Issue 624784 link

Starred by 3 users

Issue metadata

Status:	Fixed
Owner:	█ msten...@opera.com NOT IN USE
Closed:	Nov 2016
Components:	Blink>Layout>MultiCol
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	3
Type:	Bug
TE-NeedsTriageFromMTV

ASSERTION FAILED: !flowThreadOffset() in blink::ColumnBalancer::traverse

Reported by hodovan....@gmail.com, Jun 30 2016

Issue description

Chrome Version: Chromium 53.0.2782.0 
OS: Ubuntu 15.10, x86_64

What steps will reproduce the problem?
1. Load the attached test case with debug content_shell.

<!DOCTYPE html>
<style>
* {
    height: 801971534%;
    column-width: 63cm;
    transform: rotateZ(270deg);
}
</style>
<a>
    <dl></dl>
    <table>
        <tfoot>
            <tr>
                <td></td>
            </tr>
        </tfoot>
    </table>
</a>


What is the expected result?
Run the test without any failure.

Backtrace:

ASSERTION FAILED: !flowThreadOffset()
../../third_party/WebKit/Source/core/layout/ColumnBalancer.cpp(23) : void blink::ColumnBalancer::traverse()
1   0x7f25df5ab613 WTFReportBacktrace(int)
2   0x7f25e31b327a
3   0x7f25e31b4d1a
4   0x7f25e38a1958
5   0x7f25e366f961 blink::LayoutMultiColumnSet::recalculateColumnHeight()
6   0x7f25e3670437 blink::LayoutMultiColumnSet::layout()
7   0x7f25e330e9ed blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&)
8   0x7f25e331006e blink::LayoutBlockFlow::layoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&)
9   0x7f25e3325fed blink::LayoutBlockFlow::layoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
10  0x7f25e335d2d7
11  0x7f25e330a0c1 blink::LayoutBlockFlow::layoutBlock(bool)
12  0x7f25e32b1927 blink::LayoutBlock::layout()
13  0x7f25e330e9ed blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&)
14  0x7f25e331006e blink::LayoutBlockFlow::layoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&)
15  0x7f25e3325fed blink::LayoutBlockFlow::layoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
16  0x7f25e335d2d7
17  0x7f25e330a0c1 blink::LayoutBlockFlow::layoutBlock(bool)
18  0x7f25e32b1927 blink::LayoutBlock::layout()
19  0x7f25e3533b3a blink::LayoutFlowThread::layout()
20  0x7f25e366022c blink::LayoutMultiColumnFlowThread::layout()
21  0x7f25e3658a9f blink::LayoutMultiColumnFlowThread::layoutColumns(blink::SubtreeLayoutScope&)
22  0x7f25e3305934 blink::LayoutBlockFlow::layoutSpecialExcludedChild(bool, blink::SubtreeLayoutScope&)
23  0x7f25e3325a71 blink::LayoutBlockFlow::layoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
24  0x7f25e335d2d7
25  0x7f25e330a0c1 blink::LayoutBlockFlow::layoutBlock(bool)
26  0x7f25e32b1927 blink::LayoutBlock::layout()
27  0x7f25e330e9ed blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&)
28  0x7f25e331006e blink::LayoutBlockFlow::layoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&)
29  0x7f25e3325fed blink::LayoutBlockFlow::layoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
30  0x7f25e335d2d7
31  0x7f25e330a0c1 blink::LayoutBlockFlow::layoutBlock(bool)
ASAN:DEADLYSIGNAL
=================================================================
==7420==ERROR: AddressSanitizer: SEGV on unknown address 0x00009f7537dd (pc 0x7f25e31b3281 bp 0x7f24131c32b0 sp 0x7f24131c3220 T22)
==7420==The signal is caused by a READ memory access.
    #0 0x7f25e31b3280 in blink::ColumnBalancer::traverse() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/ColumnBalancer.cpp:23 (discriminator 4)
    #1 0x7f25e31b4d19 in blink::InitialColumnHeightFinder::InitialColumnHeightFinder(blink::LayoutMultiColumnSet const&, blink::LayoutUnit, blink::LayoutUnit) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/ColumnBalancer.cpp:91
    #2 0x7f25e38a1957 in blink::MultiColumnFragmentainerGroup::recalculateColumnHeight(blink::LayoutMultiColumnSet&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.cpp:78 (discriminator 2)
    #3 0x7f25e366f960 in blink::LayoutMultiColumnSet::recalculateColumnHeight() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.cpp:320
    #4 0x7f25e3670436 in blink::LayoutMultiColumnSet::layout() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.cpp:365
    #5 0x7f25e330e9ec in blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:654
    #6 0x7f25e331006d in blink::LayoutBlockFlow::layoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:704 (discriminator 1)
    #7 0x7f25e3325fec in blink::LayoutBlockFlow::layoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1189
    #8 0x7f25e335d2d6 in blink::LayoutBlockFlow::layoutBlockFlow(bool, blink::LayoutUnit&, blink::SubtreeLayoutScope&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:471 (discriminator 2)
    #9 0x7f25e330a0c0 in blink::LayoutBlockFlow::layoutBlock(bool) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:389
    #10 0x7f25e32b1926 in blink::LayoutBlock::layout() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:366
    #11 0x7f25e330e9ec in blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:654
    #12 0x7f25e331006d in blink::LayoutBlockFlow::layoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:704 (discriminator 1)
    #13 0x7f25e3325fec in blink::LayoutBlockFlow::layoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1189
    #14 0x7f25e335d2d6 in blink::LayoutBlockFlow::layoutBlockFlow(bool, blink::LayoutUnit&, blink::SubtreeLayoutScope&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:471 (discriminator 2)
    #15 0x7f25e330a0c0 in blink::LayoutBlockFlow::layoutBlock(bool) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:389
    #16 0x7f25e32b1926 in blink::LayoutBlock::layout() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:366
