Bad-cast to const blink::LayoutBlock from blink::LayoutEmbeddedObject in blink::BoxModelObjectPainter::PaintTextClipMask
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5187314031263744

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x105920620000
Crash State:
  Bad-cast to const blink::LayoutBlock from blink::LayoutEmbeddedObject
  blink::BoxModelObjectPainter::PaintTextClipMask
  blink::BoxPainterBase::PaintFillLayerTextFillBox

Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=589311:589315

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5187314031263744

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Sep 7
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/9177956013985e9f783b66aca45ddba78efee413 ([PE] Support float, block, table descendants for background-clip:text). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Sep 7
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6819be079703da122ed7469cd8221fe9dc96391d

commit 6819be079703da122ed7469cd8221fe9dc96391d
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Fri Sep 07 05:51:32 2018

Revert "[PE] Support float, block, table descendants for background-clip:text"

This reverts commit 9177956013985e9f783b66aca45ddba78efee413.

Reason for revert: The layout object to paint text clip might not be LayoutBlock.

Bug: 881644

Original change's description:
> [PE] Support float, block, table descendants for background-clip:text
>
> In https://chromium-review.googlesource.com/c/chromium/src/+/1197462
> we changed box_model_.Paint() to LineBoxListPainter so we no longer
> supported text clip for descendants other than inline contents.
>
> This CL calls ToLayoutBlock(box_model_).PaintObject() to support text
> clip of other descendants, and still avoid the original double paint
> offset issue of box_model_.Paint().
>
> Bug: 880825
> Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
> Change-Id: I2c4b0e23df11bf300c01f9c804fb7e7d129f3aa0
> Reviewed-on: https://chromium-review.googlesource.com/1211244
> Reviewed-by: Philip Rogers <pdr@chromium.org>
> Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#589314}

TBR=wangxianzhu@chromium.org,pdr@chromium.org

Change-Id: Id26f9f690884300fceb4bdaf3e4f3fb2aad4fc04
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 880825
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/1212483
Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#589443}

[delete] https://crrev.com/e7492cbb3c87c15a7a17b9d228a726a8e615131a/third_party/WebKit/LayoutTests/paint/background/background-clip-text-descendants-expected.html
[delete] https://crrev.com/e7492cbb3c87c15a7a17b9d228a726a8e615131a/third_party/WebKit/LayoutTests/paint/background/background-clip-text-descendants.html
[modify] https://crrev.com/6819be079703da122ed7469cd8221fe9dc96391d/third_party/blink/renderer/core/paint/box_model_object_painter.cc
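An added example, not Chromium's code, modelling the downcast the revert describes: a toy LayoutObject hierarchy (the class bodies, IsLayoutBlock() and the marker strings are constructed here) with the unchecked narrowing that UBSan's vptr check reports, beside the type-checked form a painter would need before treating box_model_ as a LayoutBlock.

```cpp
#include <string>

// Constructed toy hierarchy standing in for Blink's LayoutObject classes.
// Names mirror the report; the bodies are invented for illustration only.
class LayoutObject {
 public:
  virtual ~LayoutObject() = default;
  // Type predicate the hardened path consults before narrowing.
  virtual bool IsLayoutBlock() const { return false; }
};

class LayoutBlock : public LayoutObject {
 public:
  bool IsLayoutBlock() const override { return true; }
  // Stand-in for LayoutBlock::PaintObject(): reports which path ran.
  std::string PaintObject() const { return "block-painted"; }
};

// The object that actually reached the painter in the fuzz case; it is a
// sibling of LayoutBlock, not a subclass, so the cast below is invalid.
class LayoutEmbeddedObject : public LayoutObject {};

// Pattern of the reverted change: narrow box_model_ to LayoutBlock without
// checking its dynamic type. Built with -fsanitize=vptr this is the reported
// "Bad-cast to const LayoutBlock from LayoutEmbeddedObject"; without the
// sanitizer the call proceeds on an object whose layout is not a LayoutBlock's.
std::string PaintTextClipMaskUnchecked(const LayoutObject& box_model) {
  return static_cast<const LayoutBlock&>(box_model).PaintObject();
}

// Hardened form: narrow only after confirming the type, otherwise take a
// path that makes no LayoutBlock assumption (here just a marker string).
std::string PaintTextClipMaskChecked(const LayoutObject& box_model) {
  if (!box_model.IsLayoutBlock())
    return "generic-paint";
  return static_cast<const LayoutBlock&>(box_model).PaintObject();
}

// Drives the checked painter with each object kind (both constructed here).
// The unchecked painter is deliberately never fed a LayoutEmbeddedObject:
// that call is undefined behaviour, which is exactly the bug.
std::string PaintChecked(bool embedded) {
  LayoutBlock block;
  LayoutEmbeddedObject embed;
  const LayoutObject& obj = embedded ? static_cast<const LayoutObject&>(embed)
                                     : static_cast<const LayoutObject&>(block);
  return PaintTextClipMaskChecked(obj);
}
```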
Sep 7
ClusterFuzz has detected this issue as fixed in range 589442:589443.

Detailed report: https://clusterfuzz.com/testcase?key=5187314031263744

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x105920620000
Crash State:
  Bad-cast to const blink::LayoutBlock from blink::LayoutEmbeddedObject
  blink::BoxModelObjectPainter::PaintTextClipMask
  blink::BoxPainterBase::PaintFillLayerTextFillBox

Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=589311:589315
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=589442:589443

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5187314031263744

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 7
ClusterFuzz testcase 5187314031263744 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 14
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Sep 7
Labels: Test-Predator-Auto-Components