
Issue 630515


Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

Blocked on:
issue 668848




Crash in blink::EventTarget::dispatchEvent

Project Member Reported by ClusterFuzz, Jul 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5891992748032000

Fuzzer: mbarbella_js_mutation_layout
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  blink::EventTarget::dispatchEvent
  blink::WebGLRenderingContextBase::dispatchContextLostEvent
  blink::Timer<blink::ImageLoader>::fired
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=406809:406906

Minimized Testcase (0.65 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94EpiiLcE_sV3XKejHRKgey-iE4IoNtBmM4YJ9QPF-5zJcmpWhrquTNfaf_Mzu-0Rstw9FzzwT270KX-hMN1afz3jFhO29AYYtflyDy_1Tontncl9WopGxETEEuLZDWG6WKkNKl42Y3wCNAxtHpWXHSe9HOVQ?testcase_id=5891992748032000
<canvas height="100" id="output1">
<script id="myWorker">
// Worker half: the script element's text is loaded as a Blob worker below,
// so this handler runs inside the worker. Each message creates a fresh
// OffscreenCanvas with a WebGL context and transfers an ImageBitmap back.
self.onmessage = function() {
    var __v_2 = new OffscreenCanvas(50, 50);
    var __v_4 = __v_2.getContext('webgl');
    __v_4.clear(__v_4.COLOR_BUFFER_BIT);
    var __v_3 = __v_2.transferToImageBitmap();
    self.postMessage({}, [ __v_3]);
};
// Main-thread half: keep the test alive, spawn the worker from this script's
// own textContent, and keep posting messages so the worker keeps creating
// WebGL contexts until one of them is lost.
testRunner.waitUntilDone();
var blob = new Blob([document.getElementById('myWorker').textContent]);
var worker = new Worker(URL.createObjectURL(blob));
worker.onmessage = function(msg) {
    var __v_7 = document.getElementById("output1");
    var ctx1 = __v_7.getContext('bitmaprenderer');
    worker.postMessage("");
};
worker.postMessage("");
</script>


Filer: brajkumar

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: -Pri-1 Findit-for-crash Te-Logged Pri-2
Owner: tzik@chromium.org
Status: Assigned (was: Untriaged)
No CL in the regression range changes the crashed files. The result is the blame information.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/99de02ba952b0a69291f81c5b8ca14d81cc1f74f
Time: Fri Jul 01 05:54:12 2016
The CL last changed line 164 of file bind_internal.h, which is stack frame 6.

Suspected Project: chromium
=============================
tzik@: Could you please look into this issue if it is related to your change, else please help us in assigning it to the right owner.

Thanks!

Comment 2 by sigbjo...@opera.com, Nov 13 2016

Components: Blink>Canvas Blink>WebGL
Cc: junov@chromium.org tzik@chromium.org
Owner: xidac...@chromium.org
This is likely a bug on OffscreenCanvas; not sure why it was not triaged correctly at the beginning.
Ah, I know what's going on.

It appears that during this test there is a WebGL context loss, which makes the code go into: blink::WebGLRenderingContextBase::dispatchContextLostEvent. At this moment, OffscreenCanvas cannot handle context-lost event.

This crash bug should be gone with my current on-going CL here:
https://codereview.chromium.org/2490443002/

Comment 5 by bugdroid1@chromium.org, Nov 16 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8372014fc16a378fc7452164db9b3b89fbd62909

commit 8372014fc16a378fc7452164db9b3b89fbd62909
Author: xidachen <xidachen@chromium.org>
Date: Wed Nov 16 14:20:08 2016

Make OffscreenCanvas an EventTarget

Right now OffscreenCanvas is not an EventTarget, which means that it
cannot listen to any event such as webgl context lost and restoration.

This CL makes OffscreenCanvas an EventTarget. In order to override the
pure virtual function getExecutionContext in EventTarget, we keep a
Member<ExecutionContext> in OffscreenCanvas.

We also added some layout tests here. In this CL, we only test webgl
context lost and restoration. The layout tests here should be
upstreamed to khronos group on github later on once the spec for
OffscreenCanvas is landed. Also, notice that the context lost test in
worker verifies that all WebGL's API works in a worker.

Note that the tests we have here are pretty much copied from the webgl's
conformance tests.

BUG=655270, 610759, 630515
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2490443002
Cr-Commit-Position: refs/heads/master@{#432478}

[add] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/LayoutTests/fast/canvas/webgl/offscreenCanvas-context-lost-restored-worker.html
[add] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/LayoutTests/fast/canvas/webgl/offscreenCanvas-context-lost-restored.html
[add] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/LayoutTests/fast/canvas/webgl/offscreenCanvas-context-lost-worker.html
[add] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/LayoutTests/fast/canvas/webgl/offscreenCanvas-context-lost.html
[modify] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/LayoutTests/http/tests/serviceworker/webexposed/global-interface-listing-service-worker-expected.txt
[modify] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/LayoutTests/virtual/service-worker-navigation-preload/http/tests/serviceworker/webexposed/global-interface-listing-service-worker-expected.txt
[modify] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-dedicated-worker-expected.txt
[modify] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-shared-worker-expected.txt
[modify] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/Source/core/events/EventTargetFactory.in
[modify] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/Source/core/offscreencanvas/OffscreenCanvas.cpp
[modify] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/Source/core/offscreencanvas/OffscreenCanvas.h
[modify] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/Source/core/offscreencanvas/OffscreenCanvas.idl
[modify] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/Source/modules/offscreencanvas/OffscreenCanvasModules.cpp
[modify] https://crrev.com/8372014fc16a378fc7452164db9b3b89fbd62909/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp

Status: Fixed (was: Assigned)
Cc: xidac...@chromium.org
Issue 666156 has been merged into this issue.
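The comments above describe the two halves of this bug: a WebGL context loss inside a worker reached dispatchContextLostEvent on an OffscreenCanvas that was not yet an EventTarget, and the fix made OffscreenCanvas an EventTarget so worker code can observe webglcontextlost and webglcontextrestored. The following is an added example, not code from the issue or from the CL, showing how worker-side code should handle those events once they can be delivered: it checks that the canvas actually is an EventTarget, calls preventDefault on webglcontextlost so the browser will attempt restoration, drops the stale context, skips drawing while the context is lost, and re-acquires the context on restoration. Node's built-in EventTarget and Event stand in for the browser objects so the block runs offline; attachContextLossHandling, FakeOffscreenCanvas, simulate and simulateLegacy are hypothetical names introduced here, and the fake canvas is a constructed stand-in, not a browser API.

```javascript
// Added example (not from the Chromium issue or the CL): worker-side handling of
// WebGL context loss on an OffscreenCanvas, with Node's EventTarget/Event used
// as stand-ins so the code runs without a browser.

// Wraps a canvas and a context getter; tracks whether the context is usable.
function attachContextLossHandling(canvas, getContext) {
  const state = { lost: false, restores: 0, framesSkipped: 0, gl: null };

  // Before OffscreenCanvas became an EventTarget it had no addEventListener, so
  // loss/restoration could not be observed at all. Report that rather than
  // continuing to draw on a context that may already be lost.
  if (typeof canvas.addEventListener !== 'function') {
    return { supported: false, state };
  }

  canvas.addEventListener('webglcontextlost', (event) => {
    // preventDefault signals that we want a webglcontextrestored event later.
    event.preventDefault();
    state.lost = true;
    state.gl = null; // stale handle: every GL call on it would be a no-op
  });

  canvas.addEventListener('webglcontextrestored', () => {
    state.lost = false;
    state.restores += 1;
    state.gl = getContext(canvas); // re-acquire and reinitialise GL resources
  });

  state.gl = getContext(canvas);

  // Returns true when a frame was drawn, false when it was skipped.
  function renderFrame(draw) {
    if (state.lost || state.gl === null) {
      state.framesSkipped += 1;
      return false;
    }
    draw(state.gl);
    return true;
  }

  return { supported: true, state, renderFrame };
}

// Constructed stand-in for an OffscreenCanvas that is an EventTarget. It can be
// told to lose and restore its fake context; 'generation' changes on restore so
// a re-acquired context is distinguishable from the stale one.
class FakeOffscreenCanvas extends EventTarget {
  constructor() {
    super();
    this.generation = 0;
  }
  getContext() {
    return { generation: this.generation, draws: 0, clear() { this.draws += 1; } };
  }
  loseContext() {
    this.dispatchEvent(new Event('webglcontextlost', { cancelable: true }));
  }
  restoreContext() {
    this.generation += 1;
    this.dispatchEvent(new Event('webglcontextrestored'));
  }
}

// Drives one lose/restore cycle: draw, lose the context, try to draw (skipped),
// restore, draw again on the new context.
function simulate() {
  const canvas = new FakeOffscreenCanvas();
  const h = attachContextLossHandling(canvas, (c) => c.getContext('webgl'));
  const drew1 = h.renderFrame((gl) => gl.clear());
  canvas.loseContext();
  const drew2 = h.renderFrame((gl) => gl.clear());
  canvas.restoreContext();
  const drew3 = h.renderFrame((gl) => gl.clear());
  return {
    supported: h.supported,
    drew1, drew2, drew3,
    framesSkipped: h.state.framesSkipped,
    restores: h.state.restores,
    generation: h.state.gl.generation,
  };
}

// Models the pre-fix OffscreenCanvas: a plain object with getContext but no
// addEventListener, so the handling code must report that events are unavailable.
function simulateLegacy() {
  const legacyCanvas = { getContext: () => ({ clear() {} }) };
  return attachContextLossHandling(legacyCanvas, (c) => c.getContext('webgl')).supported;
}

console.log(simulate(), simulateLegacy());
```

The point of the supported flag is the diagnostic gap this bug lived in: when the canvas cannot deliver the event, nothing tells the worker that its context is gone, so the check up front is what turns a silent failure into something a test or log can see.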

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by kbr@chromium.org, Nov 30 2016

Blockedon: 668848
