CHECK failure: ShelfButton::kViewClassName == view->GetClassName() in shelf_view.cc |
||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4885263756296192 Fuzzer: inferno_twister_custom_bundle Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: ShelfButton::kViewClassName == view->GetClassName() in shelf_view.cc ash::ShelfView::GetIdealBoundsOfItemIcon ash::ShelfWidget::GetScreenBoundsOfItemIconForWindow Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=408444:408557 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97hyQVrcKGtKg7EdzCO-qwDB7FpRYh6BNb2QEJ7x6A8-Tj8vje2HP6e76GCq33up3UAihCiN6isNaA2K3ZFRzf1ifqlIlQR9Be9y4Nkv04mYfregvyxxgN--cViOnF5MyTa7tLyXPG8l3Z_wkzJJRf7NBoTCA89xL6OMxVatUqLn2zU19lSGpASwmsdRruOhVWo3L6R69yBrxxpKDZHNNmr4z1a-u83hKU0ZFhNgOqLxx6BxS5yBft1xgReuXkAqyP_BotIXAP_uCS_Txv-pZWFyaH3odV4IHjgeEqA963V2iS-N9y9JQvagWHZKOTZVTe-RYS2mEr02iKEREEywCr2F3cuhYXY1rkkG106ObrtY4G7ODRla4gI3BuaVRR7O7tZnaY2QHiyLzxOTaBN5HwVZdQ2Bg?testcase_id=4885263756296192 Additional requirements: Requires Gestures Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 3 2017
over to bruthig@ (r408532 is a revert I did while sheriffing).
,
Apr 3 2017
msw, maybe related to shelf model changes? Lots of model access near here: https://cs.chromium.org/chromium/src/ash/common/shelf/shelf_view.cc?type=cs&q=GetIdealBoundsOfItemIcon&sq=package:chromium&l=336 Another possibility is that it's related to async shelf creation because clusterfuzz spams lots of events early after signin. bruthig's out this week, so if you think it might be model related feel free to take it.
,
Apr 4 2017
Hmm, perhaps it's unexpectedly hitting the app list button (that's an ImageButton subclass, and seems to be the only other view besides ShelfButton that is added as a child to ShelfView). But, if it is the app list button, why is it going through ash::FrameCaptionButtonContainerView::ButtonPressed (it shouldn't have a frame with caption buttons)? This raises many questions: (1) What really changed to trigger this (bruthig's CL doesn't seem obviously at fault)? (2) Is it reproducible (clusterfuzz says no)? (3) What previously prevented calling GetIdealBoundsOfItemIcon with the app list button's ShelfID? (4) Why doesn't ShelfView::GetIdealBoundsOfItemIcon handle the app list button? (5) Why isn't the AppListButton just an instance of ShelfButton (or a ShelfButton subclass) James, you fixed (related?) Issue 679513, but it looks like there are still many M57 crashes; reports: https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27ash%3A%3AShelfView%3A%3AGetIdealBoundsOfItemIcon%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports I can try to speculatively make GetIdealBoundsOfItemIcon not crash on the app list button...
,
Apr 4 2017
Re: M57 crashes. I was worried when I first looked, but M57 stable is on 57.0.2987.137 (so it should have a lot of users) and the big spike of crashes was on an earlier version. See https://omahaproxy.appspot.com/ - so I think my CL at least fixed the crash it was supposed to. (Did I miss something?) However, I still see 3 crash reports with similar stacks in M57, so I wonder if there's another similar code path. There were just instructions posted to chromium-dev about local repros of clusterfuzz crashes.
,
Apr 4 2017
It looks like the crash happens when clicking the minimize button on the window frame, when the code tries to figure out the target rect for the minimize animation. This explains FrameCaptionButtonContainerView::ButtonPressed on the stack. I suspect app list button gets into the view because of index adjustment in line 331-332 [1]. Clusterfuzz tends to run things fast. If somehow, the code runs here before |last_visible_index_| is properly updated to some value other than -1. The condition would stand and |index| is changed to 0 and we get AppListButton. [1]: https://cs.chromium.org/chromium/src/ash/common/shelf/shelf_view.cc?rcl=4ce6642bf40d6df1bd5a827286d1e58887c5012d&l=331-332
,
Apr 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5638001af068337b354a2d43d65b25ae3638ace2 commit 5638001af068337b354a2d43d65b25ae3638ace2 Author: msw <msw@chromium.org> Date: Mon Apr 24 21:36:38 2017 ash: Return empty shelf icon bounds before initialization. Bail GetIdealBoundsOfItemIcon before |last_visible_index_| init. (avoid using button bounds before they are calculated) This is a simple workaround for a failing clusterfuzz check. The test case is not reproducible, and unlikely to be hit manually. There's little reason to seek a more comprehensive fix for now. TODO: Merge AppListButton and ShelfButton (or use inheritance). BUG= 707165 TEST=No failed button CHECK via clusterfuzz. (Not reproducible) R=xiyuan@chromium.org Review-Url: https://codereview.chromium.org/2843623002 Cr-Commit-Position: refs/heads/master@{#466776} [modify] https://crrev.com/5638001af068337b354a2d43d65b25ae3638ace2/ash/shelf/shelf_view.cc
,
Apr 24 2017
I'm marking this fixed, hopefully the fuzzer will catch any lingering issues. I also filed Issue 714781 "Ash Shelf: Merge AppListButton and ShelfButton classes" |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by msrchandra@chromium.org
, Mar 31 2017Labels: Test-Predator-Wrong M-59
Owner: tapted@chromium.org
Status: Assigned (was: Untriaged)