
Issue 709962 link

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug

Crash in blink::VisualRectForDisplayItem

Reported by ClusterFuzz (Project Member), Apr 10 2017

Issue description

Cc: msrchandra@chromium.org
Components: Blink>Paint
Labels: Test-Predator-Correct-CLs M-59
Owner: chrishtr@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: chrishtr
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/256619b40e56be177620efb04b57086b2f6bcbed
Time: Fri Apr 07 01:29:21 2017
Lines 535-544 of file PaintController.cpp, which potentially caused the crash, are changed in this CL (frame #0, "blink::VisualRectForDisplayItem").
Minimum distance from crash line to modified line: 0. (file: PaintController.cpp, crashed on: 535, modified: 535). 

Author: wkorman
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/efeb13b3ba0f7604fe7f61a69d83870d1a5f51fa
Time: Fri Apr 07 04:43:45 2017
Line 3256 of file FrameView.cpp, which potentially caused the crash, is changed in this CL (frame #3, "blink::FrameView::PaintGraphicsLayerRecursively").
Minimum distance from crash line to modified line: 0. (file: FrameView.cpp, crashed on: 3256, modified: 3256).

@chrishtr -- Could you please look into the issue, and kindly re-assign it if it is not related to your changes.
Thank You.
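The Predator comment above reports, for each suspect CL, the minimum distance between the line a crashing frame stopped on and the lines that CL modified, and puts a distance-0 change to the crashing frame first. The block below is an added Python illustration of that ranking heuristic; it is not Predator's own code. It takes the two CLs and the frame locations quoted in the comment as input, adds one constructed CL to show how a change far from the crash line is treated, and omits the intermediate frames (#1, #2) whose file and line are not on the page.

```python
"""Rank candidate culprit CLs for a crash by how close their changed lines are
to the lines of the crashing frames. Illustrative re-implementation of the
heuristic described in the Predator output; not Predator's code. The two real
CLs and frame locations come from the report; the third CL is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    index: int        # 0 is the frame that crashed
    function: str
    file: str
    line: int


@dataclass
class Changelist:
    author: str
    url: str
    # file name -> list of (first, last) modified line ranges, inclusive
    changed: dict = field(default_factory=dict)


def line_distance(line, ranges):
    """Smallest gap between `line` and any modified line; 0 if inside a range."""
    best = None
    for first, last in ranges:
        if first <= line <= last:
            return 0
        gap = first - line if line < first else line - last
        best = gap if best is None else min(best, gap)
    return best


def rank_suspects(frames, cls, max_distance=50):
    """Return (cl, frame, distance) for every CL that touches a crashing file
    within `max_distance` lines, best suspect first. Ties on distance are
    broken by frame depth, so a hit on frame #0 outranks one on frame #3."""
    hits = []
    for cl in cls:
        best = None
        for fr in frames:
            ranges = cl.changed.get(fr.file)
            if not ranges:
                continue
            d = line_distance(fr.line, ranges)
            if d <= max_distance and (best is None or (d, fr.index) < (best[2], best[1].index)):
                best = (cl, fr, d)
        if best is not None:
            hits.append(best)
    hits.sort(key=lambda h: (h[2], h[1].index))
    return hits


def explain(hit):
    """One line in the style of the Predator report."""
    cl, fr, d = hit
    return (f"{cl.author}: {cl.url} -- frame #{fr.index} {fr.function}, "
            f"{fr.file} crashed on {fr.line}, min distance {d}")


# Frames #0 and #3 as cited in the Predator comment; #1 and #2 are not on the page.
FRAMES = [
    Frame(0, "blink::VisualRectForDisplayItem", "PaintController.cpp", 535),
    Frame(3, "blink::FrameView::PaintGraphicsLayerRecursively", "FrameView.cpp", 3256),
]

CLS = [
    Changelist("chrishtr",
               "https://chromium.googlesource.com/chromium/src/+/256619b40e56be177620efb04b57086b2f6bcbed",
               {"PaintController.cpp": [(535, 544)]}),
    Changelist("wkorman",
               "https://chromium.googlesource.com/chromium/src/+/efeb13b3ba0f7604fe7f61a69d83870d1a5f51fa",
               {"FrameView.cpp": [(3256, 3256)]}),
    # Constructed CL: touches the crashing file, but 405 lines away, plus an unrelated file.
    Changelist("example", "https://example.invalid/cl/3",
               {"PaintController.cpp": [(120, 130)], "Unrelated.cpp": [(1, 10)]}),
]

if __name__ == "__main__":
    for hit in rank_suspects(FRAMES, CLS):
        print(explain(hit))
```

With the default 50-line window the constructed CL is dropped and the two real CLs come out in the order the report lists them; widening the window to 1000 lines keeps it, ranked last with distance 405. The real system also weights commit time against the regression range, which this illustration leaves out.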
Labels: BugSource-Chromium PaintTeamTriaged-20170411
Status: Started (was: Assigned)
Issue 709806 has been merged into this issue.
Cc: chrishtr@chromium.org wangxianzhu@chromium.org
Issue 709726 has been merged into this issue.
Comment 6 by ClusterFuzz (Project Member), Apr 11 2017

Labels: OS-Linux
Comment 7 by bugdroid1@chromium.org (Project Member), Apr 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4b7d450be9fdfdc87a50c718053628da03ef243e

commit 4b7d450be9fdfdc87a50c718053628da03ef243e
Author: chrishtr <chrishtr@chromium.org>
Date: Tue Apr 11 22:40:47 2017

Don't allow the composited-alpha folding optimization to cross subsequences.

Otherwise the subsequence indices will become broken.

This worked before https://codereview.chromium.org/2793233002 because the
EndSubsequenceDisplayItem would always get in the way of the DrawingDisplayItem
and its preceding BeginCompositingDisplayItem. Now do the same thing by keeping
track of the last place such an end would have been.

BUG=709962
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2812103002
Cr-Commit-Position: refs/heads/master@{#463810}

[add] https://crrev.com/4b7d450be9fdfdc87a50c718053628da03ef243e/third_party/WebKit/LayoutTests/paint/transparency/compositing-alpha-fold-crash-expected.png
[add] https://crrev.com/4b7d450be9fdfdc87a50c718053628da03ef243e/third_party/WebKit/LayoutTests/paint/transparency/compositing-alpha-fold-crash-expected.txt
[add] https://crrev.com/4b7d450be9fdfdc87a50c718053628da03ef243e/third_party/WebKit/LayoutTests/paint/transparency/compositing-alpha-fold-crash.html
[modify] https://crrev.com/4b7d450be9fdfdc87a50c718053628da03ef243e/third_party/WebKit/Source/platform/graphics/paint/CompositingRecorder.cpp
[modify] https://crrev.com/4b7d450be9fdfdc87a50c718053628da03ef243e/third_party/WebKit/Source/platform/graphics/paint/PaintController.cpp
[modify] https://crrev.com/4b7d450be9fdfdc87a50c718053628da03ef243e/third_party/WebKit/Source/platform/graphics/paint/PaintController.h
[modify] https://crrev.com/4b7d450be9fdfdc87a50c718053628da03ef243e/third_party/WebKit/Source/platform/graphics/paint/PaintControllerTest.cpp

Status: Fixed (was: Started)
Comment 9 by ClusterFuzz (Project Member), Apr 12 2017

ClusterFuzz has detected this issue as fixed in range 463770:463816.

Detailed report: https://clusterfuzz.com/testcase?key=6271522349252608

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::VisualRectForDisplayItem
  blink::PaintController::CommitNewDisplayItems
  blink::GraphicsLayer::Paint
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458746:463137
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=463770:463816

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94EPS-PqV9eEnrCUqqEh5TWQUCZL70KoYiG_wzyEvR5Ff1bFI1wFPs1PTBmMV4e26Yp39IjMNJR6i8G1zxYuTAP-gSMvBAXnJ7H0o843R-0Ju6mrNrAxhIw14wa-NCDg6Zsz1u0kF_CR80kCch-ejvRygoN7mTDcy9F7SBQtGKqEupCkGi3TEq0ZNenGQxHuBZ1b5o2_4daM6eKklaF9w1I9xh0Sh5LVIH12El_5sAyaRRd1a01z-7BrnZ3dXeCeht_QmTJwW55EYjTICCZcKOXiL0d-3Idsr9J7_9E4dMVOUuSsxaow_v7Dl7sg9oHW_3UIPy_UqyTBHvSgfYtMDxFmXGQ8-brHH9v76Kqbgs8HhSP-PmZJ5JmPvcQ37LqgvGibTdW9O5FsstCT2oQwZ9i9mkzdA?testcase_id=6271522349252608


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.