Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4807145360195584
Fuzzer: libfuzzer_renderer_tree_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x03e900005629
Crash State:
  blink::Document::updateStyleAndLayoutTree
  blink::Document::scrollingElement
  blink::PaintLayerCompositor::updateIfNeeded
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408165:408299
Minimized Testcase (0.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97CU-t_vGZobTflrA4-bCB85xk3C3FFmeeDIFMNLXBVcbaa7aXfvr7eIbk3EJQhCPRsGoRnrWgzkpc0r-zDtz0GHaSH5Ou6IQbpFbzuvzNX-s7fUyYMcCPtYz60tziFxRY3_SsgapLPfgCGqERPugGsgFFMIIUnkgRu8deZkRsoIMqCZS-dvtXokBsvIrOxlgnxZIjub0hHk6Y4yJaG73GrhUn5X_4XYmSx3G9cW_uJS9sUQi3xRJaEpDxeyKi12GOa18-p7d81c34MKyDWFRqF4-nYSjDXWE0i-ZVI7OsXeA4xrWr5ye1uLGHIn13syip5JQbIqTZrUZYUpaLx9Xm6QBDxnvFo7U3tKcSjxTVx6XZ8Eb4?testcase_id=4807145360195584
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Possible suspect from code search on the file "PaintLayerCompositor.cpp".
Review-Url: https://codereview.chromium.org/2540043002
chrishtr@: Could you please check if it's related to your change? It's impacting current stable 55.0.2883.87.
I can reproduce.
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e8c827b638b54a43e065cd6b3a431fefc5ae9768

commit e8c827b638b54a43e065cd6b3a431fefc5ae9768
Author: chrishtr <chrishtr@chromium.org>
Date: Wed Jan 11 23:17:03 2017

Don't force-update style and layout in Document::scrollingElement

This method has callsites inside of compositing, in which it's illegal to try to update layout and style because compositing comes after. However, it's also pointless to do so from such callsites.

The other call sites are:
  FrameView::scrollBehaviorStyle
  Various scrolling methods in Element.

All of the Element callsites already update style and layout; this CL adds it to the former (which has a very complicated set of ways it can be called, making it very hard to determine if style or layout could be dirty before calling it).

BUG= 679099
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2618323004
Cr-Commit-Position: refs/heads/master@{#443049}

[modify] https://crrev.com/e8c827b638b54a43e065cd6b3a431fefc5ae9768/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/e8c827b638b54a43e065cd6b3a431fefc5ae9768/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/e8c827b638b54a43e065cd6b3a431fefc5ae9768/third_party/WebKit/Source/core/dom/Element.cpp
[modify] https://crrev.com/e8c827b638b54a43e065cd6b3a431fefc5ae9768/third_party/WebKit/Source/core/layout/compositing/CompositedLayerMapping.cpp
ClusterFuzz has detected this issue as fixed in range 455109:455254.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4807145360195584
Fuzzer: libfuzzer_renderer_tree_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x03e900001adb
Crash State:
  blink::Document::updateStyleAndLayoutTree
  blink::Document::scrollingElement
  blink::PaintLayerCompositor::updateIfNeeded
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408165:408299
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=455109:455254
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97a-xl0vELmB65FNY-ndoTBDAYxIBGA57lA0m60xmJ7ts7BHS-IOL-z0VDGHaKafhRkT7Vk3szl7yKqgv66-cPH59CN5mFkh1zSpk3dyiRPDTHicz4HpXENc6ZBYi_LJ9dNCnC62qNgFO99dWSph45HDq7muLUal8u1RA3_xNsTFmPr5492o52nJbp9IbEwvrOL-UuwIoREdnz4WXjnWbzKgD0-BA7XzZDAd5QgQW3-KorCx0WRU2rpHsi1zCZaTlDW-1zJ-jiK0AtDrnsuh6cuS1I4ubr3Qi8ryOwTZciivVC1UoXuNhVIfyGw5NnsEBixIV_pL86_paf3Us13vOb6FFeDwbseZq8DKti-y0pc_MjQlQ0?testcase_id=4807145360195584
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by durga.behera@chromium.org, Jan 9 2017
Labels: Test-Predator-Wrong-CLs M-55
Owner: chrishtr@chromium.org
Status: Assigned (was: Untriaged)