
Issue 623798

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




FATAL:LayoutObject.cpp(3193)] Check failed: document().lifecycle().state() != DocumentLifecycle::LifecycleState::InPaint

Project Member Reported by ukai@chromium.org, Jun 28 2016

Issue description

Version: 53.0.2781.0 (Developer Build) (64-bit) with dcheck_always_on=1
OS: Linux

What steps will reproduce the problem?
(1) inbox.google.com
(2)
(3)

What is the expected output?

What do you see instead?

Sometimes, the render process crashed.
[1:1:0628/102116:FATAL:LayoutObject.cpp(3193)] Check failed: document().lifecycle().state() != DocumentLifecycle::LifecycleState::InPaint.
#0 0x7ffff7c961ee base::debug::StackTrace::StackTrace()
#1 0x7ffff7cb6d7b logging::LogMessage::~LogMessage()
#2 0x7fffeaa4081a blink::LayoutObject::imageChanged()
#3 0x7fffea6ec4d5 blink::ImageResource::notifyObservers()
#4 0x7ffff2674816 blink::BitmapImage::internalAdvanceAnimation()
#5 0x7ffff2673fa3 blink::BitmapImage::startAnimation()
#6 0x7ffff26739ed blink::BitmapImage::draw()
#7 0x7ffff268c5df blink::GraphicsContext::drawImage()
#8 0x7fffea8ce42b blink::ImagePainter::paintIntoRect()
#9 0x7fffea8cdf40 blink::ImagePainter::paintReplaced()
#10 0x7fffeaa194de blink::LayoutImage::paintReplaced()
#11 0x7fffea90755f blink::ReplacedPainter::paint()
#12 0x7fffeaa4785e blink::LayoutReplaced::paint()
#13 0x7fffea8ccfd6 blink::ImagePainter::paint()
#14 0x7fffeaa194ee blink::LayoutImage::paint()
#15 0x7fffea8de249 blink::ObjectPainter::paintAllPhasesAtomically()
#16 0x7fffea8b527d blink::BlockPainter::paintChildrenOfFlexibleBox()
#17 0x7fffea8b597d blink::BlockPainter::paintObject()
#18 0x7fffea9a2a3e blink::LayoutBlock::paintObject()
#19 0x7fffea8b4a2f blink::BlockPainter::paint()
#20 0x7fffea9a2a1e blink::LayoutBlock::paint()
#21 0x7fffea8f566f blink::PaintLayerPainter::paintFragmentWithPhase()
#22 0x7fffea8f57e0 blink::PaintLayerPainter::paintForegroundForFragmentsWithPhase()
#23 0x7fffea8f44e9 blink::PaintLayerPainter::paintForegroundForFragments()
#24 0x7fffea8f36d6 blink::PaintLayerPainter::paintLayerContents()
#25 0x7fffea8f26c4 blink::PaintLayerPainter::paintLayerContentsAndReflection()
#26 0x7fffea8f1b38 blink::PaintLayerPainter::paintLayer()
#27 0x7fffea8f42ab blink::PaintLayerPainter::paintChildren()
#28 0x7fffea8f3723 blink::PaintLayerPainter::paintLayerContents()
#29 0x7fffeaaaf32a blink::CompositedLayerMapping::doPaintTask()
#30 0x7fffeaab01ad blink::CompositedLayerMapping::paintContents()
#31 0x7ffff2690701 blink::GraphicsLayer::paintWithoutCommit()
#32 0x7ffff2690227 blink::GraphicsLayer::paint()
#33 0x7fffea744864 blink::FrameView::synchronizedPaintRecursively()
#34 0x7fffea7448db blink::FrameView::synchronizedPaintRecursively()
#35 0x7fffea7448db blink::FrameView::synchronizedPaintRecursively()
#36 0x7fffea7448db blink::FrameView::synchronizedPaintRecursively()
#37 0x7fffea7448db blink::FrameView::synchronizedPaintRecursively()
#38 0x7fffea7448db blink::FrameView::synchronizedPaintRecursively()
#39 0x7fffea744184 blink::FrameView::synchronizedPaint()
#40 0x7fffea743693 blink::FrameView::updateLifecyclePhasesInternal()
#41 0x7fffea89134a blink::PageAnimator::updateAllLifecyclePhases()
#42 0x7ffff242e88f blink::WebViewImpl::updateAllLifecyclePhases()
#43 0x7ffff5dce141 content::RenderWidgetCompositor::UpdateLayerTreeHost()
#44 0x7ffff49b2476 cc::ProxyMain::BeginMainFrame()
#45 0x7ffff49c5b81 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1EEEENS0_9BindStateINS0_15RunnableAdapterIMN2cc9ProxyMainEFvSt10unique_ptrINS6_28BeginMainFrameAndCommitStateESt14default_deleteIS9_EEEEEFvPS7_SC_EJRNS_7WeakPtrIS7_EENS0_13PassedWrapperISC_EEEEELb1EFvvEE3RunEPNS0_13BindStateBaseE
#46 0x7ffff7c97429 base::debug::TaskAnnotator::RunTask()
#47 0x7fffedab89b7 scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#48 0x7fffedab7735 scheduler::TaskQueueManager::DoWork()
#49 0x7ffff7c97429 base::debug::TaskAnnotator::RunTask()
#50 0x7ffff7cc1685 base::MessageLoop::RunTask()
#51 0x7ffff7cc19b8 base::MessageLoop::DeferOrRunPendingTask()
#52 0x7ffff7cc1d4b base::MessageLoop::DoWork()
#53 0x7ffff7cc367e base::MessagePumpDefault::Run()
#54 0x7ffff7cc1171 base::MessageLoop::RunHandler()
#55 0x7ffff7cf0290 base::RunLoop::Run()
#56 0x7ffff7cc01a0 base::MessageLoop::Run()
#57 0x7ffff5e7bc0c content::RendererMain()
#58 0x7ffff5f8f96e content::RunZygote()
#59 0x7ffff5f90212 content::RunNamedProcessTypeMain()
#60 0x7ffff5f90c63 content::ContentMainRunnerImpl::Run()
#61 0x7ffff5f8f530 content::ContentMain()

Received signal 6
#0 0x7ffff7c95d77 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#1 0x7fffeffb8330 <unknown>
#2 0x7fffee97bc37 gsignal
#3 0x7fffee97f028 abort
#4 0x7ffff7c94662 base::debug::BreakDebugger()
#5 0x7ffff7cb703a logging::LogMessage::~LogMessage()
#6 0x7fffeaa4081a blink::LayoutObject::imageChanged()
#7 0x7fffea6ec4d5 blink::ImageResource::notifyObservers()
#8 0x7ffff2674816 blink::BitmapImage::internalAdvanceAnimation()
#9 0x7ffff2673fa3 blink::BitmapImage::startAnimation()
#10 0x7ffff26739ed blink::BitmapImage::draw()
#11 0x7ffff268c5df blink::GraphicsContext::drawImage()
#12 0x7fffea8ce42b blink::ImagePainter::paintIntoRect()
#13 0x7fffea8cdf40 blink::ImagePainter::paintReplaced()
#14 0x7fffeaa194de blink::LayoutImage::paintReplaced()
#15 0x7fffea90755f blink::ReplacedPainter::paint()
#16 0x7fffeaa4785e blink::LayoutReplaced::paint()
#17 0x7fffea8ccfd6 blink::ImagePainter::paint()
#18 0x7fffeaa194ee blink::LayoutImage::paint()
#19 0x7fffea8de249 blink::ObjectPainter::paintAllPhasesAtomically()
#20 0x7fffea8b527d blink::BlockPainter::paintChildrenOfFlexibleBox()
#21 0x7fffea8b597d blink::BlockPainter::paintObject()
#22 0x7fffea9a2a3e blink::LayoutBlock::paintObject()
#23 0x7fffea8b4a2f blink::BlockPainter::paint()
#24 0x7fffea9a2a1e blink::LayoutBlock::paint()
#25 0x7fffea8f566f blink::PaintLayerPainter::paintFragmentWithPhase()
#26 0x7fffea8f57e0 blink::PaintLayerPainter::paintForegroundForFragmentsWithPhase()
#27 0x7fffea8f44e9 blink::PaintLayerPainter::paintForegroundForFragments()
#28 0x7fffea8f36d6 blink::PaintLayerPainter::paintLayerContents()
#29 0x7fffea8f26c4 blink::PaintLayerPainter::paintLayerContentsAndReflection()
#30 0x7fffea8f1b38 blink::PaintLayerPainter::paintLayer()
#31 0x7fffea8f42ab blink::PaintLayerPainter::paintChildren()
#32 0x7fffea8f3723 blink::PaintLayerPainter::paintLayerContents()
#33 0x7fffeaaaf32a blink::CompositedLayerMapping::doPaintTask()
#34 0x7fffeaab01ad blink::CompositedLayerMapping::paintContents()
#35 0x7ffff2690701 blink::GraphicsLayer::paintWithoutCommit()
#36 0x7ffff2690227 blink::GraphicsLayer::paint()
#37 0x7fffea744864 blink::FrameView::synchronizedPaintRecursively()
#38 0x7fffea7448db blink::FrameView::synchronizedPaintRecursively()
#39 0x7fffea7448db blink::FrameView::synchronizedPaintRecursively()
#40 0x7fffea7448db blink::FrameView::synchronizedPaintRecursively()
#41 0x7fffea7448db blink::FrameView::synchronizedPaintRecursively()
#42 0x7fffea7448db blink::FrameView::synchronizedPaintRecursively()
#43 0x7fffea744184 blink::FrameView::synchronizedPaint()
#44 0x7fffea743693 blink::FrameView::updateLifecyclePhasesInternal()
#45 0x7fffea89134a blink::PageAnimator::updateAllLifecyclePhases()
#46 0x7ffff242e88f blink::WebViewImpl::updateAllLifecyclePhases()
#47 0x7ffff5dce141 content::RenderWidgetCompositor::UpdateLayerTreeHost()
#48 0x7ffff49b2476 cc::ProxyMain::BeginMainFrame()
#49 0x7ffff49c5b81 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1EEEENS0_9BindStateINS0_15RunnableAdapterIMN2cc9ProxyMainEFvSt10unique_ptrINS6_28BeginMainFrameAndCommitStateESt14default_deleteIS9_EEEEEFvPS7_SC_EJRNS_7WeakPtrIS7_EENS0_13PassedWrapperISC_EEEEELb1EFvvEE3RunEPNS0_13BindStateBaseE
#50 0x7ffff7c97429 base::debug::TaskAnnotator::RunTask()
#51 0x7fffedab89b7 scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#52 0x7fffedab7735 scheduler::TaskQueueManager::DoWork()
#53 0x7ffff7c97429 base::debug::TaskAnnotator::RunTask()
#54 0x7ffff7cc1685 base::MessageLoop::RunTask()
#55 0x7ffff7cc19b8 base::MessageLoop::DeferOrRunPendingTask()
#56 0x7ffff7cc1d4b base::MessageLoop::DoWork()
#57 0x7ffff7cc367e base::MessagePumpDefault::Run()
#58 0x7ffff7cc1171 base::MessageLoop::RunHandler()
#59 0x7ffff7cf0290 base::RunLoop::Run()
#60 0x7ffff7cc01a0 base::MessageLoop::Run()
#61 0x7ffff5e7bc0c content::RendererMain()
[end of stack trace]



Please use labels and text to provide additional information.
https://chromium.googlesource.com/chromium/src/+/45eef1a2a0f721e6782c4c92b28de3835f94ec46 ?
 

Comment 1 by pdr@chromium.org, Jun 29 2016

Do you know any way to get this to trigger reliably? I see that there's a codepath that could trigger this, but I can't get it to hit.

Comment 2 by e...@chromium.org, Jul 6 2016

Components: -Blink>Layout Blink>Paint
This looks to be entirely in paint code and pdr has already started looking into it. Reassigning.
Owner: pdr@chromium.org
Status: Assigned (was: Untriaged)
pdr, didn't you fix this code path with https://blink.lc/chromium/commit/?id=45eef1a2a0f721e6782c4c92b28de3835f94ec46 ?

Comment 4 by pdr@chromium.org, Jul 8 2016

I added this assert but it just catches a longstanding issue in our image paint code. I fixed the largest class of them in https://blink.lc/chromium/commit/?id=45eef1a2a0f721e6782c4c92b28de3835f94ec46 but it looks like there's another codepath that can cause this to be hit. I'm pretty sure it's another bug.

Let's leave this assigned to me, but as a P3. If anyone finds a reliable repro, please do attach it.

Comment 5 by meade@chromium.org, Aug 16 2016

I found a repro in a website! I haven't tried to minimize it, but I can consistently reproduce the problem on this website. 
Attachment: The Sun-Herald City2Surf presented by Westpac_files.zip (9.4 MB)
Attachment: The Sun-Herald City2Surf presented by Westpac.html (234 KB)

Comment 6 by meade@chromium.org, Aug 16 2016

Cc: meade@chromium.org

Comment 7 by pdr@chromium.org, Aug 19 2016

Status: Started (was: Assigned)
Thanks meade!

I was able to make a minimized testcase.
Attachment: crashgif.html (382 bytes)
Attachment: crashgif.gif (113 bytes)

Comment 8 by bugdroid1@chromium.org, Aug 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3061da90a5ca1b28236970872257183d728bdf94

commit 3061da90a5ca1b28236970872257183d728bdf94
Author: pdr <pdr@chromium.org>
Date: Tue Aug 23 00:30:54 2016

Remove redundant bitmap animation loop check: m_repetitionsComplete

While working on https://crbug.com/623798 I noticed this check will
always be true due to incrementing m_repetitionsComplete a few lines
up.

Split out from the other patch for simplicity. This line of code was
added in https://src.chromium.org/viewvc/blink?view=rev&revision=186217.

BUG= 623798 

Review-Url: https://codereview.chromium.org/2259083003
Cr-Commit-Position: refs/heads/master@{#413604}

[modify] https://crrev.com/3061da90a5ca1b28236970872257183d728bdf94/third_party/WebKit/Source/platform/graphics/BitmapImage.cpp


Comment 9 by bugdroid1@chromium.org, Aug 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/80ec545afbc7a952f201d6146612dffd4014fa18

commit 80ec545afbc7a952f201d6146612dffd4014fa18
Author: pdr <pdr@chromium.org>
Date: Tue Aug 23 18:07:42 2016

Prevent synchronous layout while painting the last frame of a gif

This patch is a followup to [1] and removes another synchronous layout
in the animated gif painting code.

If an animated gif is behind, BitmapImage::startAnimation will advance
the animation until it catches up. This process is called "skipping
frames" and it should not cause a synchronous layout because it will
occur during paint. This patch fixes a bug when skipping frames hit
the last frame of a non-looping gif. Before this patch, we would
synchronously notify observers when the last frame was hit which would
end up causing a layout. With this patch, we now defer the
last-frame-needs-paint notification until paint is done.

An enum has been added for the skippingFrames mode which may make it
easier to understand.

[1] https://crrev.com/45eef1a2a0f721e6782c4c92b28de3835f94ec46

BUG= 623798 

Review-Url: https://codereview.chromium.org/2262493003
Cr-Commit-Position: refs/heads/master@{#413784}

[modify] https://crrev.com/80ec545afbc7a952f201d6146612dffd4014fa18/third_party/WebKit/LayoutTests/SlowTests
[add] https://crrev.com/80ec545afbc7a952f201d6146612dffd4014fa18/third_party/WebKit/LayoutTests/paint/images/animated-gif-last-frame-crash.html
[add] https://crrev.com/80ec545afbc7a952f201d6146612dffd4014fa18/third_party/WebKit/LayoutTests/paint/images/resources/three_frame_100ms.gif
[modify] https://crrev.com/80ec545afbc7a952f201d6146612dffd4014fa18/third_party/WebKit/Source/platform/graphics/BitmapImage.cpp
[modify] https://crrev.com/80ec545afbc7a952f201d6146612dffd4014fa18/third_party/WebKit/Source/platform/graphics/BitmapImage.h
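
The deferral described in the commit message above, as an added simplified model (not the Chromium patch itself; `Document`, `NonLoopingGif`, `deferLastFrame` and `paintLateGif` are hypothetical names). The pre-fix path notifies the observer synchronously while the lifecycle state is InPaint, which is what the failing check catches; the post-fix path posts the notification so it runs after paint has finished.

```cpp
#include <cstddef>
#include <functional>
#include <vector>

// Constructed model, not Blink source; every name here is hypothetical.
enum class Lifecycle { Idle, InPaint };

struct Document {
    Lifecycle state = Lifecycle::Idle;
    int total = 0;        // observer notifications delivered
    int duringPaint = 0;  // notifications that would trip the InPaint check
    std::vector<std::function<void()>> postedTasks;  // run after paint returns
    // Stand-in for LayoutObject::imageChanged(), which can lead to layout.
    void imageChanged() { ++total; duringPaint += (state == Lifecycle::InPaint); }
    void runPostedTasks() {
        for (std::size_t i = 0; i < postedTasks.size(); ++i) postedTasks[i]();
        postedTasks.clear();
    }
};

struct NonLoopingGif {
    Document& doc;
    std::size_t frameCount;
    bool deferLastFrame;  // false models pre-fix behaviour, true post-fix
    std::size_t current;
    // Paint an animation that is `behind` frames late: skip frames to catch up.
    void paint(std::size_t behind) {
        doc.state = Lifecycle::InPaint;
        while (behind-- > 0 && current + 1 < frameCount) {
            ++current;
            if (current + 1 < frameCount) continue;  // intermediate frame: silent
            if (deferLastFrame)
                doc.postedTasks.push_back([this] { doc.imageChanged(); });
            else
                doc.imageChanged();  // synchronous, while state == InPaint
        }
        doc.state = Lifecycle::Idle;
    }
};

// Paints a 3-frame non-looping GIF that is 5 frames late, then drains tasks.
Document paintLateGif(bool deferLast) {
    Document doc;
    NonLoopingGif gif{doc, 3, deferLast, 0};
    gif.paint(5);
    doc.runPostedTasks();
    return doc;
}

int main() { return paintLateGif(true).duringPaint; }
```

In both modes the observer is notified exactly once; only the lifecycle state at delivery time differs.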

Comment 10 by pdr@chromium.org, Sep 12 2016

Status: Fixed (was: Started)
