Multiple linebreak InlineTextBoxes in one RootInlineBox
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4875093008973824
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x00000000003d
Crash State:
  blink::RootInlineBox::ClosestLeafChildForLogicalLeftPosition
  blink::LayoutBlockFlow::PositionForPoint
  blink::LayoutBlock::PositionForPointRespectingEditingBoundaries
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=470489:470517
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4875093008973824

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.

Mar 6 2018
Unable to find the actual suspect through code search and also from the provided CL under the regression range, hence adding the appropriate label and requesting someone from the layout team to look into this issue. Thanks!

Mar 6 2018 (ClusterFuzz)
Labels: Test-Predator-Auto-Components

Mar 13 2018
The stack trace contains LayoutObject::PositionForPoint(). I'll take a look.

Mar 14 2018
We got multiple line-break InlineTextBoxes in a RootInlineBox. Is this ever allowed?

LayoutBlockFlow (anonymous) 0x18a6a861ac00
* RootInlineBox 0x18a6a86588a8 LayoutBlockFlow (anonymous) 0x18a6a861ac00 {pos=762,135 size=7,19} baseline=15/10
InlineFlowBox 0x18a6a8648140 LayoutInline 0x18a6a8624790 {pos=762,135 size=0,19} baseline=15/10
InlineTextBox 0x18a6a8644610 LayoutText 0x18a6a86324a0 (0,1) "\n"
InlineTextBox 0x18a6a8644690 LayoutText 0x18a6a86328b0 (0,1) "\n"
InlineBox 0x18a6a8668218 LayoutEmbeddedObject 0x18a6a86c4010 {pos=762,0 size=7,150} baseline=150/75
InlineTextBox 0x18a6a8644590 LayoutText 0x18a6a8632980 (0,1) "\n"

Mar 19 2018
Talked to kojii@ offline. We shouldn't have more than one linebreak InlineTextBox in one RootInlineBox. This is a bug in legacy inline layout. Releasing the bug as it doesn't seem easy to fix, and doesn't seem important, either.

Apr 24 2018
ClusterFuzz has detected this issue as fixed in range 552765:552787.

Detailed report: https://clusterfuzz.com/testcase?key=4875093008973824
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x00000000003d
Crash State:
  blink::RootInlineBox::ClosestLeafChildForLogicalLeftPosition
  blink::LayoutBlockFlow::PositionForPoint
  blink::LayoutBlock::PositionForPointRespectingEditingBoundaries
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=470489:470517
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=552765:552787
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4875093008973824

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Apr 24 2018
ClusterFuzz testcase 4875093008973824 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.