false. Can't find cached display item in PaintController.cpp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6134555057848320

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false. Can't find cached display item in PaintController.cpp
  blink::PaintController::findOutOfOrderCachedItemForward
  blink::PaintController::useCachedDrawingIfPossible

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=426422:426435

Minimized Testcase (1.94 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97TXcmQoBUIV70hR-pOUddvuBZJ3I1EMf3z75aKEAwJ5U4ZvzEthTz15XM4Ut51nqJyBfANgkIVxTSCXDarOYA2N4ejoxlbhcyAhyWXdmwTVdP99dKZPQSQapr0C-u6Zgup88EBqRW6hSMtGI6Ts4sm-ofA0g?testcase_id=6134555057848320

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 21 2016
Unable to find the possible suspect using Findit and CL. Below are the Findit results:

Suspected CLs: Findit failed to find any stack trace. Is it in a new format?

Using Code Search for "PaintController.cpp", assigning it to the concerned owner:
Suspecting Commit# a19b0818793a6e872af045af0e317c7fbf88924a
Suspecting Review URL# https://codereview.chromium.org/2328413002

@wangxianzhu -- Could you please look into the issue, and kindly re-assign if this is not related to your change.

Thank you.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 6 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1f029bf28962ff78d2394dfee4258a3f23fe91bd

commit 1f029bf28962ff78d2394dfee4258a3f23fe91bd
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Tue Dec 06 00:15:34 2016

Add test for crbug.com/667045

The bug has been fixed by painting all collapsed borders of a table
as one display item.

BUG= 667045

Review-Url: https://codereview.chromium.org/2551803004
Cr-Commit-Position: refs/heads/master@{#436467}

[add] https://crrev.com/1f029bf28962ff78d2394dfee4258a3f23fe91bd/third_party/WebKit/LayoutTests/paint/invalidation/table/composited-cell-collapsed-border-add-anonymous-expected.txt
[add] https://crrev.com/1f029bf28962ff78d2394dfee4258a3f23fe91bd/third_party/WebKit/LayoutTests/paint/invalidation/table/composited-cell-collapsed-border-add-anonymous.html
Dec 6 2016
The CL that paints all collapsed borders as one display item: https://codereview.chromium.org/2502353003/.
Dec 6 2016
https://codereview.chromium.org/2502353003/ has been reverted. Reopening this bug. The test case is a rare case (appending text node into a tbody containing composited cells), so lowering the priority.
Dec 6 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eca747d2319680846ef1d37c2751d67a7c3144da

commit eca747d2319680846ef1d37c2751d67a7c3144da
Author: hbos <hbos@chromium.org>
Date: Tue Dec 06 10:42:57 2016

Revert of Add test for crbug.com/667045 (patchset #2 id:20001 of https://codereview.chromium.org/2551803004/ )

Reason for revert:
The added tests are failing on many bots, e.g:
https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Linux%20Trusty/builds/20708
https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Linux%20Trusty%20Leak/builds/524
https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Mac10.10/builds/27408
https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Mac10.11%20%28retina%29/builds/9599
https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Mac10.9/builds/40397
https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Win10/builds/17898
https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Win7/builds/48488

Original issue's description:
> Add test for crbug.com/667045
>
> The bug has been fixed by painting all collapsed borders of a table
> as one display item.
>
> BUG= 667045
>
> Committed: https://crrev.com/1f029bf28962ff78d2394dfee4258a3f23fe91bd
> Cr-Commit-Position: refs/heads/master@{#436467}

TBR=wkorman@chromium.org,wangxianzhu@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 667045

Review-Url: https://codereview.chromium.org/2557433004
Cr-Commit-Position: refs/heads/master@{#436565}

[delete] https://crrev.com/00b8f3e1d2a06989c7dea41ac59ef6e40097482b/third_party/WebKit/LayoutTests/paint/invalidation/table/composited-cell-collapsed-border-add-anonymous-expected.txt
[delete] https://crrev.com/00b8f3e1d2a06989c7dea41ac59ef6e40097482b/third_party/WebKit/LayoutTests/paint/invalidation/table/composited-cell-collapsed-border-add-anonymous.html
Mar 8 2017
ClusterFuzz has detected this issue as fixed in range 454873:455052.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6134555057848320

