayoutTable.cpp" assigning to concern owner.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/3b825bde118a19baa2d913ed350b62656cb2abf7

@pdr -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by pdr@chromium.org, Jul 26 2017

Cc: pdr@chromium.org
Components: Blink>Layout
Labels: -OS-Linux OS-All
Owner: msten...@opera.com
Given the regression range I suspect this is the new multicolumn implementation. I found this does reproduce locally but I didn't minimize the testcase further to confirm this is multicolumn.
crash.html
2.3 KB View Download

Comment 3 by msten...@opera.com, Jul 26 2017

Mergedinto: 531399
Status: Duplicate (was: Assigned)
Here it crashes with a 5713 object deep layout tree. Mostly tables involved. I don't see any multicol.

Since the engine is recursive, and we have no maximum tree depth limit, we just run out of stack at some point.

Sign in to add a comment