CHECK failure: !column_sets_invalidated_ in layout_flow_thread.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6738870272786432

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !column_sets_invalidated_ in layout_flow_thread.cc
  blink::LayoutFlowThread::FragmentsBoundingBox
  blink::LayoutBlockFlow::AddOverflowFromInlineChildren

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=543288:543291

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6738870272786432

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jul 31
The multicol implementation requires things to be laid out before we can calculate the outline rectangle. That doesn't seem unreasonable at all to me. We have an inline continuation. When attempting to calculate the overflow rectangle of the first anonymous block with the inline, we jump into the subsequent anonymous blocks as well, which haven't been laid out yet.
LayoutView 0x1416c9604010 #document
  LayoutBlockFlow 0x1416c9624010 HTML
    LayoutBlockFlow 0x1416c9624138 BODY
      LayoutBlockFlow 0x1416c9624260 P
        LayoutText 0x1416c9630010 #text "PASS if no crash or DCHECK failure."
*     LayoutBlockFlow (anonymous) 0x1416c9624388
        LayoutInline 0x1416c9640010 continuation=0x1416c96245d8 SPAN style="outline:auto;"
          LayoutText 0x1416c96300e0 #text "\n "
      LayoutBlockFlow (anonymous) 0x1416c96245d8 continuation=0x1416c96400d0
        LayoutBlockFlow 0x1416c96244b0 DIV style="columns:1;"
          LayoutMultiColumnFlowThread (anonymous) 0x1416c964c010
            LayoutBR 0x1416c96301b0 BR
          LayoutMultiColumnSet (anonymous) 0x1416c9650010
      LayoutBlockFlow (anonymous) 0x1416c9624700
        LayoutInline 0x1416c96400d0 SPAN style="outline:auto;"
          LayoutText 0x1416c9630280 #text "\n"
As part of doing layout on the anonymous LayoutBlockFlow marked above, when calculating overflow, we descend into children, and hit the LayoutInline. Then LayoutInline::AddOutlineRectsForContinuations() will take us into the next anonymous block, which obviously hasn't been laid out yet.
This seems so broken! Why are we adding outline rects for stuff that hasn't been laid out yet?
Aug 2
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/cdc908220ced67663a621cd5980ce6fd2b7aec5a

commit cdc908220ced67663a621cd5980ce6fd2b7aec5a
Author: Morten Stenshorne <mstensho@chromium.org>
Date: Thu Aug 02 14:30:20 2018

Don't calculate outline rects of objects that haven't been laid out yet.

When calculating the overflow rectangle while laying out an anonymous block
that's the containing block of the first part of an inline that forms a
continuation chain, we'll jump into the neighbor anonymous block that's part
of the continuation chain, to get its outline rectangles. This is a
meaningless thing to do if the blocks haven't been laid out yet. In fact, I
don't think the outlines in the neighbor continuations should be included at
all in former anonymous blocks' overflow, but all this CL does is to bail if
layout isn't up to date. Multicol generally DCHECKs that we have laid out when
someone tries to read out stuff that depends on layout.

Also cleaned up LayoutInline::AddOutlineRectsForContinuations(), to avoid
duplicate code. I suspected that the coding style checker would complain about
the missing curly braces anyway.

Bug: 863453
Change-Id: Ifeb14454c54396135927e33ec7a08e6091c20503
Reviewed-on: https://chromium-review.googlesource.com/1156403
Commit-Queue: Morten Stenshorne <mstensho@chromium.org>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Cr-Commit-Position: refs/heads/master@{#580168}

[add] https://crrev.com/cdc908220ced67663a621cd5980ce6fd2b7aec5a/third_party/WebKit/LayoutTests/fast/multicol/continuation-outline-crash.html
[modify] https://crrev.com/cdc908220ced67663a621cd5980ce6fd2b7aec5a/third_party/blink/renderer/core/layout/layout_inline.cc
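As an added illustration, not code from Blink or from the CL above, here is a toy model of the pattern Morten describes in the comment before the commit and of the bail-out the commit message states: a continuation chain whose neighbour blocks have no valid layout yet, walked once the pre-fix way (reading every neighbour) and once with an up-to-date check. All names (AnonBlock, Chain, Layout, the rect values) are invented for this model.

```cpp
// Added toy model of the bug's shape, not Blink code (all names made up here).
#include <vector>

struct Rect { int x, y, w, h; };

struct AnonBlock {                    // one block of an inline continuation chain
  bool needs_layout = true;           // cleared by Layout()
  std::vector<Rect> outline_rects;    // layout-dependent state
  AnonBlock* continuation = nullptr;  // next block in the chain
  void Layout(int y) { outline_rects.assign(1, Rect{0, y, 100, 20}); needs_layout = false; }
};

// Pre-fix shape: reads every continuation; false marks where the real CHECK fired.
bool AddOutlineRectsUnchecked(const AnonBlock* first, std::vector<Rect>* out) {
  for (const AnonBlock* b = first; b; b = b->continuation) {
    if (b->needs_layout) return false;  // neighbour read before it was laid out
    out->insert(out->end(), b->outline_rects.begin(), b->outline_rects.end());
  }
  return true;
}

// Post-fix shape (per the commit message): bail once a continuation lacks layout.
void AddOutlineRectsForContinuations(const AnonBlock* first, std::vector<Rect>* out) {
  for (const AnonBlock* b = first; b; b = b->continuation) {
    if (b->needs_layout) return;  // do not read state that is not up to date
    out->insert(out->end(), b->outline_rects.begin(), b->outline_rects.end());
  }
}

struct Chain {  // first block mid-layout (state valid), neighbours not yet laid out
  AnonBlock a, b, c;
  explicit Chain(bool neighbours_done) {
    a.continuation = &b; b.continuation = &c; a.Layout(0);
    if (neighbours_done) { b.Layout(20); c.Layout(40); }
  }
};

bool UncheckedReadTripsCheck() {  // true: the pre-fix walk would hit the CHECK
  Chain chain(false);
  std::vector<Rect> rects;
  return !AddOutlineRectsUnchecked(&chain.a, &rects);
}

int RectsCollected(bool neighbours_done) {  // 1 mid-layout, 3 once all laid out
  Chain chain(neighbours_done);
  std::vector<Rect> rects;
  AddOutlineRectsForContinuations(&chain.a, &rects);
  return static_cast<int>(rects.size());
}
```

The model only shows the ordering problem; which rects the fixed code should ultimately include, as the commit message notes, is a separate question the CL leaves open.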
Aug 3
ClusterFuzz has detected this issue as fixed in range 580166:580168.

Detailed report: https://clusterfuzz.com/testcase?key=6738870272786432

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !column_sets_invalidated_ in layout_flow_thread.cc
  blink::LayoutFlowThread::FragmentsBoundingBox
  blink::LayoutBlockFlow::AddOverflowFromInlineChildren

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=543288:543291
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=580166:580168

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6738870272786432

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 3
ClusterFuzz testcase 6738870272786432 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jul 13
Labels: Test-Predator-Auto-Components