
Issue 855568

Issue metadata

Status: Verified
Owner:
Closed: Jun 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug


Null-dereference READ in blink::BaselineContext::FindCompatibleSharedGroup

Reported by ClusterFuzz (Project Member), Jun 22 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5209204256931840

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000000c
Crash State:
  blink::BaselineContext::FindCompatibleSharedGroup
  blink::GridBaselineAlignment::GetBaselineGroupForChild
  blink::GridBaselineAlignment::BaselineOffsetForChild
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=562405:562407

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5209204256931840

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Jun 22 2018

Labels: OS-Windows OS-Mac

Comment 2 by ClusterFuzz (Project Member), Jun 22 2018

Components: Blink>Layout
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 3 by ClusterFuzz (Project Member), Jun 22 2018

Labels: Test-Predator-Auto-Owner
Owner: jfernan...@igalia.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/6534acd9b94a260ccf88ccdfd7ab8b3859349082 ([css-grid] Baseline alignment inside the tracks sizing algorithm).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Status: Started (was: Assigned)
Bug confirmed and reproduced. Attached a simplified test case. 

The root cause is a style change on a grid item so that any of its Self Alignment properties become 'baseline'. 

We have a DCHECK to ensure items that were not participating in baseline when we compute the shared Baseline Context's offsets can't participate later in any of the layout operations of the grid.

Since changing the Self Alignment properties of a grid item doesn't imply a full-layout of the grid it belongs to, a test case like the one described in this bug report may lead to a violation of the above mentioned DCHECK.
Attachment: crash-baseline-algorithm-3.html (146 bytes)
The root cause of this issue is how we evaluate fr tracks as intrinsic-sized when the containing block has indefinite size. This situation varies before and during the track sizing algorithm, which leads to the DCHECK failure.

Attached a simpler test case.
Attachment: crash-baseline-algorithm-3.html (155 bytes)

Comment 6 by bugdroid1@chromium.org (Project Member), Jun 29 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8a1278f52ab0fee239f58b232b4fcd765e6c36d4

commit 8a1278f52ab0fee239f58b232b4fcd765e6c36d4
Author: Javier Fernandez <jfernandez@igalia.com>
Date: Fri Jun 29 08:32:25 2018

[css-grid] Compute baseline alignment offsets for each axis

Flexible tracks should be considered as content-sized if the grid is
laid out under indefinite size constraints. We only know this while
running the track sizing algorithm for each direction, hence we should
apply the same pattern for the Baseline Alignment offsets computation.

Bug: 855568
Change-Id: Icfc9f3cefc70ab87004a772ac97b60e97b97249d
Reviewed-on: https://chromium-review.googlesource.com/1113933
Commit-Queue: Javier Fernandez <jfernandez@igalia.com>
Reviewed-by: Manuel Rego Casasnovas <rego@igalia.com>
Cr-Commit-Position: refs/heads/master@{#571424}
[add] https://crrev.com/8a1278f52ab0fee239f58b232b4fcd765e6c36d4/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-self-baseline-and-flexible-tracks-should-not-crash.html
[modify] https://crrev.com/8a1278f52ab0fee239f58b232b4fcd765e6c36d4/third_party/blink/renderer/core/layout/grid_baseline_alignment.cc
[modify] https://crrev.com/8a1278f52ab0fee239f58b232b4fcd765e6c36d4/third_party/blink/renderer/core/layout/grid_baseline_alignment.h
[modify] https://crrev.com/8a1278f52ab0fee239f58b232b4fcd765e6c36d4/third_party/blink/renderer/core/layout/grid_track_sizing_algorithm.cc
[modify] https://crrev.com/8a1278f52ab0fee239f58b232b4fcd765e6c36d4/third_party/blink/renderer/core/layout/grid_track_sizing_algorithm.h
[modify] https://crrev.com/8a1278f52ab0fee239f58b232b4fcd765e6c36d4/third_party/blink/renderer/core/layout/layout_grid.cc

Status: Fixed (was: Started)
This issue should be FIXED now.

Comment 8 by ClusterFuzz (Project Member), Jun 30 2018

ClusterFuzz has detected this issue as fixed in range 571423:571424.

Detailed report: https://clusterfuzz.com/testcase?key=5209204256931840

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000000c
Crash State:
  blink::BaselineContext::FindCompatibleSharedGroup
  blink::GridBaselineAlignment::GetBaselineGroupForChild
  blink::GridBaselineAlignment::BaselineOffsetForChild
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=562405:562407
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=571423:571424

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5209204256931840

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz (Project Member), Jun 30 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5209204256931840 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.