
Issue 857266 link


Issue metadata

Status: Fixed
Owner: ----
Closed: Aug 22
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 3
Type: Bug




Stack-overflow in blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal

Reported by ClusterFuzz (Project Member), Jun 27 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6029023118098432

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7fff6e58df38
Crash State:
  blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=570790:570791

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6029023118098432

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by ClusterFuzz (Project Member), Jun 27 2018

Components: Blink>MemoryAllocator>Partition
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Jun 27 2018

Labels: Test-Predator-Auto-Owner
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/7aeceb41754fa0ff6d577a72463bbe5a6a978b8e (Fix regression that ComputeInlineBoxPosition no longer enters inline blocks).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Components: -Blink>MemoryAllocator>Partition Blink>Editing
Labels: -Pri-1 Pri-3
Owner: ----
Status: Available (was: Assigned)
Although bisection points at my patch r570791, which is correct, this is not really a regression.

Old patch r517766 caused a regression (crbug.com/856417) since M64, but it remained uncaught until recently. Then r570791 reverted it on M69.

The same crash occurs on 64.0.3273.0, which is before r517766. r517766 broke the recursion path, so the stack overflow stopped reproducing; it became reproducible again after the revert, r570791.

Since this is actually an old bug, marking it P3/Available.
Comment 4 by ClusterFuzz (Project Member), Jul 2

Labels: OS-Mac
Comment 5 by ClusterFuzz (Project Member), Aug 14

ClusterFuzz has detected this issue as fixed in range 582653:582655.

Detailed report: https://clusterfuzz.com/testcase?key=6029023118098432

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7fff6e58df38
Crash State:
  blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=570790:570791
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=582653:582655

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6029023118098432

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 6 by ClusterFuzz (Project Member), Aug 14

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 6029023118098432 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Cc: kkaluri@chromium.org xiaoche...@chromium.org harukamt@google.com
Issue 875583 has been merged into this issue.
Labels: ClusterFuzz-Wrong
Status: Available (was: Verified)
Comment 9 by bugdroid1@chromium.org (Project Member), Aug 22

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/350d547ef349b9f187ae4972280e15f3c2a762d8

commit 350d547ef349b9f187ae4972280e15f3c2a762d8
Author: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Wed Aug 22 20:34:05 2018

Break infinite recursion in AdjustBlockFlowPositionToInline

Bug: 857266
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng
Change-Id: I58c2cb9e7b2ddf90dc9609945e418b27047f1e34
Reviewed-on: https://chromium-review.googlesource.com/1184043
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#585232}
[modify] https://crrev.com/350d547ef349b9f187ae4972280e15f3c2a762d8/third_party/blink/renderer/core/editing/inline_box_position.cc

Status: Fixed (was: Available)
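As an added illustration, not Blink's code and not the change to inline_box_position.cc (which this page does not show), the toy model below reproduces the failure class named in the commit title: a position-adjustment walk that descends from a block into its inline content and, when the inline holds nothing usable, falls back to the enclosing block, which then descends into the same inline again. Every name here (Adjuster, FromBlock, FromInline, the sample trees) is hypothetical. The guarded variant records each node it enters and returns as soon as one repeats; the unguarded variant is capped by a step budget only so that it terminates here instead of overflowing the stack.

```cpp
#include <set>
#include <vector>

enum class Kind { kBlock, kInline };

// Hypothetical stand-in for a layout node (not blink::Node).
struct Node {
  explicit Node(Kind k) : kind(k) {}
  Kind kind;
  bool has_text = false;
  Node* parent = nullptr;
  std::vector<Node*> children;
  Node* AddChild(Node* c) {
    c->parent = this;
    children.push_back(c);
    return c;
  }
};

struct Outcome {
  bool found_text = false;        // walk settled on an inline with text
  int steps = 0;                  // handler invocations made
  bool cycle_broken = false;      // visited-set guard returned early
  bool budget_exhausted = false;  // unguarded walk ran away
};

// Hard cap so the unguarded variant aborts instead of overflowing the stack.
constexpr int kStepBudget = 2000;

class Adjuster {
 public:
  explicit Adjuster(bool guarded) : guarded_(guarded) {}

  Outcome Run(const Node* start) {
    Outcome out;
    const Node* end = start->kind == Kind::kBlock ? FromBlock(start, &out)
                                                   : FromInline(start, &out);
    out.found_text = end->kind == Kind::kInline && end->has_text;
    return out;
  }

 private:
  // True when the walk must stop at |n|: budget spent, or node seen before.
  bool Enter(const Node* n, Outcome* out) {
    if (++out->steps > kStepBudget) {
      out->budget_exhausted = true;
      return true;
    }
    if (guarded_ && !visited_.insert(n).second) {
      out->cycle_broken = true;
      return true;
    }
    return false;
  }

  // Block flow -> inline: descend into the first inline child, if any.
  const Node* FromBlock(const Node* block, Outcome* out) {
    if (Enter(block, out)) return block;
    for (const Node* c : block->children)
      if (c->kind == Kind::kInline) return FromInline(c, out);
    return block;  // no inline content; the block itself is the position
  }

  // Inline: settle on text, descend into a nested block, or fall back to the
  // nearest block ancestor. That fallback is the edge that closes the cycle
  // when the inline is empty: block -> empty inline -> block -> ...
  const Node* FromInline(const Node* inl, Outcome* out) {
    if (Enter(inl, out)) return inl;
    if (inl->has_text) return inl;
    for (const Node* c : inl->children)
      if (c->kind == Kind::kBlock) return FromBlock(c, out);
    for (const Node* p = inl->parent; p; p = p->parent)
      if (p->kind == Kind::kBlock) return FromBlock(p, out);
    return inl;
  }

  bool guarded_;
  std::set<const Node*> visited_;
};

// Constructed sample trees (hypothetical; not the ClusterFuzz testcase).
Outcome WalkTextInline(bool guarded) {  // <div>text</div>
  Node block(Kind::kBlock), inl(Kind::kInline);
  inl.has_text = true;
  block.AddChild(&inl);
  return Adjuster(guarded).Run(&block);
}

Outcome WalkInlineBlock(bool guarded) {  // <div><span><div>text</div></span></div>
  Node outer(Kind::kBlock), span(Kind::kInline), inner(Kind::kBlock), text(Kind::kInline);
  text.has_text = true;
  outer.AddChild(&span)->AddChild(&inner)->AddChild(&text);
  return Adjuster(guarded).Run(&outer);
}

Outcome WalkEmptyInline(bool guarded) {  // <div><span></span></div>
  Node block(Kind::kBlock), inl(Kind::kInline);
  block.AddChild(&inl);
  return Adjuster(guarded).Run(&block);
}

int main() {
  Outcome g = WalkEmptyInline(true);
  Outcome u = WalkEmptyInline(false);
  return (g.cycle_broken && u.budget_exhausted) ? 0 : 1;
}
```

A visited set is one way to break such a cycle; a depth limit, or an invariant that the fallback always moves strictly upward and never re-enters a node it came from, would also work. For a fuzzer-found stack overflow the triage question is the same either way: find the edge that lets the walk revisit a node it already handled, because unbounded recursion is a reliable renderer crash on any page that can produce that tree shape.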
