Issue 680497 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	█ alexclarke@chromium.org Last visit > 30 days ago
Closed:	Jan 2017
Components:	Platform>DevTools>Platform
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	2
Type:	Bug
Proj-Headless

CSS.getLayoutTreeAndStyles crashes on some pages

Project Member Reported by alexclarke@chromium.org, Jan 12 2017

Issue description

E.g. this crash for http://baodatviet.vn/quoc-phong/

Received signal 11 SEGV_MAPERR 000000000270
#0 0x7f44bbb712ae base::debug::StackTrace::StackTrace()
#1 0x7f44bbb70def base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f44bbfde330 <unknown>
#3 0x7f44a7a95a1c WTF::RefPtr<>::operator bool()
#4 0x7f44a8046a95 blink::Document::view()
#5 0x7f44a8044ce9 blink::Document::updateStyleAndLayoutTree()
#6 0x7f44a88f39ec blink::InspectorCSSAgent::visitLayoutTreeNodes()
#7 0x7f44a88f3a14 blink::InspectorCSSAgent::visitLayoutTreeNodes()
#8 0x7f44a88f3a14 blink::InspectorCSSAgent::visitLayoutTreeNodes()
#9 0x7f44a88f38b5 blink::InspectorCSSAgent::getLayoutTreeAndStyles()
#10 0x7f44a88f3e9b blink::InspectorCSSAgent::getLayoutTreeAndStyles()
#11 0x7f44a958a605 blink::protocol::CSS::DispatcherImpl::getLayoutTreeAndStyles()
#12 0x7f44a9584ed5 blink::protocol::CSS::DispatcherImpl::dispatch()
#13 0x7f44a964ecd2 blink::protocol::UberDispatcher::dispatch()
#14 0x7f44a89c5d8d blink::InspectorSession::dispatchProtocolMessage()
#15 0x7f44ab911610 blink::WebDevToolsAgentImpl::dispatchMessageFromFrontend()
#16 0x7f44ab91149e blink::WebDevToolsAgentImpl::dispatchOnInspectorBackend()
#17 0x7f44b8007f1f content::DevToolsAgent::OnDispatchOnInspectorBackend()
#18 0x7f44b6459a98 _ZN4base20DispatchToMethodImplIPN7content25SharedWorkerDevToolsAgentEMS2_FviiRKSsS5_ERKSt5tupleIJiiSsSsEEJLm0ELm1ELm2ELm3EEEEvRKT_T0_OT1_NS_13IndexSequenceIJXspT2_EEEE
#19 0x7f44b64599a0 _ZN4base16DispatchToMethodIPN7content25SharedWorkerDevToolsAgentEMS2_FviiRKSsS5_ERKSt5tupleIJiiSsSsEEEEvRKT_T0_OT1_
#20 0x7f44b800cc3f _ZN3IPC16DispatchToMethodIN7content13DevToolsAgentEMS2_FviiRKSsS4_EvSt5tupleIJiiSsSsEEEEvPT_T0_PT1_RKT2_
#21 0x7f44b800a43f _ZN3IPC8MessageTI48DevToolsAgentMsg_DispatchOnInspectorBackend_MetaSt5tupleIJiiSsSsEEvE8DispatchIN7content13DevToolsAgentES7_vMS7_FviiRKSsS9_EEEbPKNS_7MessageEPT_PT0_PT1_T2_
#22 0x7f44b8007901 content::DevToolsAgent::OnMessageReceived()
#23 0x7f44b81505b2 content::RenderFrameImpl::OnMessageReceived()
#24 0x7f44b4487a0b IPC::MessageRouter::RouteMessage()
#25 0x7f44b631ec78 content::ChildThreadImpl::ChildThreadMessageRouter::RouteMessage()
#26 0x7f44b448798e IPC::MessageRouter::OnMessageReceived()
#27 0x7f44b6323231 content::ChildThreadImpl::OnMessageReceived()
#28 0x7f44b442cbe8 IPC::ChannelProxy::Context::OnDispatchMessage()
#29 0x7f44b443372f _ZN4base8internal13FunctorTraitsIMN3IPC12ChannelProxy7ContextEFvRKNS2_7MessageEEvE6InvokeIRK13scoped_refptrIS4_EJS7_EEEvS9_OT_DpOT0_
#30 0x7f44b4433616 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN3IPC12ChannelProxy7ContextEFvRKNS4_7MessageEEJRK13scoped_refptrIS6_ES9_EEEvOT_DpOT0_
#31 0x7f44b44335a3 _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvRKNS3_7MessageEEJ13scoped_refptrIS5_ES6_EEEFvvEE7RunImplIRKSA_RKSt5tupleIJSC_S6_EEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#32 0x7f44b44334bc _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvRKNS3_7MessageEEJ13scoped_refptrIS5_ES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#33 0x7f44bbb770e1 _ZNO4base8internal8RunMixinINS_8CallbackIFvvELNS0_8CopyModeE0ELNS0_10RepeatModeE0EEEE3RunEv
#34 0x7f44bbb76ab2 base::debug::TaskAnnotator::RunTask()
#35 0x7f44ac1f60aa blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#36 0x7f44ac1f3ad1 blink::scheduler::TaskQueueManager::DoWork()
#37 0x7f44ac1fc56c _ZN4base8internal13FunctorTraitsIMN5blink9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEvE6InvokeIRKNS_7WeakPtrIS4_EEJRKS5_RKbEEEvS7_OT_DpOT0_
#38 0x7f44ac1fc444 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbERKNS_7WeakPtrIS6_EEJRKS7_RKbEEEvOT_OT0_DpOT1_
#39 0x7f44ac1fc3a4 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEJNS_7WeakPtrIS5_EES6_bEEEFvvEE7RunImplIRKS8_RKSt5tupleIJSA_S6_bEEJLm0ELm1ELm2EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#40 0x7f44ac1fc27c _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEJNS_7WeakPtrIS5_EES6_bEEEFvvEE3RunEPNS0_13BindStateBaseE
#41 0x7f44bbb770e1 _ZNO4base8internal8RunMixinINS_8CallbackIFvvELNS0_8CopyModeE0ELNS0_10RepeatModeE0EEEE3RunEv
#42 0x7f44bbb76ab2 base::debug::TaskAnnotator::RunTask()
#43 0x7f44bbc082ea base::MessageLoop::RunTask()
#44 0x7f44bbc08574 base::MessageLoop::DeferOrRunPendingTask()
#45 0x7f44bbc0885e base::MessageLoop::DoWork()
#46 0x7f44bbc20053 base::MessagePumpDefault::Run()
#47 0x7f44bbc07e6a base::MessageLoop::RunHandler()
#48 0x7f44bbcb48c2 base::RunLoop::Run()
#49 0x7f44b8251132 content::RendererMain()
#50 0x7f44b865e9ee content::RunZygote()
#51 0x7f44b865eda0 content::RunNamedProcessTypeMain()
#52 0x7f44b866105b content::ContentMainRunnerImpl::Run()
#53 0x7f44b865e092 content::ContentMain()
#54 0x000000553d17 headless::(anonymous namespace)::RunContentMain()
#55 0x000000553b12 headless::RunChildProcessIfNeeded()
#56 0x00000046f517 headless::HeadlessShellMain()
#57 0x0000004207d2 main
#58 0x7f44b331df45 __libc_start_main
#59 0x0000004206e9 <unknown>
  r8: 00007ffcd5dce2f0  r9: 00007ffcd5dce4a0 r10: 00007ffcd5dce4c0 r11: 0000000000000202
 r12: 00000000004206c0 r13: 00007ffcd5dd88b0 r14: 0000000000000000 r15: 0000000000000000
  di: 0000000000000270  si: 0aba2e289acdd800  bp: 00007ffcd5dce490  bx: 0000000000000000
  dx: 0000000000000001  ax: 0000000000000270  cx: ffffffffffffff01  sp: 00007ffcd5dce490
  ip: 00007f44a7a95a1c efl: 0000000000010202 cgf: 95aa000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000270
[end of stack trace]

