Bad-cast to blink::LayoutBox from invalid vptr in blink::LayoutBlockFlow::XPositionForFloatIncludingMargin
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5914353736613888
Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x18350041c1f0
Crash State:
  Bad-cast to blink::LayoutBox from invalid vptr
  blink::LayoutBlockFlow::XPositionForFloatIncludingMargin
  blink::LayoutBlockFlow::AddOverflowFromFloats
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=531696:531702
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5914353736613888
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Apr 20 2018
wangxianzhu@ -- can you please help triage this and find the right owner? Thanks.
Apr 21 2018
Let's go through the Blink>Layout triage process.
Apr 22 2018
Add eae@ for triage.
Apr 23 2018
eae@ -- this is a high severity security issue, so please triage this on priority. Thanks.
Apr 23 2018
There are no blink or even rendering process changes in the regression range and it does not reproduce. Without either a way to reproduce or a regression range there really isn't much we can do.
Apr 24 2018
eae@: Agree that the regression range looks wrong. When you say "it does not reproduce", are you using the ClusterFuzz reproduce tool (e.g. "clusterfuzz reproduce 5914353736613888")? Loading the POC HTML in Canary (68.0.3405.0 on Windows) results in a crash; crash/a67d4ddb142aa083 with a slightly different crash stack.
Apr 24 2018
You are probably looking for a change made after 513865 (known good), but no later than 513886 (first known bad).
CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/4f31578028a9aff1f6535153d0dc0271889493dc..7a22edaa3ae7ef77e5d2499062bbccf24f1f5f1c
This looks suspect? https://chromium.googlesource.com/chromium/src/+/7a22edaa3ae7ef77e5d2499062bbccf24f1f5f1c%5E%21/#F2
Apr 24 2018
Bisecting against the continuous builds indeed shows https://chromium.googlesource.com/chromium/src/+/7a22edaa3ae7ef77e5d2499062bbccf24f1f5f1c as the culprit.
Apr 24 2018
eae@ is currently out of office. kojii@, is this something you might be able to help with?
Apr 25 2018
Assigning to culprit author. Robert, this is crashing in a bunch of places. Can you please take a look or revert.
May 1 2018
Can you please revert https://chromium-review.googlesource.com/c/chromium/src/+/1036489? I am getting conflicts due to, I think, the code move to blink/.
May 1 2018
ClusterFuzz has detected this issue as fixed in range 555009:555011.
Detailed report: https://clusterfuzz.com/testcase?key=5914353736613888
Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x18350041c1f0
Crash State:
  Bad-cast to blink::LayoutBox from invalid vptr
  blink::LayoutBlockFlow::XPositionForFloatIncludingMargin
  blink::LayoutBlockFlow::AddOverflowFromFloats
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=531696:531702
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=555009:555011
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5914353736613888
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 1 2018
Bulls-eye!
May 1 2018
We should definitely merge the revert, this is a bad regression, see list of dupes. https://chromium-review.googlesource.com/c/chromium/src/+/1036856
May 1 2018
This bug requires manual review: M67 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
May 1 2018
This is one reason why I hate two things in layout: re-layout with floats, and clearing of anonymous blocks. This is the floats one; eight years later, these UAFs are still annoying (https://trac.webkit.org/search?q=inferno+float).
May 1 2018
Good thing we're, finally, about to replace our float and clearance implementation :)
May 1 2018
govind - yep, we should revert in 67 too.
May 1 2018
Approving merge for revert to M67 branch 3396 based on comments #25 and #31. Please do revert merge ASAP so we can pick it up for this week's beta release. Thank you.
May 1 2018
Merged into 3396 as dc36611260ea8e98f26e9384b0471531bd4d331e.
Aug 7
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Apr 20 2018
Labels: Test-Predator-Auto-Components