
Issue 593252

Issue metadata

Status: Verified
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


ASSERTION FAILED: !isInherit || (state.parentNode() && state.parentStyle())

Project Member Reported by ClusterFuzz, Mar 9 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6024401708908544

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: !isInherit || (state.parentNode() && state.parentStyle())
  blink::StyleBuilder::applyProperty
  blink::StyleResolver::createAnimatableValueSnapshot
  

Minimized Testcase (0.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94Ru-6Hz-JGqN3y71zMEASTTjHtnE7dOiodppxOSSV_4TWNtFEZdSSGtIKHs1jAtTxjvKt-UrVSH7UC3ylZwWiuCmCm8Cz7OiJJXvfVXHwO8lCxaEBT56WrK7cDsS-Q6-__cb57LgQaQSs41FRD7HbjYiZBLQ

Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Cc: nyerramilli@chromium.org
Components: Blink>CSS
Labels: M-49 findit-wrong Te-Logged
Owner: r...@opera.com
Status: Assigned (was: Available)
Providing Findit info for analysis purposes:
Regression information is not available. The result is the blame information.

Author: timloh@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/33694cb8ff84f0dd002ca6ca36d29c69078d1279
Time: Sat May 17 02:17:42 2014
The CL last changed line 125 of file StyleBuilderCustom.cpp, which is stack frame 0.

Author: alancutter@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d83061c16de03312c07e32c6804c1c1f98b2caaa
Time: Tue Mar 03 00:02:34 2015
The CL last changed line 731 of file StyleResolver.cpp, which is stack frame 1.

Author: alancutter@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/39260eee1225f2a397fef72f0fc85bd129bac061
Time: Fri Jun 27 17:05:53 2014
The CL last changed line 725 of file StyleResolver.cpp, which is stack frame 2.

Author: alancutter@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d510011b8540b1163ed8c62fa24e26d8d4928d31
Time: Thu Sep 17 02:05:17 2015
The CL last changed line 109 of file StringKeyframe.cpp, which is stack frame 3.

Author: alancutter@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d510011b8540b1163ed8c62fa24e26d8d4928d31
Time: Thu Sep 17 02:05:17 2015
The CL last changed line 114 of file KeyframeEffectModel.cpp, which is stack frame 4.

Author: alancutter@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d510011b8540b1163ed8c62fa24e26d8d4928d31
Time: Thu Sep 17 02:05:17 2015
The CL last changed line 83 of file KeyframeEffectModel.cpp, which is stack frame 5.

Author: suzyh
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/c0846df098b6a1ba6487d7c351d1f3bb0d6f7690
Time: Mon Feb 29 04:36:04 2016
The CL last changed line 126 of file EffectInput.cpp, which is stack frame 6.

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-CSS

Using codesearch, I see some changes to StyleResolver.cpp in
https://chromium.googlesource.com/chromium/src/+/440a6873196cecc4f18b7b7665694ab34dd2d2a7

rune@, could you please check the above issue and help us find an owner if it's not yours.

Comment 2 by r...@opera.com, Mar 9 2016

Cc: dstockwell@chromium.org r...@opera.com
Components: Blink>Animation
Owner: alancutter@chromium.org
Attached simpler testcase.

We pass nullptr parentStyle into StyleResolverState in createAnimatableValueSnapshot which is used by applyProperty which expects the parentStyle to be non-null when applying 'inherit'.

crash.html
139 bytes View Download
Components: Blink
Labels: -cr-blink
Remove legacy label cr-blink

Comment 4 by ClusterFuzz (Project Member), Mar 21 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6496504973361152

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000058
Crash State:
  blink::StyleBuilder::applyProperty
  blink::StyleResolver::createAnimatableValueSnapshot
  blink::StringKeyframe::CSSPropertySpecificKeyframe::populateAnimatableValue
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=144946:145047

Minimized Testcase (0.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94hcATXwXxZImXdyZfEfToLABVN8IMxAl1GmyDGiNW8iHlXxcTsS6wEK276Ci_9JthapJXmfS1GAjTkLDa6uwezqEnf5qD3p-7UoRU_pclALu1QHpn5PGSS_7Q2aUYJ2F0uMbbjzE1omGZ1vyOnNdcrtPCqJQ

Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Components: -Blink
Issue 610852 has been merged into this issue.

