Stack-overflow in blink::LayoutTable::UpdateLayout
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5637220957683712
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0xff309e20
Crash State:
  blink::LayoutTable::UpdateLayout
  blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded
  blink::LayoutBlockFlow::LayoutBlockChild
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=331388:331444
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5637220957683712

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jul 26 2017
Given the regression range I suspect this is the new multicolumn implementation. I found this does reproduce locally but I didn't minimize the testcase further to confirm this is multicolumn.
Jul 26 2017
Here it crashes with a 5713-object-deep layout tree. Mostly tables involved. I don't see any multicol. Since the engine is recursive, and we have no maximum tree depth limit, we just run out of stack at some point.
Comment 1 by msrchandra@chromium.org, Jul 25 2017
Labels: M-60 Test-Predator-Wrong
Owner: pdr@chromium.org
Status: Assigned (was: Untriaged)