
Issue 658092

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Not on Chrome anymore
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




!node.childNeedsStyleRecalc() in Document.cpp

Project Member Reported by ClusterFuzz, Oct 21 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5108581471092736

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !node.childNeedsStyleRecalc() in Document.cpp
  blink::assertLayoutTreeUpdated
  blink::Document::updateStyleAndLayoutTree
  

Minimized Testcase (3.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94SEeQ3bUTgpKVls-CQhYDA4UYXFCP3n0ErorHCwUd2RD-CXDv_p4pZ5XprpCLa7llQ2iKeIwJszgUELoBjfRVhEoMPpn6HCpuAQVy8LS4U5noh7LQaufs_GzC46tEuyi860DOU3TTjRKdVViUEjHcjbE9h9w?testcase_id=5108581471092736

Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>Loader Blink>Layout
[1:1:1109/002631:1617004753732:FATAL:Document.cpp(1818)] Check failed: !node.childNeedsStyleRecalc().
#0 0x0000004d4931 __interceptor_backtrace
#1 0x7f87b4f075ec base::debug::StackTrace::StackTrace()
#2 0x7f87b50952ff logging::LogMessage::~LogMessage()
#3 0x7f8791199295 blink::assertLayoutTreeUpdated()
#4 0x7f879118c379 blink::Document::updateStyleAndLayoutTree()
#5 0x7f87911c9cc2 blink::Document::finishedParsing()
#6 0x7f879295a039 blink::HTMLConstructionSite::finishedParsing()
#7 0x7f8792abc9f6 blink::HTMLTreeBuilder::finished()
#8 0x7f879298e85d blink::HTMLDocumentParser::end()
#9 0x7f87929779b4 blink::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
#10 0x7f87929774ea blink::HTMLDocumentParser::prepareToStopParsing()
#11 0x7f87929863ec blink::HTMLDocumentParser::processTokenizedChunkFromBackgroundParser()
#12 0x7f879297b15a blink::HTMLDocumentParser::pumpPendingSpeculations()
#13 0x7f879297a24a blink::HTMLDocumentParser::resumeParsingAfterYield()
#14 0x7f8792a03899 blink::HTMLParserScheduler::continueParsing()

I locally reproduced on Linux ToT (r430910), flaky (~25%).
Components: -Blink>Loader
The ChildNeedsStyleRecalcFlag flag of the first <use> node in the minimized test case is set but not cleared before the assertion.

When Chrome doesn't crash, the flag is cleared in:
#2 0x000009563fb8 blink::Node::clearChildNeedsStyleRecalc()
#3 0x0000095637d1 blink::ContainerNode::attachLayoutTree()
#4 0x0000096a64fd blink::Element::attachLayoutTree()
#5 0x00000afb0e82 blink::SVGElement::attachLayoutTree()
#6 0x000009563771 blink::ContainerNode::attachLayoutTree()
#7 0x0000096a64fd blink::Element::attachLayoutTree()
#8 0x00000afb0e82 blink::SVGElement::attachLayoutTree()
#9 0x000009563771 blink::ContainerNode::attachLayoutTree()
#10 0x0000096a64fd blink::Element::attachLayoutTree()
#11 0x000009563771 blink::ContainerNode::attachLayoutTree()
#12 0x0000096a64fd blink::Element::attachLayoutTree()
#13 0x00000977caf1 blink::Node::reattachLayoutTree()
#14 0x0000096ac42c blink::Element::rebuildLayoutTree()
#15 0x0000096aac6f blink::Element::recalcOwnStyle()
#16 0x0000096a9d6b blink::Element::recalcStyle()
#17 0x0000095f0043 blink::Document::updateStyle()
#18 0x0000095e3eff blink::Document::updateStyleAndLayoutTree()
#19 0x0000096230fb blink::Document::finishedParsing()
#20 0x00000a20e093 blink::HTMLDocumentParser::end()
#21 0x00000a1fa543 blink::HTMLDocumentParser::prepareToStopParsing()
#22 0x00000a204698 blink::HTMLDocumentParser::processTokenizedChunkFromBackgroundParser()
#23 0x00000a1fca4e blink::HTMLDocumentParser::pumpPendingSpeculations()

Looks like a layout issue. Removing Loader component flag.

Comment 4 by skobes@chromium.org, Nov 13 2016

Components: -Blink>Layout Blink>CSS
Owner: nainar@chromium.org
Status: Assigned (was: Untriaged)
@nainar, mind taking a look at this one?

Seems possibly related to the changes in issue 595137.

Project Member Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by nainar@chromium.org, Nov 29 2016

Sorry it took so long to get back on this. I have been investigating this bug and it seems like we are clearing the childNeedsStyleRecalc bit on use element but setting it again on a later stage. This issue is fixed by a WIP patch (for bug 595137) here: https://codereview.chromium.org/2473743003.

Will mark the patch as fixing this bug as well.
Project Member Comment 7 by ClusterFuzz, Dec 29 2016

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5108581471092736 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