Comment 7 by loyso@chromium.org, May 26 2016

Components: -Blink>CSS
Labels: Update-weekly
Owner: ericwilligers@chromium.org
I wonder if deferring the capturing of the compositor keyframe (the call to populateAnimatableValue) until style resolving will fix this issue.
See suggestion: https://bugs.chromium.org/p/chromium/issues/detail?id=505393#c6

Comment 9 by ClusterFuzz (Project Member), Jun 14 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 10 by ClusterFuzz (Project Member), Jun 27 2016

ClusterFuzz has detected this issue as fixed in range 402091:402095.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6496504973361152

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000058
Crash State:
  blink::StyleBuilder::applyProperty
  blink::StyleResolver::createAnimatableValueSnapshot
  blink::StringKeyframe::CSSPropertySpecificKeyframe::populateAnimatableValue
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=144946:145047
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=402091:402095

Minimized Testcase (0.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95DN2CkN_KqeUuUU-8cK5UN8URQx4w-qYrLwD_ffqK3RjVet8ccwxcNHlCVr8gFLbZP0O4ZtR3hrXI_EGDX_1T8Bdm1EQJl4KHzM92g4XP9dQZyE8zLf9-d7bX-m4oyozDygp5eeiOr3QqSr9WmO36qKwl3cA?testcase_id=6496504973361152

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 11 by r...@opera.com, Jun 28 2016

I guess I fixed this with crrev.com/91a68cd

Comment 12 by bugdroid1@chromium.org (Project Member), Jul 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f

commit 3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f
Author: alancutter <alancutter@chromium.org>
Date: Wed Jul 06 07:12:39 2016

Defer compositor keyframe snapshots until the next style resolve

Previously compositor keyframes were being captured as soon as an animation
was created. In the case of element.animate() there is not enough context
to know the correct parentStyle to use resulting in crashes
when computing "inherit" in corner case scenarios.

By deferring the compositor keyframe snapshotting until we are in a
style resolve we can pass through the correct parentStyle and avoid
the crashes.

Additionally by deferring we are able to avoid forcing a style recalc
during element.animate() of a composited property.

BUG=593252,539793,534122,587257

Review-Url: https://codereview.chromium.org/2043273002
Cr-Commit-Position: refs/heads/master@{#403861}

[add] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/LayoutTests/animations/option-opacity-inherit-crash.html
[add] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/LayoutTests/animations/universal-selector-opacity-inherit-crash-expected.html
[add] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/LayoutTests/animations/universal-selector-opacity-inherit-crash.html
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/animation/AnimationEffect.h
[delete] https://crrev.com/cf0c390214da2eeaa9407597793fb8f2ff2fda56/third_party/WebKit/Source/core/animation/DeferredLegacyStyleInterpolation.cpp
[delete] https://crrev.com/cf0c390214da2eeaa9407597793fb8f2ff2fda56/third_party/WebKit/Source/core/animation/DeferredLegacyStyleInterpolation.h
[delete] https://crrev.com/cf0c390214da2eeaa9407597793fb8f2ff2fda56/third_party/WebKit/Source/core/animation/DeferredLegacyStyleInterpolationTest.cpp
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/animation/EffectInput.cpp
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/animation/ElementAnimations.h
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/animation/InertEffect.h
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/animation/InterpolableValue.h
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/animation/Keyframe.h
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/animation/KeyframeEffectModel.cpp
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/animation/KeyframeEffectModel.h
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/animation/StringKeyframe.cpp
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/animation/StringKeyframe.h
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/animation/css/CSSAnimations.cpp
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/animation/css/CSSAnimations.h
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/core.gypi
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/css/resolver/StyleResolver.h
[modify] https://crrev.com/3ebd5c3b08a5f861d8268402f3d9d76f5d7e306f/third_party/WebKit/Source/core/inspector/InspectorAnimationAgent.cpp


Comment 13 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot