Issue 800224

Issue metadata

Status: WontFix
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug-Regression


Stack-overflow in blink::FindPlaceForCounter

Reported by ClusterFuzz (Project Member), Jan 9 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6613923720855552

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Stack-overflow
Crash Address: 0x7fff5b12cc80
Crash State:
  blink::FindPlaceForCounter
  blink::MakeCounterNodeIfNeeded
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=527656:527687

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6613923720855552

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Comment 1 by ClusterFuzz (Project Member), Jan 9 2018

Components: Blink>Layout
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Jan 9 2018

Labels: Test-Predator-Auto-Owner
Owner: mstensho@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/27b18238c5924137bee2cbfe1e8fe0c124c3de9b ([LayoutNG] Detect forced breaks even when out of space.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Labels: Test-Predator-Wrong-CLs
Owner: ----
Status: Untriaged (was: Assigned)
That CL only changes LayoutNG code, which isn't enabled by default.
Comment 4 by ClusterFuzz (Project Member), Jan 9 2018

Labels: OS-Linux
Cc: brajkumar@chromium.org
Labels: -Type-Bug M-65 Type-Bug-Regression
Owner: futhark@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file "LayoutCounter.cpp", observed there were some recent changes to the file below.

Suspect CL: https://chromium.googlesource.com/chromium/src/+/d857d94a8417ca19e240eff6cec2985feb770ee1%5E%21/third_party/WebKit/Source/core/layout/LayoutCounter.cpp

futhark@ -- Could you please check whether this is caused by your change; if not, please help us assign it to the right owner.

Thanks!
Cc: e...@chromium.org
Owner: ----
Status: Available (was: Assigned)
I did add an extra stack variable pointer in FindPlaceForCounter(). The change is not in the regression changelist, so it most likely isn't that.

It might be possible to get rid of the FindPlaceForCounter -> MakeCounterIfNeeded recursion making it iterative, but I don't know.
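The comment above suggests replacing the FindPlaceForCounter -> MakeCounterNodeIfNeeded recursion with an iterative walk. The following is an added example, not Blink's code and not from anyone on this thread: a constructed stand-in `Element` tree, a mutually recursive pair modelled on the crash state (with a hypothetical depth guard, `kMaxRecursionDepth`, so the example returns an error instead of crashing), and an iterative rewrite that collects the ancestor chain on the heap and processes it root-first. The function names with `Recursive`/`Iterative` suffixes, `BuildNestedChain`, `RunRecursive` and `RunIterative` are all assumptions for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Constructed stand-in for a layout-tree element; not Blink's LayoutObject.
struct Element {
  Element* parent = nullptr;
  bool needsCounter = false;    // element declares a counter (e.g. counter-increment)
  bool counterCreated = false;  // a counter node has been created for it
};

// Recursion guard for the illustrative recursive variant; not a Blink constant.
constexpr int kMaxRecursionDepth = 4000;

int FindPlaceForCounterRecursive(Element* e, int depth);

// Mutual recursion modelled on the crash state (MakeCounterNodeIfNeeded ->
// FindPlaceForCounter -> MakeCounterNodeIfNeeded on the parent). Returns the
// number of counter nodes created, or -1 if the depth guard fires. Without the
// guard, the nesting depth chosen by the document author bounds native stack use.
int MakeCounterNodeIfNeededRecursive(Element* e, int depth) {
  if (!e) return 0;
  if (depth > kMaxRecursionDepth) return -1;
  return FindPlaceForCounterRecursive(e, depth);
}

int FindPlaceForCounterRecursive(Element* e, int depth) {
  // A counter's place depends on its ancestors' counters, so settle those first.
  int created = MakeCounterNodeIfNeededRecursive(e->parent, depth + 1);
  if (created < 0) return -1;
  if (e->needsCounter && !e->counterCreated) {
    e->counterCreated = true;
    ++created;
  }
  return created;
}

// Iterative rewrite: collect the ancestor chain in a heap-allocated vector and
// process it root-first, the same order in which the recursion unwinds. Depth is
// now bounded by available memory rather than by the thread's stack.
int MakeCounterNodeIfNeededIterative(Element* e) {
  std::vector<Element*> chain;
  for (Element* cur = e; cur; cur = cur->parent) chain.push_back(cur);
  int created = 0;
  for (auto it = chain.rbegin(); it != chain.rend(); ++it) {
    Element* cur = *it;
    if (cur->needsCounter && !cur->counterCreated) {
      cur->counterCreated = true;
      ++created;
    }
  }
  return created;
}

// Builds `depth` nested elements (each the only child of the previous one);
// every `counterEvery`-th element declares a counter. The vector owns the nodes.
std::vector<std::unique_ptr<Element>> BuildNestedChain(size_t depth, size_t counterEvery) {
  std::vector<std::unique_ptr<Element>> owner;
  owner.reserve(depth);
  Element* parent = nullptr;
  for (size_t i = 0; i < depth; ++i) {
    auto e = std::make_unique<Element>();
    e->parent = parent;
    e->needsCounter = (i % counterEvery == 0);
    parent = e.get();
    owner.push_back(std::move(e));
  }
  return owner;
}

// Run each variant on a fresh chain, starting at the deepest element (depth >= 1).
int RunRecursive(size_t depth, size_t counterEvery) {
  auto chain = BuildNestedChain(depth, counterEvery);
  return MakeCounterNodeIfNeededRecursive(chain.back().get(), 0);
}

int RunIterative(size_t depth, size_t counterEvery) {
  auto chain = BuildNestedChain(depth, counterEvery);
  return MakeCounterNodeIfNeededIterative(chain.back().get());
}

int main() {
  std::printf("shallow: recursive=%d iterative=%d\n", RunRecursive(100, 10), RunIterative(100, 10));
  std::printf("deep:    recursive=%d iterative=%d\n", RunRecursive(200000, 100), RunIterative(200000, 100));
  return 0;
}
```

On a shallow chain both variants create the same counters; on a 200,000-deep chain the guarded recursive variant gives up while the iterative one completes, which is the property a fix for a fuzzer-found stack overflow needs: work per nesting level moves from the fixed-size thread stack to the heap, where exhaustion is handled as an allocation failure rather than a crash.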

Comment 7 by e...@chromium.org, Jan 16 2018

Status: WontFix (was: Available)
Probably not worth it.
Issue 804199 has been merged into this issue.

Comment 9 by ClusterFuzz (Project Member), Jan 23 2018

Labels: Needs-Feedback
ClusterFuzz testcase 6608045219250176 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Issue 807472 has been merged into this issue.