<ruby> with -webkit-rtl-ordering crashes during layout
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5081279545212928

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000003d
Crash State:
  blink::RootInlineBox::ClosestLeafChildForLogicalLeftPosition
  blink::NextLinePosition
  blink::NextParagraphPosition

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=481692:481741

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5081279545212928

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jun 12 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Jun 12 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/0d68039ed1d0ef19d9af8e667c9fdd6656fb0299 (Hide atomic inline elements after an ellipsis). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jun 28 2018
Would you mind taking a look at this bug xiaochengh?
Jun 29 2018
A DCHECK is hit during layout:

[1:1:0629/110516.508032:FATAL:layout_block_flow_line.cc(1188)] Check failed: resolver.GetPosition() == end_of_line.
#0 0x000003c00afc base::debug::StackTrace::StackTrace()
#1 0x000003b79a5b logging::LogMessage::~LogMessage()
#2 0x0000060caf03 blink::LayoutBlockFlow::LayoutRunsAndFloatsInRange()
#3 0x0000060c9a05 blink::LayoutBlockFlow::LayoutRunsAndFloats()
#4 0x0000060cf5eb blink::LayoutBlockFlow::LayoutInlineChildren()
#5 0x0000060acd94 blink::LayoutBlockFlow::LayoutChildren()
#6 0x0000060ac3f9 blink::LayoutBlockFlow::UpdateBlockLayout()
#7 0x00000609f246 blink::LayoutBlock::UpdateLayout()
#8 0x0000060af9c8 blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded()
#9 0x0000060afec0 blink::LayoutBlockFlow::LayoutBlockChild()
#10 0x0000060ae8ac blink::LayoutBlockFlow::LayoutBlockChildren()
#11 0x0000060acd83 blink::LayoutBlockFlow::LayoutChildren()
#12 0x0000060ac3f9 blink::LayoutBlockFlow::UpdateBlockLayout()
#13 0x00000609f246 blink::LayoutBlock::UpdateLayout()
#14 0x000006182e89 blink::LayoutRubyRun::UpdateLayout()
#15 0x0000060cf2f4 blink::LayoutBlockFlow::LayoutInlineChildren()
#16 0x0000060acd94 blink::LayoutBlockFlow::LayoutChildren()
#17 0x0000060ac3f9 blink::LayoutBlockFlow::UpdateBlockLayout()
#18 0x00000609f246 blink::LayoutBlock::UpdateLayout()
#19 0x0000060af9c8 blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded()
#20 0x0000060afec0 blink::LayoutBlockFlow::LayoutBlockChild()
#21 0x0000060ae8ac blink::LayoutBlockFlow::LayoutBlockChildren()
#22 0x0000060acd83 blink::LayoutBlockFlow::LayoutChildren()
#23 0x0000060ac3f9 blink::LayoutBlockFlow::UpdateBlockLayout()
#24 0x00000609f246 blink::LayoutBlock::UpdateLayout()
#25 0x0000060af9c8 blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded()
#26 0x0000060afec0 blink::LayoutBlockFlow::LayoutBlockChild()
#27 0x0000060ae8ac blink::LayoutBlockFlow::LayoutBlockChildren()
#28 0x0000060acd83 blink::LayoutBlockFlow::LayoutChildren()
#29 0x0000060ac3f9 blink::LayoutBlockFlow::UpdateBlockLayout()
#30 0x0000061d0510 blink::LayoutView::UpdateBlockLayout()
#31 0x00000609f246 blink::LayoutBlock::UpdateLayout()
#32 0x0000061d084a blink::LayoutView::UpdateLayout()
#33 0x000005ccf3fc blink::LocalFrameView::PerformLayout()
#34 0x000005ccd070 blink::LocalFrameView::UpdateLayout()

Minimized repro:

<ruby style="-webkit-rtl-ordering:visual">
<rtc dir="ltr" style="-webkit-rtl-ordering:logical">
<rt>b x
</rt>
</rtc>
</ruby>

Note that it doesn't repro if the newline character before the </rt> tag is removed.

Deprioritized to P3 due to usage of non-standard -webkit-rtl-ordering property.
Comment 1 by ClusterFuzz, Jun 12 2018