Null-dereference READ in blink::LayoutMultiColumnFlowThread::FlowThreadDescendantWillBeRemoved

Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5916338045059072
Fuzzer: puzzor
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::LayoutMultiColumnFlowThread::FlowThreadDescendantWillBeRemoved
  blink::LayoutObject::RemoveFromLayoutFlowThreadRecursive
  blink::LayoutObject::WillBeRemovedFromTree
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=523898:523900
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5916338045059072
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
May 8 2018

May 9 2018
Before I get to the crash, I got a bunch of failing !NeedsLayout() DCHECKs. I wrote a reduction for that, and ended up with:
<!-- quirks mode required -->
<div style="columns:22mm; position:fixed;">
<video style="position:fixed;"></video>
</div>
But now it doesn't crash in multicol afterwards anymore. Need to figure out if the two problems are related or not.
May 9 2018
No, that seems unrelated. Turns out multicol isn't even required for the DCHECK failure.
<!-- Need quirks mode, though -->
<div style="position:fixed;">
<div>
<video style="position:fixed;"></video>
</div>
</div>
There's a nested flexbox generated inside the VIDEO. Reported bug 841276 for this unrelated issue.
Need to try reducing this one again, without stumbling across unrelated bugs.
May 11 2018
Here's a proper reduction. Hopefully it can be reduced further, though.
May 15 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f47b628e85e5195efc1f152c2bc7a19d20c85fa0

commit f47b628e85e5195efc1f152c2bc7a19d20c85fa0
Author: Morten Stenshorne <mstensho@chromium.org>
Date: Tue May 15 17:49:30 2018

FRAME and FRAMESET should always be in-flow (and non-floating).

Frames and framesets ignore display:none, and will render no matter what. The style adjuster would check for display != none, before attempting to adjust, and would therefore just do nothing and accept whatever. We only used to override display and position (force to "block" and "static", respectively). Additionally force "float" to "none", as framesets are really unsuitable containing blocks, since they inherit from LayoutBox rather than LayoutBlockFlow. So, putting anything exotic inside is potentially dangerous. It confused the layout engine in general, and also managed to trick the multicol machinery into treating a floated frame child of an absolutely positioned frameset parent as column content.

Bug: 840986
Change-Id: I08d2e8823c88fb3b690d71d4fac275377d082e64
Reviewed-on: https://chromium-review.googlesource.com/1059618
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Commit-Queue: Morten Stenshorne <mstensho@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558768}

[add] https://crrev.com/f47b628e85e5195efc1f152c2bc7a19d20c85fa0/third_party/WebKit/LayoutTests/fast/frames/abspos-display-none-frameset-crash.html
[add] https://crrev.com/f47b628e85e5195efc1f152c2bc7a19d20c85fa0/third_party/WebKit/LayoutTests/fast/multicol/abspos-display-none-frameset-crash.html
[modify] https://crrev.com/f47b628e85e5195efc1f152c2bc7a19d20c85fa0/third_party/blink/renderer/core/css/resolver/style_adjuster.cc
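The page below is an added example, not the original ClusterFuzz testcase and not either of the layout tests the commit adds. It reconstructs the shape the commit message describes (a multicol container, an absolutely positioned display:none frameset inside it, and a floated frame child of that frameset) and then removes the frame, since the crash stack runs through WillBeRemovedFromTree. The exact trigger in the real testcase, and the computed values expected after the fix (display:block, position:static, float:none, as the commit message says the style adjuster now forces), are assumptions drawn from that message, not something this issue states.

```html
<!DOCTYPE html>
<!-- Added example reconstructed from the commit message for f47b628e;
     not the original testcase. Structure and removal step are assumptions. -->
<div id="multicol" style="columns:2; width:200px;"></div>
<p id="result"></p>
<script>
  // The HTML parser never nests a <frameset> inside a <div>: a <frameset>
  // start tag in body replaces the body. The tree is therefore built with
  // DOM APIs so the frameset ends up as multicol content.
  const multicol = document.getElementById("multicol");
  const fs = document.createElement("frameset");
  fs.style.cssText = "position:absolute; display:none;";
  const fr = document.createElement("frame");
  fr.style.cssText = "float:left;";
  fs.appendChild(fr);
  multicol.appendChild(fs);

  // Expected post-fix values per the commit message (assumption, not a
  // statement from this issue): frames/framesets are forced to display:block,
  // position:static and float:none regardless of author styles.
  const expected = { display: "block", position: "static", float: "none" };
  const fsStyle = getComputedStyle(fs);
  const frStyle = getComputedStyle(fr);
  const actual = {
    display: fsStyle.display,
    position: fsStyle.position,
    float: frStyle.float,
  };

  // Force layout with the frameset in the tree, then remove the floated
  // frame: pre-fix builds reached FlowThreadDescendantWillBeRemoved from
  // RemoveFromLayoutFlowThreadRecursive on this path.
  document.body.offsetTop;
  fr.remove();
  document.body.offsetTop;

  const ok = Object.keys(expected).every(k => actual[k] === expected[k]);
  document.getElementById("result").textContent =
    (ok ? "PASS" : "FAIL") + " (no crash on removal); computed: " +
    JSON.stringify(actual);
</script>
```

Load the page in a pre-fix ASAN build to reproduce the null-dereference on removal; on a fixed build the page renders the PASS line and the frame's float is reported as none.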
May 15 2018

May 16 2018
ClusterFuzz has detected this issue as fixed in range 558766:558771.
Detailed report: https://clusterfuzz.com/testcase?key=5916338045059072
Fuzzer: puzzor
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::LayoutMultiColumnFlowThread::FlowThreadDescendantWillBeRemoved
  blink::LayoutObject::RemoveFromLayoutFlowThreadRecursive
  blink::LayoutObject::WillBeRemovedFromTree
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=523898:523900
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=558766:558771
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5916338045059072
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

May 16 2018
ClusterFuzz testcase 5916338045059072 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, May 8 2018
Labels: Test-Predator-Auto-Components