svg/filters/filtered-animated-image-crash.html crashed on Linux ASAN |
Issue description
First failed build: https://build.chromium.org/p/chromium.webkit/builders/WebKit%20Linux%20ASAN/builds/24404. There is this stack trace (full log attached):

16:23:05.752 22342 worker/7 svg/filters/filtered-animated-image-crash.html crashed, (stderr lines):
16:23:05.752 22342 [4:4:0601/162303:5098766085:FATAL:DisplayItemClient.cpp(36)] Check failed: !item.value.contains(this). Short-lived DisplayItemClient: "LayoutSVGImage image". See crbug.com/570030 .
16:23:05.752 22342 #0 0x0000004868e1 __interceptor_backtrace
16:23:05.752 22342 #1 0x00000c6525f3 base::debug::StackTrace::StackTrace()
16:23:05.752 22342 #2 0x00000c68bd3c logging::LogMessage::~LogMessage()
16:23:05.752 22342 #3 0x000003f50c2b blink::DisplayItemClient::~DisplayItemClient()
16:23:05.752 22342 #4 0x0000086cf62e blink::LayoutSVGImage::~LayoutSVGImage()
16:23:05.752 22342 #5 0x000006c8bbbb blink::Node::detach()
16:23:05.752 22342 #6 0x000006ae89c3 blink::ContainerNode::detach()
16:23:05.752 22342 #7 0x000006be5789 blink::Element::detach()
16:23:05.752 22342 #8 0x0000087a1e1e blink::SVGElement::detach()
16:23:05.752 22342 #9 0x000006ae8976 blink::ContainerNode::detach()
16:23:05.752 22342 #10 0x000006be5789 blink::Element::detach()
16:23:05.752 22342 #11 0x0000087a1e1e blink::SVGElement::detach()
16:23:05.752 22342 #12 0x000006ae8976 blink::ContainerNode::detach()
16:23:05.752 22342 #13 0x000006be5789 blink::Element::detach()
16:23:05.752 22342 #14 0x000006ae8976 blink::ContainerNode::detach()
16:23:05.752 22342 #15 0x000006be5789 blink::Element::detach()
16:23:05.752 22342 #16 0x000006ae8976 blink::ContainerNode::detach()
16:23:05.752 22342 #17 0x000006b59f18 blink::Document::detach()
16:23:05.752 22342 #18 0x000007e99b4e blink::FrameLoader::prepareForCommit()
16:23:05.752 22342 #19 0x000007e9a176 blink::FrameLoader::commitProvisionalLoad()
16:23:05.752 22342 #20 0x000007e52d22 blink::DocumentLoader::finishedLoading()
16:23:05.752 22342 #21 0x000007e5696f blink::DocumentLoader::maybeLoadEmpty()
16:23:05.752 22342 #22 0x000007e56c4a blink::DocumentLoader::startLoadingMainResource()
16:23:05.752 22342 #23 0x000007e97bc7 blink::FrameLoader::startLoad()
16:23:05.752 22342 #24 0x000007e8cca1 blink::FrameLoader::load()
16:23:05.752 22342 #25 0x000005d259d9 blink::WebLocalFrameImpl::load()
16:23:05.752 22342 #26 0x000005d2614b blink::WebLocalFrameImpl::loadRequest()
16:23:05.752 22342 #27 0x00000c5ef242 content::BlinkTestRunner::OnReset()
16:23:05.752 22342 #28 0x00000c5eec73 _ZN3IPC8MessageTI23ShellViewMsg_Reset_MetaNSt3__15tupleIJEEEvE8DispatchIN7content15BlinkTestRunnerES8_vMS8_FvvEEEbPKNS_7MessageEPT_PT0_PT1_T2_
16:23:05.752 22342 #29 0x00000c5ee0de content::BlinkTestRunner::OnMessageReceived()
16:23:05.752 22342 #30 0x000009caf432 content::RenderViewImpl::OnMessageReceived()
16:23:05.752 22342 #31 0x000000e76649 IPC::MessageRouter::RouteMessage()
16:23:05.752 22342 #32 0x000000e7646d IPC::MessageRouter::OnMessageReceived()
16:23:05.752 22342 #33 0x000003ad21ff content::ChildThreadImpl::OnMessageReceived()
16:23:05.752 22342 #34 0x000000e50028 IPC::ChannelProxy::Context::OnDispatchMessage()
16:23:05.752 22342 #35 0x00000c655455 base::debug::TaskAnnotator::RunTask()
16:23:05.753 22342 #36 0x000003bf742c scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
16:23:05.753 22342 #37 0x000003bf41ce scheduler::TaskQueueManager::DoWork()
16:23:05.753 22342 #38 0x000003bf9001 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1ELm2EEEENS0_9BindStateINS0_15RunnableAdapterIMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEEEFvPS7_S8_bEJNS_7WeakPtrIS7_EES8_bEEELb1EFvvEE3RunEPNS0_13BindStateBaseE
16:23:05.753 22342 #39 0x00000c655455 base::debug::TaskAnnotator::RunTask()
16:23:05.753 22342 #40 0x00000c69b97d base::MessageLoop::RunTask()
16:23:05.753 22342 #41 0x00000c69c286 base::MessageLoop::DeferOrRunPendingTask()
16:23:05.753 22342 #42 0x00000c69d1ed base::MessageLoop::DoWork()
16:23:05.753 22342 #43 0x00000c6a3c51 base::MessagePumpDefault::Run()
16:23:05.753 22342 #44 0x00000c6f0399 base::RunLoop::Run()
16:23:05.753 22342 #45 0x00000c69a47f base::MessageLoop::Run()
16:23:05.753 22342 #46 0x000009d1cc46 content::RendererMain()
16:23:05.753 22342 #47 0x00000a892dd6 content::RunZygote()
16:23:05.753 22342 #48 0x00000a895c0e content::ContentMainRunnerImpl::Run()
16:23:05.753 22342 #49 0x00000a89205b content::ContentMain()
16:23:05.753 22342 #50 0x000000507e86 main
16:23:05.753 22342 #51 0x7f806d98076d __libc_start_main
16:23:05.753 22342 #52 0x000000447cb5 <unknown>
16:23:05.753 22342
16:23:05.753 22342 Failed to tell parent about crash.
16:23:05.753 22342 Received signal 6
16:23:05.753 22342 #0 0x0000004868e1 __interceptor_backtrace
16:23:05.753 22342 #1 0x00000c65166a base::debug::(anonymous namespace)::StackDumpSignalHandler()
16:23:05.753 22342 #2 0x7f806e17bcb0 <unknown>
16:23:05.753 22342 #3 0x7f806d9950d5 gsignal
16:23:05.753 22342 #4 0x7f806d99883b abort
16:23:05.753 22342 #5 0x00000c6501ca base::debug::BreakDebugger()
16:23:05.753 22342 #6 0x00000c68c2ad logging::LogMessage::~LogMessage()
16:23:05.753 22342 #7 0x000003f50c2b blink::DisplayItemClient::~DisplayItemClient()
16:23:05.753 22342 #8 0x0000086cf62e blink::LayoutSVGImage::~LayoutSVGImage()
16:23:05.753 22342 #9 0x000006c8bbbb blink::Node::detach()
16:23:05.753 22342 #10 0x000006ae89c3 blink::ContainerNode::detach()
16:23:05.753 22342 #11 0x000006be5789 blink::Element::detach()
16:23:05.753 22342 #12 0x0000087a1e1e blink::SVGElement::detach()
16:23:05.753 22342 #13 0x000006ae8976 blink::ContainerNode::detach()
16:23:05.753 22342 #14 0x000006be5789 blink::Element::detach()
16:23:05.753 22342 #15 0x0000087a1e1e blink::SVGElement::detach()
16:23:05.753 22342 #16 0x000006ae8976 blink::ContainerNode::detach()
16:23:05.753 22342 #17 0x000006be5789 blink::Element::detach()
16:23:05.753 22342 #18 0x000006ae8976 blink::ContainerNode::detach()
16:23:05.753 22342 #19 0x000006be5789 blink::Element::detach()
16:23:05.753 22342 #20 0x000006ae8976 blink::ContainerNode::detach()
16:23:05.753 22342 #21 0x000006b59f18 blink::Document::detach()
16:23:05.753 22342 #22 0x000007e99b4e blink::FrameLoader::prepareForCommit()
16:23:05.753 22342 #23 0x000007e9a176 blink::FrameLoader::commitProvisionalLoad()
16:23:05.753 22342 #24 0x000007e52d22 blink::DocumentLoader::finishedLoading()
16:23:05.753 22342 #25 0x000007e5696f blink::DocumentLoader::maybeLoadEmpty()
16:23:05.753 22342 #26 0x000007e56c4a blink::DocumentLoader::startLoadingMainResource()
16:23:05.753 22342 #27 0x000007e97bc7 blink::FrameLoader::startLoad()
16:23:05.754 22342 #28 0x000007e8cca1 blink::FrameLoader::load()
16:23:05.754 22342 #29 0x000005d259d9 blink::WebLocalFrameImpl::load()
16:23:05.754 22342 #30 0x000005d2614b blink::WebLocalFrameImpl::loadRequest()
16:23:05.754 22342 #31 0x00000c5ef242 content::BlinkTestRunner::OnReset()
16:23:05.754 22342 #32 0x00000c5eec73 _ZN3IPC8MessageTI23ShellViewMsg_Reset_MetaNSt3__15tupleIJEEEvE8DispatchIN7content15BlinkTestRunnerES8_vMS8_FvvEEEbPKNS_7MessageEPT_PT0_PT1_T2_
16:23:05.754 22342 #33 0x00000c5ee0de content::BlinkTestRunner::OnMessageReceived()
16:23:05.754 22342 #34 0x000009caf432 content::RenderViewImpl::OnMessageReceived()
16:23:05.754 22342 #35 0x000000e76649 IPC::MessageRouter::RouteMessage()
16:23:05.767 22342 #36 0x000000e7646d IPC::MessageRouter::OnMessageReceived()
16:23:05.767 22342 #37 0x000003ad21ff content::ChildThreadImpl::OnMessageReceived()
16:23:05.767 22342 #38 0x000000e50028 IPC::ChannelProxy::Context::OnDispatchMessage()
16:23:05.767 22342 #39 0x00000c655455 base::debug::TaskAnnotator::RunTask()
16:23:05.767 22342 #40 0x000003bf742c scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
16:23:05.767 22342 #41 0x000003bf41ce scheduler::TaskQueueManager::DoWork()
16:23:05.767 22342 #42 0x000003bf9001 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1ELm2EEEENS0_9BindStateINS0_15RunnableAdapterIMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEEEFvPS7_S8_bEJNS_7WeakPtrIS7_EES8_bEEELb1EFvvEE3RunEPNS0_13BindStateBaseE
16:23:05.767 22342 #43 0x00000c655455 base::debug::TaskAnnotator::RunTask()
16:23:05.767 22342 #44 0x00000c69b97d base::MessageLoop::RunTask()
16:23:05.767 22342 #45 0x00000c69c286 base::MessageLoop::DeferOrRunPendingTask()
16:23:05.767 22342 #46 0x00000c69d1ed base::MessageLoop::DoWork()
16:23:05.767 22342 #47 0x00000c6a3c51 base::MessagePumpDefault::Run()
16:23:05.767 22342 #48 0x00000c6f0399 base::RunLoop::Run()
16:23:05.767 22342 #49 0x00000c69a47f base::MessageLoop::Run()
16:23:05.767 22342 #50 0x000009d1cc46 content::RendererMain()
16:23:05.767 22342 #51 0x00000a892dd6 content::RunZygote()
16:23:05.767 22342 #52 0x00000a895c0e content::ContentMainRunnerImpl::Run()
16:23:05.767 22342 #53 0x00000a89205b content::ContentMain()
16:23:05.767 22342 #54 0x000000507e86 main
16:23:05.767 22342 #55 0x7f806d98076d __libc_start_main
16:23:05.767 22342 #56 0x000000447cb5 <unknown>
16:23:05.767 22342 r8: 0000000000000000 r9: 0000000000500000 r10: 0000000000000008 r11: 0000000000000202
16:23:05.767 22342 r12: 00007f80681fc2e0 r13: 0000000000000000 r14: 00007f80681fc000 r15: 00007f8068148840
16:23:05.767 22342 di: 0000000000000004 si: 0000000000000004 bp: 00007fff4ade3a30 bx: 00007fff4ade3a40
16:23:05.767 22342 dx: 0000000000000006 ax: 0000000000000000 cx: ffffffffffffffff sp: 00007fff4ade38f8
16:23:05.767 22342 ip: 00007f806d9950d5 efl: 0000000000000202 cgf: 0000000000000033 erf: 0000000000000000
16:23:05.767 22342 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
16:23:05.767 22342 [end of stack trace]
16:23:05.781 22243 [39182/41314] svg/filters/filtered-animated-image-crash.html failed unexpectedly (renderer crashed)
16:23:05.773 22342 worker/7 killing primary driver
16:23:05.775 22342 worker/7 killing secondary driver
16:23:05.776 22342 worker/7 svg/filters/filtered-animated-image-crash.html failed:
16:23:05.776 22342 worker/7 renderer crashed

Assigning to wangxianzhu@chromium.org due to the mention of DisplayItemClient in the stack trace and the https://chromium.googlesource.com/chromium/src/+/53559da8fd5faa99d30a00eadbc6da3aebbde2b1 in the blamelist.
Jun 3 2016
This is a side-effect of my DisplayItemClient aliveness-tracking patch: it finds PaintControllers that are not committed before being destructed.
This happens in SVGImagePainter when painting an animated image with filter. The filter effect is begun but not ended because the LayoutSVGImage is invalidated during painting:
#0 blink::LayoutSVGResourceFilter::removeClientFromCache (this=0x2c7b55c24010, client=0x2c7b55c44010,
markForInvalidation=true) at ../../third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceFilter.cpp:80
#1 0x00000000058a8b96 in blink::removeFromCacheAndInvalidateDependencies (object=0x2c7b55c44010, needsLayout=false)
at ../../third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceContainer.cpp:270
#2 0x00000000058a86cb in blink::LayoutSVGResourceContainer::markForLayoutAndParentResourceInvalidation (
object=0x2c7b55c44010, needsLayout=false)
at ../../third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceContainer.cpp:313
#3 0x000000000589f50b in blink::LayoutSVGImage::imageChanged (this=0x2c7b55c44010)
at ../../third_party/WebKit/Source/core/layout/svg/LayoutSVGImage.cpp:147
#4 0x000000000578e8eb in blink::LayoutObject::imageChanged (this=0x2c7b55c44010, image=0x33394e22f398, rect=0x0)
at ../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:3224
#5 0x00000000052b4e39 in blink::ImageResource::notifyObservers (this=0x33394e22f398, changeRect=0x0)
at ../../third_party/WebKit/Source/core/fetch/ImageResource.cpp:309
#6 0x00000000052b5618 in blink::ImageResource::animationAdvanced (this=0x33394e22f398, image=0x2ed20d980550)
at ../../third_party/WebKit/Source/core/fetch/ImageResource.cpp:472
#7 0x00000000036672e0 in blink::BitmapImage::internalAdvanceAnimation (this=0x2ed20d980550, skippingFrames=false)
at ../../third_party/WebKit/Source/platform/graphics/BitmapImage.cpp:604
#8 0x0000000003666aa6 in blink::BitmapImage::startAnimation (this=0x2ed20d980550,
catchUpIfNecessary=blink::Image::CatchUp) at ../../third_party/WebKit/Source/platform/graphics/BitmapImage.cpp:506
#9 0x00000000036664b7 in blink::BitmapImage::draw (this=0x2ed20d980550, canvas=0x302eaa96a620, paint=...,
dstRect=..., srcRect=..., shouldRespectImageOrientation=blink::DoNotRespectImageOrientation,
clampMode=blink::Image::ClampImageToSourceRect)
at ../../third_party/WebKit/Source/platform/graphics/BitmapImage.cpp:282
#10 0x000000000368a30c in blink::GraphicsContext::drawImage (this=0x2ed20d8bc1b0, image=0x2ed20d980550, dest=...,
srcPtr=0x7fffd7a44a58, op=SkXfermode::kSrcOver_Mode,
shouldRespectImageOrientation=blink::DoNotRespectImageOrientation)
at ../../third_party/WebKit/Source/platform/graphics/GraphicsContext.cpp:764
#11 0x00000000055d7ae6 in blink::SVGImagePainter::paintForeground (this=0x7fffd7a44ca0, paintInfo=...)
at ../../third_party/WebKit/Source/core/paint/SVGImagePainter.cpp:70
#12 0x00000000055d771b in blink::SVGImagePainter::paint (this=0x7fffd7a44ca0, paintInfo=...)
at ../../third_party/WebKit/Source/core/paint/SVGImagePainter.cpp:40
#13 0x000000000589f2a1 in blink::LayoutSVGImage::paint (this=0x2c7b55c44010, paintInfo=...)
Then SVGFilterPainter::finishEffect() can't find the filter of the LayoutSVGImage, so it skips SVGFilterRecordingContext::endContent(), causing the PaintController not to be committed.
pdr@ is this a valid situation? If yes, I will modify the aliveness-tracking code to tolerate this situation. Otherwise I will add a DCHECK in ~PaintController to fail if not committed.
Jun 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8869774caff4ff15a7f3712a0ea7e616e3c8ed40

commit 8869774caff4ff15a7f3712a0ea7e616e3c8ed40
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Fri Jun 03 03:27:37 2016

Handle uncommitted PaintController in DisplayItemClient aliveness tracking

crbug.com/616700 is a case where PaintController is not committed before being destructed. Recent crash reports [1] also show crashes in DisplayItemClient::~DisplayItemClient() not during painting, indicating that we may have an uncommitted PaintController when painting finishes.

Though an uncommitted PaintController might still be a problem, this patch tolerates the situation in DisplayItemClient aliveness tracking by clearing the should-keep-alive registry when PaintController is destructed and after a synchronized painting.

[1] https://crash/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ADisplayItemClient%3A%3A~DisplayItemClient%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D&stbtiq=&reportid=aa1bbf9c00000000&index=3#0

BUG=609218, 616700
Review-Url: https://codereview.chromium.org/2027333004
Cr-Commit-Position: refs/heads/master@{#397616}

[modify] https://crrev.com/8869774caff4ff15a7f3712a0ea7e616e3c8ed40/third_party/WebKit/Source/core/frame/FrameView.cpp
[modify] https://crrev.com/8869774caff4ff15a7f3712a0ea7e616e3c8ed40/third_party/WebKit/Source/platform/graphics/paint/DisplayItemClient.cpp
[modify] https://crrev.com/8869774caff4ff15a7f3712a0ea7e616e3c8ed40/third_party/WebKit/Source/platform/graphics/paint/DisplayItemClient.h
[modify] https://crrev.com/8869774caff4ff15a7f3712a0ea7e616e3c8ed40/third_party/WebKit/Source/platform/graphics/paint/PaintController.h
Jun 3 2016
Re: comment #2, it is not a valid situation and you found a gross bug. Please add the DCHECK and leave this test crashing. I'll take a closer look.
Jun 3 2016
Here's what's happening:
1) SVGImagePainter begins painting an animated gif
2) BitmapImage::draw gets called for the animated gif
3) After drawing the gif, BitmapImage::draw kicks the animation timeline forward
4) If the timing is just right, this synchronously starts a new frame and all image observers are notified.
5) LayoutObject::imageChanged is called which frees the svg filter resource in the middle of painting and leads to this strange situation.
We shouldn't have layout invalidation occurring during paint so this may be a more general bug.
Jun 5 2016
See also: Issue 426882 and Issue 505444. Regards, /the bug database
Jun 6 2016
Issue 426882 has been merged into this issue.
Jun 6 2016
I think this bug may also be the source of painting with invalid layout that we have always had trouble tracking down. This bug definitely affects html too.
Jun 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/45eef1a2a0f721e6782c4c92b28de3835f94ec46

commit 45eef1a2a0f721e6782c4c92b28de3835f94ec46
Author: pdr <pdr@chromium.org>
Date: Mon Jun 06 22:33:28 2016

Prevent synchronous image change notifications during paint

Image changed notifications are used by animated images to notify LayoutObject clients that they need to repaint. These notifications typically result in paint invalidations. Animated bitmap images have some logic[1] to handle "falling behind" which would synchronously fire image changed notifications during paint. This results in missed paint invalidations as well as a changing layout tree out from under the paint system.

This patch moves the synchronous image change notifications to an immediate task which occurs after paint has completed.

[1] When painting animated gifs on a heavily loaded system (or a debug build), pauses in the system can cause the animation to get behind. When this happens, we want to advance the animation and catch-up but prevent the next frame from using the same catch-up logic which could get us in an infinite catch-up loop.

BUG= 616700
Review-Url: https://codereview.chromium.org/2038243002
Cr-Commit-Position: refs/heads/master@{#398147}

[modify] https://crrev.com/45eef1a2a0f721e6782c4c92b28de3835f94ec46/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/45eef1a2a0f721e6782c4c92b28de3835f94ec46/third_party/WebKit/Source/core/layout/LayoutObject.cpp
[modify] https://crrev.com/45eef1a2a0f721e6782c4c92b28de3835f94ec46/third_party/WebKit/Source/platform/graphics/BitmapImage.cpp
[modify] https://crrev.com/45eef1a2a0f721e6782c4c92b28de3835f94ec46/third_party/WebKit/Source/platform/graphics/BitmapImage.h
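The step-by-step explanation pdr@ gives above and the commit message just above reduce to one re-entrancy hazard: an observer callback fired from inside a phase that is not re-entrant (paint) tears down state that the phase still needs, and because finishEffect() re-looks-up the filter instead of failing, the damage is silent. The model below is an added example, not Blink code and not code from either patch on this bug; every type and function in it (PaintState, PaintController, drawAnimatedImage, paintWithFilter, runPaint) is a hypothetical stand-in for the classes named in the traces. It runs the same paint twice, once with the notification delivered synchronously from draw (the bug) and once with it queued to a task that runs after paint (the fix), and its PaintController destructor records the kind of check that the later commit on this bug adds to ~PaintController.

```cpp
// Added illustrative model of the re-entrancy bug discussed in this issue.
// Not Blink code: every name here is a hypothetical stand-in for the classes
// in the traces (SVGImagePainter, BitmapImage, LayoutSVGResourceFilter, ...).
#include <cstdio>
#include <functional>
#include <initializer_list>
#include <string>
#include <unordered_map>
#include <vector>

enum class NotifyPolicy { Synchronous, DeferredToTask };

struct PaintResult {
    bool committed = false;               // finishEffect() reached endContent()
    bool destroyedUncommitted = false;    // ~PaintController saw uncommitted items
    bool invalidatedDuringPaint = false;  // observer ran while painting
    bool invalidatedAfterPaint = false;   // observer ran from the post-paint task
};

// Stand-in for the PaintController owned by the filter recording context.
// Its destructor performs the check the later patch adds: a controller must
// not be destroyed while holding display items that were never committed.
struct PaintController {
    bool hasNewItems = false;
    PaintResult* result;
    explicit PaintController(PaintResult* r) : result(r) {}
    void recordItem() { hasNewItems = true; }
    void commitNewDisplayItems() { hasNewItems = false; result->committed = true; }
    ~PaintController() { if (hasNewItems) result->destroyedUncommitted = true; }
};

// Filter resources keyed by client name; erasing an entry models
// LayoutSVGResourceFilter::removeClientFromCache() during imageChanged().
using FilterCache = std::unordered_map<std::string, int>;
using TaskQueue = std::vector<std::function<void()>>;

struct PaintState {
    bool painting = false;
    FilterCache filters;
    TaskQueue postPaintTasks;
    PaintResult result;
};

// Observer side of LayoutObject::imageChanged(): invalidate the client, which
// drops its cached filter resource. Records whether this happened mid-paint.
static void imageChanged(PaintState& s, const std::string& client) {
    s.filters.erase(client);
    if (s.painting) s.result.invalidatedDuringPaint = true;
    else s.result.invalidatedAfterPaint = true;
}

// Stand-in for BitmapImage::draw(): rasterize, then advance the animation.
// If the animation fell behind, observers are told a new frame is available.
static void drawAnimatedImage(NotifyPolicy policy, PaintState& s, PaintController& ctrl,
                              const std::string& client) {
    ctrl.recordItem();             // the drawn frame becomes a display item
    const bool fellBehind = true;  // assumption: the timing is "just right"
    if (!fellBehind) return;
    auto notify = [&s, client] { imageChanged(s, client); };
    if (policy == NotifyPolicy::Synchronous)
        notify();                            // the bug: layout invalidated mid-paint
    else
        s.postPaintTasks.push_back(notify);  // the fix: notify once paint is done
}

// Stand-in for SVGImagePainter::paint() with a filter: prepareEffect(), draw,
// finishEffect(). finishEffect() looks the filter up again and only reaches
// endContent() (here: commit) if the filter is still registered for the client.
static void paintWithFilter(NotifyPolicy policy, PaintState& s, const std::string& client) {
    s.painting = true;
    if (s.filters.count(client)) {          // prepareEffect() found the filter
        PaintController ctrl(&s.result);    // recording context for the filter
        drawAnimatedImage(policy, s, ctrl, client);
        if (s.filters.count(client))        // finishEffect(): filter still there?
            ctrl.commitNewDisplayItems();   // endContent()
    }                                       // ~PaintController runs here
    s.painting = false;
}

PaintResult runPaint(NotifyPolicy policy) {
    PaintState s;
    s.filters["LayoutSVGImage image"] = 1;  // constructed sample client + filter
    paintWithFilter(policy, s, "LayoutSVGImage image");
    for (auto& task : s.postPaintTasks) task();  // the post-paint "immediate task"
    s.postPaintTasks.clear();
    return s.result;
}

int main() {
    for (auto policy : {NotifyPolicy::Synchronous, NotifyPolicy::DeferredToTask}) {
        PaintResult r = runPaint(policy);
        std::printf("%s: committed=%d destroyedUncommitted=%d duringPaint=%d afterPaint=%d\n",
                    policy == NotifyPolicy::Synchronous ? "synchronous" : "deferred",
                    r.committed, r.destroyedUncommitted, r.invalidatedDuringPaint,
                    r.invalidatedAfterPaint);
    }
    return 0;
}
```

The design point worth taking from the model: deferring the notification does not make imageChanged() itself any safer, it only moves the call to a point where the paint scope is already closed and the filter lookup in finishEffect() can no longer go stale. The destructor check is the second half of the fix, because it turns the silent skip of endContent() into a failure at the point where the invariant is violated rather than a crash much later in DisplayItemClient::~DisplayItemClient().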
Jun 7 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/787e6f742e9fe37f41338c55b1a90c4b16df7c94

commit 787e6f742e9fe37f41338c55b1a90c4b16df7c94
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Tue Jun 07 05:30:28 2016

Check new display item list committed when destructing PaintController

BUG= 616700
Review-Url: https://codereview.chromium.org/2038873002
Cr-Commit-Position: refs/heads/master@{#398236}

[modify] https://crrev.com/787e6f742e9fe37f41338c55b1a90c4b16df7c94/third_party/WebKit/Source/platform/graphics/paint/PaintController.h
Jun 7 2016
Woohoo, go team

Comment 1 by bugdroid1@chromium.org, Jun 2 2016