CHECK failure: !curr_container->HasTransformRelatedProperty() in LayoutObject.cpp |
|||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5051218388058112 Fuzzer: marty_html_twiddler Job Type: linux_debug_chrome Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !curr_container->HasTransformRelatedProperty() in LayoutObject.cpp blink::LayoutObject::OffsetFromAncestorContainer blink::LayoutBoxModelObject::PushMappingToContainer Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=348333:348343 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5051218388058112 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Aug 22 2017
r202106 is the only graphics/paint/transform related change in regression range. Over to qiankun.miao https://chromium.googlesource.com/chromium/blink/+/be75a8c8707bf623ba717982d64681b6d9b2e94d
,
Aug 22 2017
,
Aug 23 2017
The assigned owner "qiankun.miao@intel.com" is not able to receive e-mails, please re-triage. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 23 2017
,
Aug 29 2017
The check failure is due to a table section getting a transform but not being able to act as a container for absolute positioned children. The web seems to think it's legit to transform a table element so you can do things like 45 deg rotation on headers. So best thing might be to just ignore this or modify the assertion to address this specific situation. I'm trying the latter.
,
Aug 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/de3f9d3eb77a3653510eac5eceaa5104e16b9b38 commit de3f9d3eb77a3653510eac5eceaa5104e16b9b38 Author: Stephen Chenney <schenney@chromium.org> Date: Thu Aug 31 15:40:09 2017 Make Table Sections containers when transformed We have an assert in LayoutObject::OffsetFromAncestorContainer that the current container not have a transform property. But table sections are typically not containing blocks, yet may still have a transform. Make the code match our existing rendering (which works as expected) by making table sections containing blocks for style reasons. R=chrishtr@chromium.org Bug: 753614 Change-Id: If11be56215c765707ffdb59f3fa6fc60880f7e71 Reviewed-on: https://chromium-review.googlesource.com/641644 Commit-Queue: Stephen Chenney <schenney@chromium.org> Reviewed-by: Chris Harrelson <chrishtr@chromium.org> Cr-Commit-Position: refs/heads/master@{#498873} [add] https://crrev.com/de3f9d3eb77a3653510eac5eceaa5104e16b9b38/third_party/WebKit/LayoutTests/tables/table-transform-absolute-position-child-expected.png [add] https://crrev.com/de3f9d3eb77a3653510eac5eceaa5104e16b9b38/third_party/WebKit/LayoutTests/tables/table-transform-absolute-position-child.html [modify] https://crrev.com/de3f9d3eb77a3653510eac5eceaa5104e16b9b38/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp
,
Aug 31 2017
,
Sep 1 2017
ClusterFuzz has detected this issue as fixed in range 498864:498874. Detailed report: https://clusterfuzz.com/testcase?key=5051218388058112 Fuzzer: marty_html_twiddler Job Type: linux_debug_chrome Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !curr_container->HasTransformRelatedProperty() in LayoutObject.cpp blink::LayoutObject::OffsetFromAncestorContainer blink::LayoutBoxModelObject::PushMappingToContainer Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=348333:348343 Fixed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=498864:498874 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5051218388058112 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 1 2017
ClusterFuzz testcase 5051218388058112 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Sep 1 2017
Reopening due to fix causing further problems.
,
Sep 1 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b2631f650b7d55052f7676101b22da81607096d2 commit b2631f650b7d55052f7676101b22da81607096d2 Author: Stephen Chenney <schenney@chromium.org> Date: Fri Sep 01 13:26:24 2017 Revert "Make Table Sections containers when transformed" This reverts commit de3f9d3eb77a3653510eac5eceaa5104e16b9b38. Reason for revert: Causes an unsafe typecast in LayoutObject::ContainerForFixedPosition. https://bugs.chromium.org/p/chromium/issues/detail?id=761126 Original change's description: > Make Table Sections containers when transformed > > We have an assert in LayoutObject::OffsetFromAncestorContainer that the > current container not have a transform property. But table sections are > typically not containing blocks, yet may still have a transform. Make > the code match our existing rendering (which works as expected) by > making table sections containing blocks for style reasons. > > R=chrishtr@chromium.org > > Bug: 753614 > Change-Id: If11be56215c765707ffdb59f3fa6fc60880f7e71 > Reviewed-on: https://chromium-review.googlesource.com/641644 > Commit-Queue: Stephen Chenney <schenney@chromium.org> > Reviewed-by: Chris Harrelson <chrishtr@chromium.org> > Cr-Commit-Position: refs/heads/master@{#498873} TBR=chrishtr@chromium.org,schenney@chromium.org Change-Id: Iab5f380d3f02715113dfb1dad9f7c94aec7221a1 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: 753614 Reviewed-on: https://chromium-review.googlesource.com/647766 Reviewed-by: Stephen Chenney <schenney@chromium.org> Commit-Queue: Stephen Chenney <schenney@chromium.org> Cr-Commit-Position: refs/heads/master@{#499178} [delete] https://crrev.com/415c7de5f341f6ae55bb1335507e56f278adaa50/third_party/WebKit/LayoutTests/tables/table-transform-absolute-position-child-expected.png [delete] https://crrev.com/415c7de5f341f6ae55bb1335507e56f278adaa50/third_party/WebKit/LayoutTests/tables/table-transform-absolute-position-child.html [modify] https://crrev.com/b2631f650b7d55052f7676101b22da81607096d2/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp
,
Sep 7 2017
And Edge also will transform a raw <th> element.