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false. Can't find cached display item in PaintController.cpp
  blink::PaintController::findOutOfOrderCachedItemForward
  blink::PaintController::useCachedDrawingIfPossible

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=426422:426435
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=454873:455052

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97TXcmQoBUIV70hR-pOUddvuBZJ3I1EMf3z75aKEAwJ5U4ZvzEthTz15XM4Ut51nqJyBfANgkIVxTSCXDarOYA2N4ejoxlbhcyAhyWXdmwTVdP99dKZPQSQapr0C-u6Zgup88EBqRW6hSMtGI6Ts4sm-ofA0g?testcase_id=6134555057848320

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 8 2017
ClusterFuzz testcase 6134555057848320 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 8 2017
I don't know why this is fixed. Will verify manually, or at least find out which CL fixed this.
Mar 8 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/073e1744a8b06f5d757b7fa71133f687652f1e18

commit 073e1744a8b06f5d757b7fa71133f687652f1e18
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Wed Mar 08 20:27:10 2017

Reland of Add test for crbug.com/667045 (patchset #1 id:1 of https://codereview.chromium.org/2557433004/ )

Reason for revert:
Re-add the test case to reproduce the bug. The test will be expected to fail.

Original issue's description:
> Revert of Add test for crbug.com/667045 (patchset #2 id:20001 of https://codereview.chromium.org/2551803004/ )
>
> Reason for revert:
> The added tests are failing on many bots, e.g:
>
> https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Linux%20Trusty/builds/20708
>
> https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Linux%20Trusty%20Leak/builds/524
>
> https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Mac10.10/builds/27408
>
> https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Mac10.11%20%28retina%29/builds/9599
>
> https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Mac10.9/builds/40397
>
> https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Win10/builds/17898
>
> https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Win7/builds/48488
>
> Original issue's description:
> > Add test for crbug.com/667045
> >
> > The bug has been fixed by painting all collapsed borders of a table
> > as one display item.
> >
> > BUG= 667045
> >
> > Committed: https://crrev.com/1f029bf28962ff78d2394dfee4258a3f23fe91bd
> > Cr-Commit-Position: refs/heads/master@{#436467}
>
> TBR=wkorman@chromium.org,wangxianzhu@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG= 667045
>
> Committed: https://crrev.com/eca747d2319680846ef1d37c2751d67a7c3144da
> Cr-Commit-Position: refs/heads/master@{#436565}

TBR=wkorman@chromium.org,hbos@chromium.org
BUG= 667045

Review-Url: https://codereview.chromium.org/2735903006
Cr-Commit-Position: refs/heads/master@{#455529}

[modify] https://crrev.com/073e1744a8b06f5d757b7fa71133f687652f1e18/third_party/WebKit/LayoutTests/TestExpectations
[add] https://crrev.com/073e1744a8b06f5d757b7fa71133f687652f1e18/third_party/WebKit/LayoutTests/paint/invalidation/table/composited-cell-collapsed-border-add-anonymous-expected.txt
[add] https://crrev.com/073e1744a8b06f5d757b7fa71133f687652f1e18/third_party/WebKit/LayoutTests/paint/invalidation/table/composited-cell-collapsed-border-add-anonymous.html
Mar 13 2017
Maybe clusterfuzz is fixed, but the tests are still crashing. https://codereview.chromium.org/2747883002/
Mar 13 2017
The clusterfuzz test case can't reproduce the issue stably because it changes DOM during loading. We can stably reproduce the bug if we change DOM after the first paint.
Mar 28 2017
Apr 1 2017
Jun 23 2017
The test no longer crashes: https://test-results.appspot.com/dashboards/flakiness_dashboard.html#testType=webkit_tests&tests=paint%2Finvalidation%2Ftable%2Fcomposited-cell-collapsed-border-add-anonymous.html Will update TestExpectations.
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by ajha@chromium.org, Nov 21 2016