New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 628002 link

Starred by 1 user
Status: Duplicate
Merged: issue 372245
Owner:
dglazkov@chromium.org
OOO until NaN
Closed: Jul 2016
Cc:
f...@opera.com
foolip@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocking:
issue 586241



Sign in to add a comment

LayoutTextTrackContainer sets inline style during layout

Project Member Reported by ClusterFuzz, Jul 13 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5129818563936256

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !document->needsLayoutTreeUpdate() in WebFrameContentDumper.cpp
  blink::frameContentAsPlainText
  blink::WebFrameContentDumper::deprecatedDumpFrameTreeAsText
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=402064:402065

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94CrUq06FZBvwwuU8GuPbdIxGc4hrM5pqgfm5nDfFXDDFPy-DnoGuWiM4U4a87Ohe0vFF3T1z26wbR6vJZAK047TMdXIbloC17aFvIS7vMaSZphG54jV2DpB8tQzsGnJK57nrIzU6KQ2zpbISFzX6AdycYE1g?testcase_id=5129818563936256
<style>
html { overflow:hidden }
</style>
<video width="1280"<source src="../../../media/white.webm" type="video/webm">
    <track src="../../../support/voice_long.vtt">
<script>
document.getElementsByTagName('track')[0].track.mode = 'showing';
</script>


Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mmohammad@chromium.org, Jul 13 2016

Owner: dglazkov@chromium.org
Status: Assigned (was: Available)
suspected cl : https://chromium.googlesource.com/chromium/src/+/2f8c7fcf0ca7d22c7ef943ea5e3256914bef70f1%5E%21/third_party/WebKit/Source/web/WebFrameContentDumper.cpp

dglazkov@ could you please look into this. Thanks

Comment 2 by dglazkov@chromium.org, Jul 13 2016

Status: Started (was: Assigned)

Comment 3 by dglazkov@chromium.org, Jul 13 2016 

The general issue is that VTT rendering is doing something gnarly here, but I won't know until I get the build and dig into it.

Comment 4 by dglazkov@chromium.org, Jul 14 2016 

Reduced further:

<video src="white.webm">
    <track src="voice_long.vtt" default>
</video>

Comment 5 by dglazkov@chromium.org, Jul 14 2016

Cc: f...@opera.com foolip@chromium.org
We're doing highly illegal stuff in LayoutTextTrackContainer: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/layout/LayoutTextTrackContainer.cpp?rcl=0&l=53

As part of laying out the object, we sometimes set its inline style. Doing this at the layout stage means that after Document::updateStyleAndLayoutTree finishes running, you still have a dirty tree, which in turn trips up my DCHECK. 

This is very old code (pre-Blink), by ways of refactoring through https://codereview.chromium.org/994063003 and https://codereview.chromium.org/988763002. Adding the folks who smuggled this code unchanged into Source/core/layout directory, since they are the closest thing we have to perpetrators :P.

Comment 6 by dglazkov@chromium.org, Jul 14 2016

Components: Blink>Media>Track Blink>Layout
Summary: LayoutTextTrackContainer sets inline style during layout (was: !document->needsLayoutTreeUpdate() in WebFrameContentDumper.cpp)

Comment 7 by dglazkov@chromium.org, Jul 14 2016

Labels: -Restrict-View-EditIssue

Comment 8 by dglazkov@chromium.org, Jul 15 2016

Blocking: 586241

Comment 9 by f...@opera.com, Jul 18 2016 

The things you can do just employing the good old clothespin-on-nose technique... ;-)

We had  issue 372245  for this, so I've set that to block issue 586241. I guess we go ahead and dupe this too if we wanted.

Comment 10 by dglazkov@chromium.org, Jul 18 2016

Mergedinto: 372245
Status: Duplicate (was: Started)
The clothespin is my favorite!

Sign in to add a comment