,
Sep 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d64652149a36c56e404c114b7f948e8f8efaba46 commit d64652149a36c56e404c114b7f948e8f8efaba46 Author: Stephen Chenney <schenney@chromium.org> Date: Fri Sep 15 20:41:32 2017 Account for table sections with transforms in geometry mapping We have an assert in LayoutObject::OffsetFromAncestorContainer that the current container not have a transform property. But table sections are typically not containing blocks, yet may still have a transform. Make the code match our existing rendering (which works as expected) by catching the case in LayoutBoxModelObject::PushMappingToContainer and using a transform for the ancestor to container offset. All this is needed because we hit subsequent asserts if the computed bounds are not internally consistent. R=chrishtr@chromium.org BUG= 753614 Change-Id: Icd70e12def629addc625781dc4b140a18ce6942a Reviewed-on: https://chromium-review.googlesource.com/648027 Commit-Queue: Stephen Chenney <schenney@chromium.org> Reviewed-by: Chris Harrelson <chrishtr@chromium.org> Cr-Commit-Position: refs/heads/master@{#502355} [add] https://crrev.com/d64652149a36c56e404c114b7f948e8f8efaba46/third_party/WebKit/LayoutTests/compositing/geometry/transformed-abs-position-inside-composited-expected.png [add] https://crrev.com/d64652149a36c56e404c114b7f948e8f8efaba46/third_party/WebKit/LayoutTests/compositing/geometry/transformed-abs-position-inside-composited-expected.txt [add] https://crrev.com/d64652149a36c56e404c114b7f948e8f8efaba46/third_party/WebKit/LayoutTests/compositing/geometry/transformed-abs-position-inside-composited.html [add] https://crrev.com/d64652149a36c56e404c114b7f948e8f8efaba46/third_party/WebKit/LayoutTests/tables/table-transform-absolute-position-child-expected.png [add] https://crrev.com/d64652149a36c56e404c114b7f948e8f8efaba46/third_party/WebKit/LayoutTests/tables/table-transform-absolute-position-child-expected.txt [add] https://crrev.com/d64652149a36c56e404c114b7f948e8f8efaba46/third_party/WebKit/LayoutTests/tables/table-transform-absolute-position-child.html [modify] https://crrev.com/d64652149a36c56e404c114b7f948e8f8efaba46/third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp [modify] https://crrev.com/d64652149a36c56e404c114b7f948e8f8efaba46/third_party/WebKit/Source/core/layout/LayoutObject.cpp [modify] https://crrev.com/d64652149a36c56e404c114b7f948e8f8efaba46/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp
,
Sep 18 2017
,
Oct 5 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a208101a4bda35b311adf13c11ff802eea8127ef commit a208101a4bda35b311adf13c11ff802eea8127ef Author: Stephen Chenney <schenney@chromium.org> Date: Thu Oct 05 21:05:20 2017 Revert "Make Table Sections containers when transformed" This reverts commit de3f9d3eb77a3653510eac5eceaa5104e16b9b38. Reason for revert: Causes an unsafe typecast in LayoutObject::ContainerForFixedPosition. https://bugs.chromium.org/p/chromium/issues/detail?id=761126 BUG= 761126 Original change's description: > Make Table Sections containers when transformed > > We have an assert in LayoutObject::OffsetFromAncestorContainer that the > current container not have a transform property. But table sections are > typically not containing blocks, yet may still have a transform. Make > the code match our existing rendering (which works as expected) by > making table sections containing blocks for style reasons. > > R=chrishtr@chromium.org > > Bug: 753614 > Change-Id: If11be56215c765707ffdb59f3fa6fc60880f7e71 > Reviewed-on: https://chromium-review.googlesource.com/641644 > Commit-Queue: Stephen Chenney <schenney@chromium.org> > Reviewed-by: Chris Harrelson <chrishtr@chromium.org> > Cr-Commit-Position: refs/heads/master@{#498873} TBR=chrishtr@chromium.org, schenney@chromium.org (cherry picked from commit b2631f650b7d55052f7676101b22da81607096d2) Change-Id: Iab5f380d3f02715113dfb1dad9f7c94aec7221a1 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: 753614 Reviewed-on: https://chromium-review.googlesource.com/647766 Reviewed-by: Stephen Chenney <schenney@chromium.org> Commit-Queue: Stephen Chenney <schenney@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#499178} Reviewed-on: https://chromium-review.googlesource.com/702954 Reviewed-by: Chris Harrelson <chrishtr@chromium.org> Cr-Commit-Position: refs/branch-heads/3202@{#600} Cr-Branched-From: fa6a5d87adff761bc16afc5498c3f5944c1daa68-refs/heads/master@{#499098} [delete] https://crrev.com/d1e6661b516321d271129f071cdad2beeb530b0d/third_party/WebKit/LayoutTests/tables/table-transform-absolute-position-child-expected.png [delete] https://crrev.com/d1e6661b516321d271129f071cdad2beeb530b0d/third_party/WebKit/LayoutTests/tables/table-transform-absolute-position-child.html [modify] https://crrev.com/a208101a4bda35b311adf13c11ff802eea8127ef/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp |
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by dtapu...@chromium.org
, Aug 21 2017