New issue
Advanced search Search tips

Issue 648854 link

Starred by 1 user
Status: WontFix
Owner:
wangxianzhu@chromium.org
Closed: Oct 2017
Cc:
chrishtr@chromium.org
vmp...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , All , Mac
Pri: 3
Type: Bug



Sign in to add a comment

Iframe paints a pair of transforms that change on move of paint invalidation container

Project Member Reported by ClusterFuzz, Sep 21 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4565897983557632

Fuzzer: mbarbella_js_mutation_layout
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  false in PaintController.cpp
  blink::PaintController::checkUnderInvalidation
  blink::PaintController::processNewItem
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_content_shell&range=419396:419475

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv970RgGdJjFVO-PS2oY1wTbCOD732tfpCPGqKGYBFvsjd5O5i45Ylk2opOu6lgifgisuDXMWRZTXwouLATkgEvaYWNedNW-OkuVACam_pz_NxEdNHyrz7tpaJRnOjLn0ZOgiJ40Zm9-cfyV55n3IE1RUmXsenA?testcase_id=4565897983557632


Issue manually filed by: brajkumar

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by brajkumar@chromium.org, Sep 21 2016

Components: Blink>Paint
Labels: -Type-Bug M-55 Te-Logged Type-Bug-Regression
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)
Through code search on file "PaintController.cpp" from frame #2 suspecting the below change
Review URL: https://codereview.chromium.org/2328413002

wangxianzhu@ - Observed some recent changes on this file, so assigning to you. Could you please check if this is caused with respect to this change, if not please help us in reassign the issue to the right owner.

Note: There was a similar  issue 645225  with same crash state which got fixed recently on Linux. But again it got regressed on windows 419396:419475 so filing a new one. If it's the same issue please feel free to merge in to it.

Thanks!

Comment 2 by wangxianzhu@chromium.org, Sep 22 2016

Cc: chrishtr@chromium.org
Labels: -Pri-1 -M-55 Pri-3
Summary: Iframe paints a pair of transforms that change on move of paint invalidation container (was: false in PaintController.cpp)
This "under-invalidation" is actually harmless. It's because we paint iframes with two transforms which each may change when the iframe moves but their combination doesn't change (which happens in the test case when the paint invalidation container of the iframe is moved):

Old:
{index: 2, client: "0x172a73e149c8 LayoutIFrame IFRAME", type: "BeginTransform", transform: [1.000000,0.000000,0.000000,1.000000,-49.000000,79.000000], cacheIsValid: true, visualRect: [0,0 154x204]},
{index: 3, client: "0x172a73e04388 LayoutView #document", type: "BeginTransform", transform: [1.000000,0.000000,0.000000,1.000000,51.000000,-77.000000], cacheIsValid: false, visualRect: [2,2 150x200]},

New:
{index: 2, client: "0x172a73e149c8 LayoutIFrame IFRAME", type: "BeginTransform", transform: [1.000000,0.000000,0.000000,1.000000,-49.000000,-221.000000], cacheIsValid: true},
{index: 3, client: "0x172a73e04388 LayoutView #document", type: "BeginTransform", transform: [1.000000,0.000000,0.000000,1.000000,51.000000,223.000000], cacheIsValid: false},

Both pair of transforms are effectively a transform of translate(2, 2).

Related code is at: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/paint/PartPainter.cpp?rcl=0&l=110.

Will check how this works and if the transforms are harmful on spv2.
Project Member

Comment 3 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by ClusterFuzz, Dec 22 2016

Status: WontFix (was: Assigned)
ClusterFuzz testcase 4565897983557632 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 5 by wangxianzhu@chromium.org, Dec 22 2016

Labels: -Te-Logged -OS-Windows -Stability-Crash -Reproducible -Clusterfuzz -Type-Bug-Regression OS-All Type-Bug
Status: Assigned (was: WontFix)
Project Member

Comment 6 by ClusterFuzz, Mar 16 2017

Labels: OS-Windows OS-Mac OS-Linux

Comment 7 by wangxianzhu@chromium.org, Oct 11 2017

Status: WontFix (was: Assigned)
It seems that we no longer generate the pair of translations for iframes.

Sign in to add a comment