    #17 0x7f25e3533b39 in blink::LayoutFlowThread::layout() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutFlowThread.cpp:114
    #18 0x7f25e366022b in blink::LayoutMultiColumnFlowThread::layout() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp:989
    #19 0x7f25e3658a9e in blink::LayoutMultiColumnFlowThread::layoutColumns(blink::SubtreeLayoutScope&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp:455
    #20 0x7f25e3305933 in blink::LayoutBlockFlow::layoutSpecialExcludedChild(bool, blink::SubtreeLayoutScope&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:210
    #21 0x7f25e3325a70 in blink::LayoutBlockFlow::layoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1149
    #22 0x7f25e335d2d6 in blink::LayoutBlockFlow::layoutBlockFlow(bool, blink::LayoutUnit&, blink::SubtreeLayoutScope&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:471 (discriminator 2)
    #23 0x7f25e330a0c0 in blink::LayoutBlockFlow::layoutBlock(bool) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:389
    #24 0x7f25e32b1926 in blink::LayoutBlock::layout() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:366
    #25 0x7f25e330e9ec in blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:654
    #26 0x7f25e331006d in blink::LayoutBlockFlow::layoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:704 (discriminator 1)
    #27 0x7f25e3325fec in blink::LayoutBlockFlow::layoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1189
    #28 0x7f25e335d2d6 in blink::LayoutBlockFlow::layoutBlockFlow(bool, blink::LayoutUnit&, blink::SubtreeLayoutScope&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:471 (discriminator 2)
    #29 0x7f25e330a0c0 in blink::LayoutBlockFlow::layoutBlock(bool) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:389
    #30 0x7f25e32b1926 in blink::LayoutBlock::layout() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:366
    #31 0x7f25e3862537 in blink::LayoutView::layoutContent() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutView.cpp:185
    #32 0x7f25e3864566 in blink::LayoutView::layout() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/layout/LayoutView.cpp:261
    #33 0x7f25e4bd1da7 in blink::layoutFromRootObject(blink::LayoutObject&) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/frame/FrameView.cpp:830
    #34 0x7f25e4bd1149 in blink::FrameView::performLayout(bool) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/frame/FrameView.cpp:899 (discriminator 1)
    #35 0x7f25e4bc7d42 in blink::FrameView::layout() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/frame/FrameView.cpp:1051
    #36 0x7f25e5bad8f7 in blink::Document::implicitClose() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/dom/Document.cpp:2641 (discriminator 1)
    #37 0x7f25e5328e80 in blink::FrameLoader::checkCompleted() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/loader/FrameLoader.cpp:626 (discriminator 2)
    #38 0x7f25e5328b4e in blink::FrameLoader::finishedParsing() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/loader/FrameLoader.cpp:544
    #39 0x7f25e5bd1e9b in blink::Document::finishedParsing() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/dom/Document.cpp:4796 (discriminator 1)
    #40 0x7f25e6c8425b in blink::HTMLConstructionSite::finishedParsing() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/html/parser/HTMLConstructionSite.cpp:534 (discriminator 1)
    #41 0x7f25e6dcbd69 in blink::HTMLTreeBuilder::finished() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp:2822
    #42 0x7f25e6cb81a0 in blink::HTMLDocumentParser::end() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:809 (discriminator 1)
    #43 0x7f25e6ca3497 in blink::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:822
    #44 0x7f25e6ca2f4d in blink::HTMLDocumentParser::prepareToStopParsing() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:229
    #45 0x7f25e6cb1431 in blink::HTMLDocumentParser::processParsedChunkFromBackgroundParser(std::__1::unique_ptr<blink::HTMLDocumentParser::ParsedChunk, std::__1::default_delete<blink::HTMLDocumentParser::ParsedChunk> >) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:491
    #46 0x7f25e6ca6bf6 in blink::HTMLDocumentParser::pumpPendingSpeculations() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:540 (discriminator 1)
    #47 0x7f25e6ca5c7d in blink::HTMLDocumentParser::resumeParsingAfterYield() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:256
    #48 0x7f25e6d21fc5 in blink::HTMLParserScheduler::continueParsing() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../third_party/WebKit/Source/core/html/parser/HTMLParserScheduler.cpp:159 (discriminator 1)
    #49 0x7f25e6d25e34 in void base::internal::RunnableAdapter<void (blink::HTMLParserScheduler::*)()>::Run<blink::WeakPersistent<blink::HTMLParserScheduler> const&>(blink::WeakPersistent<blink::HTMLParserScheduler> const&) const /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../base/bind_internal.h:187 (discriminator 3)
    #74 0x7f261a5cfb54 in base::MessageLoop::Run() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../base/message_loop/message_loop.cc:295
    #75 0x7f261a9e82bb in base::Thread::Run(base::MessageLoop*) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../base/threading/thread.cc:204
    #76 0x7f261a9e9347 in base::Thread::ThreadMain() /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../base/threading/thread.cc:255
    #77 0x7f261a999605 in base::(anonymous namespace)::ThreadFunc(void*) /mnt/data/b/build/slave/ASAN_Debug/build/src/out/Debug/../../base/threading/platform_thread_posix.cc:70
    #78 0x7f25dba3d6a9 in start_thread /build/glibc-qbmteM/glibc-2.21/nptl/pthread_create.c:333

