CHECK failure: layout_object_mapped_result.EqualWithinEpsilon(result.BoundingBox(), 1.1f) || la |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4896103620935680 Fuzzer: inferno_twister Job Type: linux_debug_chrome Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: layout_object_mapped_result.EqualWithinEpsilon(result.BoundingBox(), 1.1f) || la blink::LayoutGeometryMap::MapToAncestor blink::LayoutGeometryMap::AbsoluteRect Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=538990:538995 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4896103620935680 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Nov 19
Assigning to chrishtr@ based on this CL: https://chromium-review.googlesource.com/910116
,
Nov 19
When working on https://crbug.com/905914 I found that I could hit this reliably. Here's a minimized testcase: <!doctype html> <style> @keyframes bounceInLeft { 0% { transform: none; } } </style> <div id="container" class="bounceInLeft" style="animation-name: bounceInLeft; animation-fill-mode: forwards;"> <div id="node" style="opacity: 0.9; width: 100px; height: 100px; background: lightblue;"> <div id="descendant" style="position: absolute; width: 10px; height: 10px; background: lightgreen;"></div> </div> </div>
,
Nov 19
If the clusterfuzz regression range is correct, this is a regression from turning on CSSTypedOM.
,
Nov 19
I'm not sure my testcase in comment #3 is relevant to this bug after all. It's another bug that is a way to trigger this crash and nothing more.
,
Nov 22
I think this was fixed by https://chromium-review.googlesource.com/c/chromium/src/+/1344813. Assigning to xidachen to verify and add this testcase to any re-land.
,
Nov 22
Cannot repro this locally with ToT code, closing this.
,
Nov 28
This does not seem like a dupe of 905914 after all. Investigating the real cause now.
,
Nov 28
I can repro this locally and I think it is a real bug, unlike some other DCHECKS at this location, because the values are not extreme: "1072,144 0x0" vs "1166,144 0x0" This was probably a regression from turning on CSSOM but that's not likely to be the root cause. I've clicked minimize on the testcase to try to get a more minimized testcase to see if we can do something about this.
,
Dec 13
the problem with minimization is this testcase is flaky as per CF. [2018-11-17 03:30:38 UTC] clusterfuzz-linux-high-end-jq06: Minimize task started. [2018-11-17 03:46:17 UTC] clusterfuzz-linux-high-end-jq06: Minimize task errored out: Unable to reproduce crash reliably, skipping minimization (crashed 3/10) i can reupload testcase with higher timeout (Re-upload testcase with like 30 sec timeout).
,
Dec 13
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4812456813395968.
,
Dec 14
ClusterFuzz testcase 4812456813395968 appears to be flaky, updating reproducibility label. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by ClusterFuzz
, Nov 17Labels: Test-Predator-Auto-Components