New issue
Advanced search Search tips

Issue 595597 link

Starred by 0 users

Issue metadata

Status: Verified
Owner: ----
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

ASSERTION FAILED: Cannot advance document lifecycle from PaintInvalidationClean

Project Member Reported by ClusterFuzz, Mar 17 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5161398434267136

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: Cannot advance document lifecycle from PaintInvalidationClean 
  blink::DocumentLifecycle::advanceTo
  blink::FrameView::invalidateTreeIfNeeded
  

Minimized Testcase (0.34 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96cCQxqF0KSWSpSQzXR9Rlr-87bH66KTb0uJgXkRFkg3ruVGUtoCvFBSnKml8wOkQVO1AUeNHjAOEer2sNHYdNTteN52k_Vna4_LdF3n51sc__7Cb1aUkJbSclBLUnvjGvnNU2v7eLF5gWf7-g0G1SNyr0ZGg

Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, Mar 17 2016

Components: Blink>DOM
Labels: -Pri-1 findit-for-crash Te-Logged Pri-2
Owner: jchaffraix@chromium.org
Status: Assigned (was: Available)
Suspected CLs	Regression information is not available. The result is the blame information.

Author: schenney
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/cc38cba47e5e52d233aba85deb38338d04ea9a33
Time: Tue Oct 06 17:56:08 2015
The CL last changed line 269 of file DocumentLifecycle.cpp, which is stack frame 0.

Author: wangxianzhu@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/67d6d0c6411ca326a8817a9774a1ad48c7be4b63
Time: Wed Jul 01 21:30:30 2015
The CL last changed line 1085 of file FrameView.cpp, which is stack frame 1.

Author: jchaffraix
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/29b274ba041d2d98e4b34a0ff5f054b6c7bbdf54
Time: Tue Jan 05 18:22:59 2016
The CL last changed line 359 of file LayoutPart.cpp, which is stack frame 2.

Author: jchaffraix@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/5708971d29963f0e9572c231b818b72c0e29869e
Time: Tue Feb 24 03:41:49 2015
The CL last changed line 395 of file LayoutBoxModelObject.cpp, which is stack frame 3.

Author: wangxianzhu@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/12b175fbf225cf0aa9b78f4eb1f9eac4a6fc5f3f
Time: Fri Oct 17 18:15:41 2014
The CL last changed line 1355 of file LayoutObject.cpp, which is stack frame 4.

Author: wangxianzhu
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/81c75ffdae57d4fe65db92f582721887d381feb3
Time: Wed Dec 09 03:09:53 2015
The CL last changed line 1523 of file LayoutBox.cpp, which is stack frame 5.

Author: dsinclair@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f5ea6de097cb98ed2d92b2b5a70ffbde56991dee
Time: Tue Feb 24 17:59:27 2015
The CL last changed line 346 of file LayoutBlock.cpp, which is stack frame 6.

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Layout
===================================================================================

jchaffraix@: Could you please take a look at this for https://codereview.chromium.org/406743002 and for the recent change as per Stack #2. Feel free to re-assign if this is not related.

Thanks in advance!

Comment 2 by tkent@chromium.org, Apr 27 2016

Components: -Blink>DOM Blink>Layout
Owner: ----
Status: Untriaged (was: Assigned)

Comment 3 by e...@chromium.org, May 2 2016

Components: Blink>Paint>Invalidation
Requesting regression range from clusterfuzz, will update bug once complete.

Comment 4 by e...@chromium.org, May 2 2016

No regression information available. Sigh.

Comment 6 by bokan@chromium.org, May 11 2016

Cc: e...@chromium.org
Owner: ----
Status: Untriaged (was: Assigned)
I think the regression range is wrong. I synced back to my patch (which is the first in the range) and the ASSERT fires; however, I synced back before my patch and it still fires too. In any case, my patch only deals with scrolling so it's unlikely to be causing a crash in invalidation.

Comment 7 by e...@chromium.org, May 11 2016

Status: Available (was: Untriaged)
Project Member

Comment 8 by ClusterFuzz, Jun 14 2016

ClusterFuzz has detected this issue as fixed in range 392347:392418.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5161398434267136

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  Cannot advance document lifecycle from PaintInvalidationClean to InPaintInvalida
  blink::DocumentLifecycle::advanceTo
  blink::FrameView::invalidateTreeIfNeeded
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=392347:392418

Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95fCDifPvaSibjpMnSLrFMg6tr7NQ1Uth8XDcgMRdcqhO2EdQfpr0Gbyx50VaKTAiKNJn2VdCZdgqRiMR-5uyjO2xmcs2BV0pND1eAGg2eeeuKUud0BK-vAiBX33Fi2o1ftpzKX0guKjuO_IHg3J87u5uDbrg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Jun 14 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment