ASSERTION FAILED: object.isBox() (was Crash in WTF::StringImpl::hash)
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6500767995527168

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  WTF::StringImpl::hash
  WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,blink::Member<blink::Nt
  blink::SVGElement::cssPropertyIdForSVGAttributeName

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=411875:411885

Minimized Testcase (2.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94fiuEz6kWPrzZxIDXsB8iFZJmsrZ19vj9NdqgPtj-OO8KYIHNhoCv3YqZC_uoB2zIlx5lB0EOWOCS0MVS2NuEDW3-dlBVrvDzFBsd_3iwVYB9oZesXbodQi1UtY9atPfuChTV__XvEncTqG-D_-o0K4P4ggQ?testcase_id=6500767995527168

Additional requirements: Requires HTTP

Issue manually filed by: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 16 2016
The call stack here doesn't make any sense; it does: PaintInvalidationState::updateForNormalChildren -> LayoutBox::clippingRect -> SVGElement::collectStyleForPresentationAttribute. I'm looking at that patch and it shouldn't change behavior, which makes me wonder if this is an older crash that I just changed the stack of?
Aug 16 2016
This is actually a bad cast in the paint code; it crashes in blink::toLayoutBox in a debug build.

[471:471:0816/083436:598460889325:INFO:CONSOLE(0)] "SVG's SMIL animations (<animate>, <set>, etc.) are deprecated and will be removed. Please use CSS animations or Web animations instead.", source: (0)

ASSERTION FAILED: object.isBox()
../../third_party/WebKit/Source/core/layout/LayoutBox.h(1130) : const blink::LayoutBox &blink::toLayoutBox(const blink::LayoutObject &)
1 0x7efd87e756e6
2 0x7efd87fdcdfb blink::PaintInvalidationState::updateForNormalChildren()
3 0x7efd87fdca65 blink::PaintInvalidationState::updateForChildren(blink::PaintInvalidationReason)
4 0x7efd880c1c04 blink::LayoutObject::invalidateTreeIfNeeded(blink::PaintInvalidationState const&)
5 0x7efd880c1caa blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&)
6 0x7efd8802ef77 blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&)
7 0x7efd88047874 blink::LayoutBoxModelObject::invalidateTreeIfNeeded(blink::PaintInvalidationState const&)
8 0x7efd880c1caa blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&)
9 0x7efd8802ef77 blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&)
10 0x7efd88047874 blink::LayoutBoxModelObject::invalidateTreeIfNeeded(blink::PaintInvalidationState const&)
11 0x7efd880c1caa blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&)
12 0x7efd8802ef77 blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&)
13 0x7efd88047874 blink::LayoutBoxModelObject::invalidateTreeIfNeeded(blink::PaintInvalidationState const&)
14 0x7efd880c1caa blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&)
15 0x7efd8802ef77 blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&)
16 0x7efd88047874 blink::LayoutBoxModelObject::invalidateTreeIfNeeded(blink::PaintInvalidationState const&)
17 0x7efd87bfb735
18 0x7efd87beadae blink::FrameView::invalidateTreeIfNeeded(blink::PaintInvalidationState const&)
19 0x7efd87bf3b0c blink::FrameView::invalidateTreeIfNeededRecursiveInternal()
20 0x7efd87bf221b blink::FrameView::invalidateTreeIfNeededRecursive()
21 0x7efd87bf135b blink::FrameView::updateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState)
22 0x7efd87bf0d22 blink::FrameView::updateAllLifecyclePhases()
23 0x7efd87e2256a blink::PageAnimator::updateAllLifecyclePhases(blink::LocalFrame&)
24 0x7efd8aaa2cb5
25 0x7efd8ab8c0c8 blink::WebViewImpl::updateAllLifecyclePhases()
26 0x7efd93226aca content::RenderWidget::UpdateVisualState()
27 0x7efd9307a80a content::RenderWidgetCompositor::UpdateLayerTreeHost()
28 0x7efd8e1d023d cc::LayerTreeHost::RequestMainFrameUpdate()
29 0x7efd8e2955cb cc::ProxyMain::BeginMainFrame(std::unique_ptr<cc::BeginMainFrameAndCommitState, std::default_delete<cc::BeginMainFrameAndCommitState> >)
30 0x7efd8e2c2cc8
31 0x7efd8e2c2b9f
Aug 16 2016
Aug 16 2016
PaintInvalidationState::updateForNormalChildren looks a bit fishy (wrt isSVG) at a quick read - I take it the TC has a <foreignObject> or a <text> w/ a 'clip related' property?
Aug 16 2016
Aug 16 2016
s/has a/has something else than a/
Aug 16 2016
This is caused by a recent change above the toLayoutBox() call, from hasOverflowClip to hasClipRelatedProperty() (https://chromium.googlesource.com/chromium/src/+/3d30a67e378ec3fcaac5809305584bbabca88e18). I'm taking it as chrishtr@ is on vacation.
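The defect class behind this report, as an added example that is neither Blink's code nor the landed fix: hypothetical stand-ins for LayoutObject/LayoutBox show why gating a toLayoutBox() downcast on hasClipRelatedProperty() alone admits non-box children (the debug assertion is the only guard, so a release build casts anyway), and how restoring an isBox() check before the cast closes it. The class and member names mirror Blink's but all bodies and the sample child list are constructed here; the "fixed" gate is the generic mitigation, not necessarily the exact change in the commit.

```cpp
#include <cassert>
#include <vector>
// Hypothetical stand-ins for Blink's LayoutObject / LayoutBox; constructed here, not Blink code.
struct LayoutObject {
    virtual ~LayoutObject() = default;
    virtual bool isBox() const { return false; }
    // Predicate the regressing change switched to: true for any clip-related object, box or not.
    bool hasClipRelatedProperty() const { return m_clipRelated; }
    bool m_clipRelated = false;
};
struct LayoutBox : LayoutObject {
    bool isBox() const override { return true; }
    bool hasOverflowClip() const { return m_overflowClip; }  // box-only state (the old gate)
    bool m_overflowClip = false;
};
struct LayoutSVGText : LayoutObject {};  // not a box, yet clip-path can still apply to it

// Blink-style downcast guarded only by a debug assertion: a release build casts regardless.
const LayoutBox& toLayoutBox(const LayoutObject& object) {
    assert(object.isBox());
    return static_cast<const LayoutBox&>(object);
}
using Children = std::vector<const LayoutObject*>;
// Gate as regressed: any clip-related child, box or not, reaches toLayoutBox().
bool regressedGate(const LayoutObject& o) { return o.hasClipRelatedProperty(); }
// Gate with the type check restored (generic mitigation; not necessarily the landed patch).
bool fixedGate(const LayoutObject& o) { return o.isBox() && o.hasClipRelatedProperty(); }

// Counts the non-box children a gate would hand to toLayoutBox(); anything > 0 is the bug.
int badCastsAdmitted(bool (*gate)(const LayoutObject&), const Children& children) {
    int bad = 0;
    for (const LayoutObject* child : children)
        if (gate(*child) && !child->isBox()) ++bad;
    return bad;
}
// updateForNormalChildren()-style traversal: gate, then downcast to read box-only state.
// With regressedGate this trips the assertion on the SVG <text> child; with fixedGate it is safe.
int clippedBoxesHandled(bool (*gate)(const LayoutObject&), const Children& children) {
    int handled = 0;
    for (const LayoutObject* child : children) {
        if (!gate(*child)) continue;
        if (toLayoutBox(*child).hasOverflowClip()) ++handled;
    }
    return handled;
}
// Constructed sample: a clipped block box, a plain box, and an SVG <text> carrying clip-path.
Children sampleChildren() {
    static LayoutBox clippedBox, plainBox;
    static LayoutSVGText clippedText;
    clippedBox.m_clipRelated = clippedBox.m_overflowClip = clippedText.m_clipRelated = true;
    return {&clippedBox, &plainBox, &clippedText};
}
```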
Aug 16 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8eaf8ebd391c7f6aae667015a940273a917efa9a

commit 8eaf8ebd391c7f6aae667015a940273a917efa9a
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Tue Aug 16 20:27:24 2016

Fix bad cast in PaintInvalidationState::updateForNormalChildren()

BUG= 638144
Review-Url: https://codereview.chromium.org/2254433004
Cr-Commit-Position: refs/heads/master@{#412327}

[add] https://crrev.com/8eaf8ebd391c7f6aae667015a940273a917efa9a/third_party/WebKit/LayoutTests/paint/invalidation/svg-clip-crash-expected.txt
[add] https://crrev.com/8eaf8ebd391c7f6aae667015a940273a917efa9a/third_party/WebKit/LayoutTests/paint/invalidation/svg-clip-crash.svg
[modify] https://crrev.com/8eaf8ebd391c7f6aae667015a940273a917efa9a/third_party/WebKit/Source/core/layout/PaintInvalidationState.cpp
Aug 16 2016
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ajha@chromium.org, Aug 16 2016
Components: Tools>Test>FindIt>NoResult
Labels: M-54 Te-Logged
Owner: esprehn@chromium.org
Status: Assigned (was: Untriaged)