It shouldn't crash :)

Comment 1 by alexclarke@chromium.org, Jan 12 2017

It looks like the contentDocument obtained on line 2370 by InspectorCSSAgent::visitLayoutTreeNodes is null.

Project Member

Comment 2 by bugdroid1@chromium.org, Jan 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cc53e06971c8c55c85642a44fd350ebc092a5e8c

commit cc53e06971c8c55c85642a44fd350ebc092a5e8c
Author: alexclarke <alexclarke@chromium.org>
Date: Fri Jan 13 07:23:55 2017

Fix crash in CSS.getLayoutTreeAndStyles

For pages where there was a FrameOwnerElement with a null
ContentDocument CSS.getLayoutTreeAndStyles would crash.  This patch
fixes that.

BUG= 680497 ,  546953 

Review-Url: https://codereview.chromium.org/2623273006
Cr-Commit-Position: refs/heads/master@{#443513}

[modify] https://crrev.com/cc53e06971c8c55c85642a44fd350ebc092a5e8c/third_party/WebKit/Source/core/inspector/InspectorCSSAgent.cpp

Comment 3 by alexclarke@chromium.org, Jan 13 2017

Status: Fixed (was: Assigned)

►

Issue 680497 link

Issue metadata

CSS.getLayoutTreeAndStyles crashes on some pages

Issue description

Comment 1 by alexclarke@chromium.org, Jan 12 2017

Comment 1 Deleted

Comment 2 by bugdroid1@chromium.org, Jan 13 2017

Comment 2 Deleted

Comment 3 by alexclarke@chromium.org, Jan 13 2017

Comment 3 Deleted

Sign in to add a comment