    ...

test.html
260 bytes View Download

Comment 1 by msrchandra@chromium.org, Jul 1 2016

Labels: TE-NeedsTriageFromMTV

Verified the issue on Latest Stable# 51.0.2704.106 and Latest Dev# 53.0.2783.2 on Ubuntu 14.04 and could not reproduce the issue.
Could some one from MTV Team please verify the issue on Ubuntu 15.10 and update.
Thank You.

Comment 2 by cbiesin...@chromium.org, Jul 18 2016

Components: Blink>Layout>MultiCol

Comment 3 by e...@chromium.org, Jul 18 2016

Cc: msten...@opera.com
Status: Available (was: Unconfirmed)

Comment 4 by msten...@opera.com, Aug 9 2016

Cc: -msten...@opera.com
Owner: msten...@opera.com

Reproduced.

Comment 5 by durga.behera@chromium.org, Aug 25 2016

mstensho@ : Clusterfuzz has detected failure with similar stack traces and its impacting to latest Stable (52.0.2743.116) & Beta (53.0.2785.80).

Please let us know if we need to report this separately or can be updated here.

Comment 6 by msten...@opera.com, Aug 25 2016

Separate bug would be fine. Thanks.

Comment 7 by msten...@opera.com, Nov 3 2016

Status: Fixed (was: Available)

https://codereview.chromium.org/2465363003/ turned out to fix this one.

Comment 8 by msten...@opera.com, Nov 21 2016

 Issue 641616  has been merged into this issue.

►

Issue 624784 link

Issue metadata

ASSERTION FAILED: !flowThreadOffset() in blink::ColumnBalancer::traverse

Issue description

Comment 1 by msrchandra@chromium.org, Jul 1 2016

Comment 1 Deleted

Comment 2 by cbiesin...@chromium.org, Jul 18 2016

Comment 2 Deleted

Comment 3 by e...@chromium.org, Jul 18 2016

Comment 3 Deleted

Comment 4 by msten...@opera.com, Aug 9 2016

Comment 4 Deleted

Comment 5 by durga.behera@chromium.org, Aug 25 2016

Comment 5 Deleted

Comment 6 by msten...@opera.com, Aug 25 2016

Comment 6 Deleted

Comment 7 by msten...@opera.com, Nov 3 2016

Comment 7 Deleted

Comment 8 by msten...@opera.com, Nov 21 2016

Comment 8 Deleted

Sign in to add a comment