Chromium Code Reviews
Created: 4 years ago by Gleb Lanbin
Modified: 4 years ago
CC: chromium-reviews, szager+layoutwatch_chromium.org, zoltan1, blink-reviews-layout_chromium.org, pdr+renderingwatchlist_chromium.org, eae+blinkwatch, leviw+renderwatch, jchaffraix+rendering, blink-reviews
Target Ref: refs/pending/heads/master
Project: chromium
Visibility: Public.
Description

Do not remove floating legend from inner block as it gets destroyed somewhere else.

Do not remove floating from inner block as it gets destroyed in
LayoutObject::destroyAndCleanupAnonymousWrappers.

This patch fixes clusterfuzz heap-use-after-free bugs.

ClusterFuzz Detailed reports:
https://cluster-fuzz.appspot.com/testcase?key=6339449719095296
https://cluster-fuzz.appspot.com/v2/testcase-detail/5132508879650816

BUG=671017, 670837

Committed: https://crrev.com/71ac9500f1ad978a5459991592c2d3a193b219d7
Cr-Commit-Position: refs/heads/master@{#436504}
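As an added illustration (not code from this CL, from LayoutFieldset.cpp, or from Blink), the following toy C++ model reproduces the ownership mistake the description and the review comment point at: the anonymous inner block is destroyed together with the floating legend parented inside it, and the fieldset then still falls into an `else if (innerBlock)` branch and tries to remove the legend from the dead block. The names Node, Fieldset, removeChild, Outcome and the liveObjects registry are hypothetical; the registry stands in for a heap sanitizer so the bad access is reported deterministically rather than executed as real undefined behaviour, and the real LayoutFieldset control flow is only approximated.

```cpp
// Added toy model, not Chromium code: it reproduces the ownership mistake the
// review describes (a floating legend removed from an inner block that has
// already been destroyed together with its children) and the fix's shape.
// Node, Fieldset, removeChild and the Outcome values are hypothetical names.
#include <algorithm>
#include <set>
#include <string>
#include <utility>
#include <vector>

// A minimal stand-in for a heap sanitizer: every live Node registers its
// address, and removeChild() refuses to touch an address that is no longer
// registered. (Addresses are not reused between free and check in these
// scenarios, so the registry is sufficient for the demonstration.)
static std::set<const void*>& liveObjects() {
  static std::set<const void*> live;
  return live;
}

struct Node {
  std::string name;
  std::vector<Node*> children;
  explicit Node(std::string n) : name(std::move(n)) { liveObjects().insert(this); }
  ~Node() {
    for (Node* child : children) delete child;  // a wrapper owns its children
    liveObjects().erase(this);
  }
  void appendChild(Node* child) { children.push_back(child); }
};

enum class Outcome { kRemoved, kSkipped, kUseAfterFree };

// Free function so the liveness check happens before either pointer is
// dereferenced; in real code this is where freed memory would be read.
Outcome removeChild(Node* parent, Node* child) {
  if (!liveObjects().count(parent) || !liveObjects().count(child))
    return Outcome::kUseAfterFree;
  std::vector<Node*>& kids = parent->children;
  kids.erase(std::remove(kids.begin(), kids.end(), child), kids.end());
  return Outcome::kRemoved;
}

struct Fieldset {
  Node* innerBlock = nullptr;    // anonymous wrapper for the fieldset's content
  Node* legend = nullptr;        // parented inside innerBlock when it floats
  bool legendIsFloating = false;
};

// Models the teardown named in the description: destroying the anonymous
// wrapper destroys everything under it, including the floating legend, while
// the owner's pointers are left dangling.
void destroyAndCleanupAnonymousWrappers(Fieldset& fs) {
  delete fs.innerBlock;
}

// The pre-fix flow the reviewer points at: control still reaches
// `else if (innerBlock)` and removes the legend from a destroyed block.
Outcome removeLegendBuggy(Fieldset& fs) {
  if (fs.innerBlock) return removeChild(fs.innerBlock, fs.legend);
  return Outcome::kSkipped;
}

// The fixed flow: a floating legend was destroyed with the wrapper, so the
// fieldset must not try to remove it from the inner block at all.
Outcome removeLegendFixed(Fieldset& fs) {
  if (fs.legendIsFloating) return Outcome::kSkipped;
  if (fs.innerBlock) return removeChild(fs.innerBlock, fs.legend);
  return Outcome::kSkipped;
}

Fieldset buildFieldsetWithFloatingLegend() {
  Fieldset fs;
  fs.innerBlock = new Node("anonymous inner block");
  fs.legend = new Node("floating legend");
  fs.legendIsFloating = true;
  fs.innerBlock->appendChild(fs.legend);
  return fs;
}

// Scenario 1: wrapper torn down first, then the legend removal runs.
Outcome runTeardown(bool applyFix) {
  Fieldset fs = buildFieldsetWithFloatingLegend();
  destroyAndCleanupAnonymousWrappers(fs);  // frees innerBlock and legend
  return applyFix ? removeLegendFixed(fs) : removeLegendBuggy(fs);
}

// Scenario 2: removal while the wrapper is still alive is fine either way.
Outcome runLiveRemoval() {
  Fieldset fs = buildFieldsetWithFloatingLegend();
  Outcome o = removeChild(fs.innerBlock, fs.legend);
  delete fs.innerBlock;  // no longer owns the legend
  delete fs.legend;
  return o;
}

int main() {
  return (runTeardown(false) == Outcome::kUseAfterFree &&
          runTeardown(true) == Outcome::kSkipped &&
          runLiveRemoval() == Outcome::kRemoved) ? 0 : 1;
}
```

The registry check is the toy's replacement for ASan: the buggy teardown path reports kUseAfterFree, the fixed path skips the removal because the floating legend's lifetime is already tied to the wrapper, and the live-removal scenario shows the same removeChild call is correct whenever both objects are still alive.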
Patch Set 1
Total comments: 2
Patch Set 2: fix comments

Messages
Total messages: 26 (19 generated)
glebl@chromium.org changed reviewers: + cbiesinger@chromium.org
The CQ bit was checked by glebl@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
lgtm but your description is not correct; you will still reach the else if (m_innerBlock) and thus try removing it from the inner block, right?

https://codereview.chromium.org/2552013002/diff/1/third_party/WebKit/Source/c...
File third_party/WebKit/Source/core/layout/LayoutFieldset.cpp (right):

https://codereview.chromium.org/2552013002/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/layout/LayoutFieldset.cpp:294: // Out flow positioned elements are wrapped into an anonymous
Out flow -> Out of flow
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
On 2016/12/05 21:41:26, cbiesinger wrote:
> lgtm but your description is not correct; you will still reach the else if
> (m_innerBlock) and thus try removing it from the inner block, right?

Yes. I updated the code. It passed the clusterfuzz test cases.

> https://codereview.chromium.org/2552013002/diff/1/third_party/WebKit/Source/c...
> File third_party/WebKit/Source/core/layout/LayoutFieldset.cpp (right):
>
> https://codereview.chromium.org/2552013002/diff/1/third_party/WebKit/Source/c...
> third_party/WebKit/Source/core/layout/LayoutFieldset.cpp:294: // Out flow
> positioned elements are wrapped into an anonymous
> Out flow -> Out of flow
https://codereview.chromium.org/2552013002/diff/1/third_party/WebKit/Source/c...
File third_party/WebKit/Source/core/layout/LayoutFieldset.cpp (right):

https://codereview.chromium.org/2552013002/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/layout/LayoutFieldset.cpp:294: // Out flow positioned elements are wrapped into an anonymous
On 2016/12/05 21:41:26, cbiesinger wrote:
> Out flow -> Out of flow

Done.
The CQ bit was checked by glebl@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Lgtm
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: android_n5x_swarming_rel on master.tryserver.chromium.android (JOB_FAILED, https://build.chromium.org/p/tryserver.chromium.android/builders/android_n5x_...)
The CQ bit was checked by glebl@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
The CQ bit was checked by glebl@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from cbiesinger@chromium.org Link to the patchset: https://codereview.chromium.org/2552013002/#ps20001 (title: "fix comments")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch.
Bot data: {"patchset_id": 20001, "attempt_start_ts": 1480993222704920, "parent_rev": "34781b81870c093e0ab9d7076494b7b6d2f2019c", "commit_rev": "27876870c32aa7144b9d6329863a0fc52380231d"}
Committed patchset #2 (id:20001)
Patchset 2 (id:??) landed as https://crrev.com/71ac9500f1ad978a5459991592c2d3a193b219d7
Cr-Commit-Position: refs/heads/master@{#436504}