Crash in content::RenderWidgetHostViewChildFrame::GetParentView
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4635878100303872

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000006
Crash State:
  content::RenderWidgetHostViewChildFrame::GetParentView
  content::RenderWidgetHostInputEventRouter::SendMouseEnterOrLeaveEvents
  content::RenderWidgetHostInputEventRouter::RouteMouseEvent

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=419110:419128

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94KmV5P2GFDujgjTrkB7smvv7i3ka15zsJHyOMAgPPXtUQPmvP6cgz5f3bN_WWxju6LE21pXnX2VoffGX8J8b9FUursiIJSHgFX6IqHi9M6XyRnX4xBT1EAxXbYpOXOR2clcebqA8eLiYL649ZyP9LiYHQkHw?testcase_id=4635878100303872

Additional requirements: Requires Gestures

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/83e4f9ac895d5b42a4b114f3ef964676a40476ff

commit 83e4f9ac895d5b42a4b114f3ef964676a40476ff
Author: kenrb <kenrb@chromium.org>
Date: Tue Oct 11 20:36:27 2016

Clear last MouseMove root view in RWHIER if that view gets destroyed

Cluster-fuzz has reported some difficult-to-reproduce crashes in the MouseEnter/Leave generation code in RenderWidgetHostInputEventRouter, and there are some very sparse crash reports appearing for that also. These might be caused by race conditions from RenderWidgetHostView tree modifications that get slightly out of sync from the Surface state that is used for hit testing (Surfaces aren't invalidated until RWHVs are deleted, which for some RWHVs is not immediate upon them having Destroy() called).

This CL speculatively tries to address the crashes by having SendMouseEnterOrLeaveEvents abort when it discovers the RWHV tree out of sync, and also clearing last_mouse_move_root_view_ when that gets destroyed.

BUG=647821, 652209
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2396083002
Cr-Commit-Position: refs/heads/master@{#424533}

[modify] https://crrev.com/83e4f9ac895d5b42a4b114f3ef964676a40476ff/content/browser/frame_host/render_widget_host_view_child_frame.cc
[modify] https://crrev.com/83e4f9ac895d5b42a4b114f3ef964676a40476ff/content/browser/frame_host/render_widget_host_view_child_frame.h
[modify] https://crrev.com/83e4f9ac895d5b42a4b114f3ef964676a40476ff/content/browser/renderer_host/render_widget_host_input_event_router.cc
[modify] https://crrev.com/83e4f9ac895d5b42a4b114f3ef964676a40476ff/content/browser/renderer_host/render_widget_host_view_base.cc
[modify] https://crrev.com/83e4f9ac895d5b42a4b114f3ef964676a40476ff/content/browser/renderer_host/render_widget_host_view_base.h
Oct 18 2016
Nov 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/68f883645ff0c2f46fa75128af0642e87e7095bd

commit 68f883645ff0c2f46fa75128af0642e87e7095bd
Author: Ken Buchanan <kenrb@chromium.org>
Date: Thu Nov 03 20:54:24 2016

Clear last MouseMove root view in RWHIER if that view gets destroyed

Cluster-fuzz has reported some difficult-to-reproduce crashes in the MouseEnter/Leave generation code in RenderWidgetHostInputEventRouter, and there are some very sparse crash reports appearing for that also. These might be caused by race conditions from RenderWidgetHostView tree modifications that get slightly out of sync from the Surface state that is used for hit testing (Surfaces aren't invalidated until RWHVs are deleted, which for some RWHVs is not immediate upon them having Destroy() called).

This CL speculatively tries to address the crashes by having SendMouseEnterOrLeaveEvents abort when it discovers the RWHV tree out of sync, and also clearing last_mouse_move_root_view_ when that gets destroyed.

BUG=647821, 652209
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2396083002
Cr-Commit-Position: refs/heads/master@{#424533}
(cherry picked from commit 83e4f9ac895d5b42a4b114f3ef964676a40476ff)

Review URL: https://codereview.chromium.org/2477893002 .

Cr-Commit-Position: refs/branch-heads/2883@{#445}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[modify] https://crrev.com/68f883645ff0c2f46fa75128af0642e87e7095bd/content/browser/frame_host/render_widget_host_view_child_frame.cc
[modify] https://crrev.com/68f883645ff0c2f46fa75128af0642e87e7095bd/content/browser/frame_host/render_widget_host_view_child_frame.h
[modify] https://crrev.com/68f883645ff0c2f46fa75128af0642e87e7095bd/content/browser/renderer_host/render_widget_host_input_event_router.cc
[modify] https://crrev.com/68f883645ff0c2f46fa75128af0642e87e7095bd/content/browser/renderer_host/render_widget_host_view_base.cc
[modify] https://crrev.com/68f883645ff0c2f46fa75128af0642e87e7095bd/content/browser/renderer_host/render_widget_host_view_base.h
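To make the race in both commit messages concrete, here is an added example that is not Chromium's code and does not reproduce the ClusterFuzz testcase. It models a router that caches a raw pointer to the view that last received a MouseMove, a view tree that can change before the hit-test state that still resolves to a view is invalidated, and the two mitigations the CL describes: aborting the enter/leave walk when the tree is out of sync, and clearing the cached pointer when its view is destroyed. The class names (View, InputEventRouter), the RunScenario helper and the constructed root/child tree are assumptions for illustration only.

```cpp
// Added example, not Chromium code: a minimal model of the dangling-pointer
// pattern the fix addresses. All names and the scenario are illustrative.
#include <iostream>
#include <memory>
#include <string>
#include <vector>

class InputEventRouter;

// Stand-in for RenderWidgetHostViewBase: a node in a view tree that knows its
// parent and notifies the router when it is destroyed.
class View {
 public:
  View(const std::string& name, View* parent, InputEventRouter* router)
      : name_(name), parent_(parent), router_(router) {}
  ~View();

  View* GetParentView() const { return parent_; }
  const std::string& name() const { return name_; }

  // Simulates a tree modification that happens before the hit-testing state
  // that still resolves to this view has been invalidated.
  void DetachFromParent() { parent_ = nullptr; }

 private:
  std::string name_;
  View* parent_;
  InputEventRouter* router_;
};

// Stand-in for RenderWidgetHostInputEventRouter.
class InputEventRouter {
 public:
  explicit InputEventRouter(View* root) : root_(root) {}

  // Models SendMouseEnterOrLeaveEvents: walks from `target` up to root_ via
  // GetParentView(), collecting the views that would receive MouseEnter.
  // Returns false and sends nothing if the walk never reaches root_, i.e. the
  // view tree and the hit-test result disagree, instead of continuing past
  // a null parent.
  bool SendMouseEnterOrLeaveEvents(View* target,
                                   std::vector<std::string>* entered) {
    std::vector<std::string> path;
    View* v = target;
    while (v && v != root_) {
      path.push_back(v->name());
      v = v->GetParentView();
    }
    if (v != root_)
      return false;  // abort: tree out of sync
    path.push_back(root_->name());
    *entered = path;
    return true;
  }

  // Models RouteMouseEvent for a MouseMove: caches the target so the next
  // move can generate MouseLeave for it.
  bool RouteMouseMove(View* target, std::vector<std::string>* entered) {
    if (!SendMouseEnterOrLeaveEvents(target, entered))
      return false;
    last_mouse_move_root_view_ = target;
    return true;
  }

  // The other half of the fix: a destroyed view clears the cached pointer so
  // the next MouseMove never touches freed memory.
  void OnViewDestroyed(View* view) {
    if (last_mouse_move_root_view_ == view)
      last_mouse_move_root_view_ = nullptr;
  }

  View* last_mouse_move_root_view() const { return last_mouse_move_root_view_; }

 private:
  View* root_;
  View* last_mouse_move_root_view_ = nullptr;
};

View::~View() {
  if (router_)
    router_->OnViewDestroyed(this);
}

struct ScenarioResult {
  std::vector<std::string> first_entered;  // views entered by the first move
  bool stale_move_aborted = false;         // second move saw an out-of-sync tree
  bool cache_cleared_after_destroy = false;
};

// Walks through the race with a constructed root/child tree (assumed data).
ScenarioResult RunScenario() {
  ScenarioResult r;
  View root("root", nullptr, nullptr);
  InputEventRouter router(&root);
  auto child = std::make_unique<View>("child", &root, &router);

  // 1. Normal MouseMove into the child frame: enter child, then root.
  router.RouteMouseMove(child.get(), &r.first_entered);

  // 2. The child is detached but hit testing still resolves to it. The walk
  //    cannot reach root_ and must abort rather than dereference null.
  child->DetachFromParent();
  std::vector<std::string> ignored;
  r.stale_move_aborted = !router.RouteMouseMove(child.get(), &ignored);

  // 3. The child is deleted. Its destructor tells the router, which drops the
  //    pointer cached in step 1 instead of leaving it dangling.
  child.reset();
  r.cache_cleared_after_destroy = router.last_mouse_move_root_view() == nullptr;
  return r;
}

int main() {
  ScenarioResult r = RunScenario();
  std::cout << "first move entered:";
  for (const auto& n : r.first_entered) std::cout << ' ' << n;
  std::cout << "\nstale move aborted: " << r.stale_move_aborted
            << "\ncache cleared after destroy: " << r.cache_cleared_after_destroy
            << '\n';
  return 0;
}
```

Under ASan (or SyzyASan, as in the report) the unfixed shape of step 3 is what surfaces as a crash in the parent-walk: the cached pointer outlives the view, and the next MouseMove walks through it. The two checks are deliberately independent: step 2 protects against a tree that is merely inconsistent, step 3 against one whose node is already gone.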
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 22 2016
Comment 1 by mummare...@chromium.org, Sep 16 2016
Labels: M-55 Te-Logged
Owner: kenrb@chromium.org
Status: Assigned (was: Untriaged)