CHECK failure: i < size() in Vector.h

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4877083535998976
Fuzzer: marty_html_twiddler
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  i < size() in Vector.h
  blink::LayoutTableSection::UpdateLogicalWidthForCollapsedCells
  blink::LayoutTable::UpdateLayout
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=496775:496804
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4877083535998976

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 1 2017

Sep 1 2017

Sep 1 2017
Pretty sure this has been fixed, requesting a re-run.
Sep 6 2017
Still broken, over to dgrogan.
Sep 19 2017
Lowering Pri because it requires --enable-experimental-web-platform-features to be triggered.
Sep 28 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/dc902f206d55e0d226fb7072ad383d1c2974073f

commit dc902f206d55e0d226fb7072ad383d1c2974073f
Author: David Grogan <dgrogan@chromium.org>
Date: Thu Sep 28 22:21:16 2017

[css-tables] Fix crash in column collapsing

An off-by-one error could leave an empty spot for a cell at the end of each row in a section's grid_. The 14 existing callers of section->NumCols(row) all had null checks that effectively ignored empty cells via one of the methods below.

  section->OriginatingCellAt(r,c)
  section->GridCellAt(r,c).PrimaryCell()
  section->GridCellAt(r,c).HasCells()

I suspect the column collapsing code that exposed this is also buggy but I'll follow that up in a future patch.

Bug: 761192
Change-Id: Ifac74a0189ad50f1bcfc44343fd644d3baa12c44
Reviewed-on: https://chromium-review.googlesource.com/688752
Reviewed-by: Morten Stenshorne <mstensho@opera.com>
Commit-Queue: David Grogan <dgrogan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#505191}

[add] https://crrev.com/dc902f206d55e0d226fb7072ad383d1c2974073f/third_party/WebKit/LayoutTests/fast/table/split-effective-column-visibility-collapse-crash.html
[modify] https://crrev.com/dc902f206d55e0d226fb7072ad383d1c2974073f/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp
Sep 29 2017
ClusterFuzz has detected this issue as fixed in range 505159:505194.

Detailed report: https://clusterfuzz.com/testcase?key=4877083535998976
Fuzzer: marty_html_twiddler
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  i < size() in Vector.h
  blink::LayoutTableSection::UpdateLogicalWidthForCollapsedCells
  blink::LayoutTable::UpdateLayout
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=496775:496804
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=505159:505194
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4877083535998976

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 29 2017
ClusterFuzz testcase 4877083535998976 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by tkent@chromium.org, Sep 1 2017