Issue 713010 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	----
Closed:	Sep 11
Cc:	█ claudiomagni@chromium.org
Components:	Blink>Animation
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	3
Type:	Bug
Stability-Crash Update-Weekly

Blocked on:
issue 706281

AnimationSimTest.CustomPropertyBaseComputedStyle crashes under UBSan

Project Member Reported by meade@chromium.org, Apr 19 2017

Issue description

Steps to repro:

1. Build with UBSan (http://www.chromium.org/developers/testing/undefinedbehaviorsanitizer)
e.g. $ ninja -C out/ubsan -j 1000 webkit_unit_tests
2. out/ubsan/webkit_unit_tests --gtest_filter=*CustomPropertyBaseComputedStyle*

[ RUN      ] AnimationSimTest.CustomPropertyBaseComputedStyle
../../third_party/WebKit/Source/platform/wtf/RefPtr.h:79:33: runtime error: reference binding to null pointer of type 'blink::TimingFunction'
    #0 0x2fda6ef  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x2fda6ef)
    #1 0x2fe763b  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x2fe763b)
    #2 0x2fedcac  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x2fedcac)
    #3 0x2fed309  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x2fed309)
    #4 0x2ff22b9  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x2ff22b9)
    #5 0x2fd11cb  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x2fd11cb)
    #6 0x2fcbcdd  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x2fcbcdd)
    #7 0x2fd4e3d  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x2fd4e3d)
    #8 0x3a1a215  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x3a1a215)
    #9 0x1d8839b  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x1d8839b)
    #10 0x7d62f3  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x7d62f3)
    #11 0x51b243  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x51b243)
    #12 0x1eed2f5  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x1eed2f5)
    #13 0x1eee212  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x1eee212)
    #14 0x1eeefaa  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x1eeefaa)
    #15 0x1ef685a  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x1ef685a)
    #16 0x1ef6174  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x1ef6174)
    #17 0x1ead541  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x1ead541)
    #18 0x5d20ce  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x5d20ce)
    #19 0x5d2647  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x5d2647)
    #20 0x1eaf859  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x1eaf859)
    #21 0x1eaf6e6  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x1eaf6e6)
    #22 0x5d2061  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x5d2061)
    #23 0x7fa146696f44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #24 0x4c2bff  (/usr/local/google/src/chrome/src/out/ubsan/webkit_unit_tests+0x4c2bff)

Received signal 11 SEGV_MAPERR 000000000008
#0 0x000001dd6817 base::debug::StackTrace::StackTrace()
#1 0x000001dd60bb base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fa146c63330 <unknown>
#3 0x000002fe7643 blink::InterpolationEffect::AddInterpolationsFromKeyframes()
#4 0x000002fedcad blink::KeyframeEffectModelBase::EnsureInterpolationEffectPopulated()
#5 0x000002fed30a blink::KeyframeEffectModelBase::Sample()
#6 0x000002ff22ba blink::KeyframeEffectReadOnly::ApplyEffects()
#7 0x000002fd11cc blink::AnimationEffectReadOnly::UpdateInheritedTime()
#8 0x000002fcbcde blink::Animation::Update()
#9 0x000002fd4e3e blink::AnimationTimeline::ServiceAnimations()
#10 0x000003a1a216 blink::PageAnimator::ServiceScriptedAnimations()
#11 0x000001d8839c blink::WebViewImpl::BeginFrame()
#12 0x0000007d62f4 blink::SimCompositor::BeginFrame()
#13 0x00000051b244 blink::AnimationSimTest_CustomPropertyBaseComputedStyle_Test::TestBody()
#14 0x000001eed2f6 testing::Test::Run()
#15 0x000001eee213 testing::TestInfo::Run()
#16 0x000001eeefab testing::TestCase::Run()
#17 0x000001ef685b testing::internal::UnitTestImpl::RunAllTests()
#18 0x000001ef6175 testing::UnitTest::Run()
#19 0x000001ead542 base::TestSuite::Run()
#20 0x0000005d20cf (anonymous namespace)::runHelper()
#21 0x0000005d2648 _ZN4base8internal7InvokerINS0_9BindStateIPFiPNS_9TestSuiteEEJNS0_17UnretainedWrapperIS3_EEEEEFivEE7RunImplIRKS6_RKNSt3__15tupleIJS8_EEEJLm0EEEEiOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#22 0x000001eaf85a base::(anonymous namespace)::LaunchUnitTestsInternal()
#23 0x000001eaf6e7 base::LaunchUnitTests()
#24 0x0000005d2062 main
#25 0x7fa146696f45 __libc_start_main
#26 0x0000004c2c00 <unknown>
  r8: 6a6cb03abcebc041  r9: 0000000000000005 r10: 00000000049f1b68 r11: 0000000000000206
 r12: 000025473b4c8ac0 r13: 000025473b4c8a80 r14: 0000000000000001 r15: 00002bbf2e564f78
  di: 0000000000002000  si: 0000000000000000  bp: 00007fffc4d3bb70  bx: 0000000000000000
  dx: 0000000000000001  ax: 0000000000000000  cx: 00000000004ca4f7  sp: 00007fffc4d3bb20
  ip: 0000000002fe7643 efl: 0000000000010202 cgf: 0000000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000008
[end of stack trace]
Calling _exit(1). Core file will not be generated.
[5696/5696] AnimationSimTest.CustomPropertyBaseComputedStyle (CRASHED)

Comment 1 by meade@chromium.org, Apr 20 2017

Components: Blink>Animation

Comment 2 by claudiomagni@chromium.org, Apr 20 2017

Owner: claudiomagni@chromium.org
Status: Assigned (was: Untriaged)

Comment 3 by bugsnash@chromium.org, Apr 21 2017

Labels: Stability-Crash

Comment 4 by bugsnash@chromium.org, Apr 21 2017

Labels: Update-Weekly

Comment 5 by suzyh@chromium.org, Jun 13 2017

Cc: -suzyh@chromium.org

Comment 6 by claudiomagni@chromium.org, Jan 29 2018

Cc: claudiomagni@chromium.org
Owner: ----
Status: Available (was: Assigned)

Comment 7 by majidvp@chromium.org, Jan 30 2018

Blockedon: 706281

Comment 8 by smcgruer@chromium.org, Sep 11

Status: WontFix (was: Available)

This no longer reproduces.

smcgruer@stiglet2:~/chromium/src$ cat out/ubsan/args.gn 
# Build arguments go here.
# See "gn args <out_dir> --list" for available build arguments.
is_ubsan = true
is_debug = false

$ autoninja -C out/ubsan/ webkit_unit_tests
ninja -C out/ubsan/ webkit_unit_tests -l 48
ninja: Entering directory `out/ubsan/'
[8894/24906] ACTION //third_party/perfetto/protos/perfetto/config:config_gen(//build/toolchain/linux:clang_x64)
../../third_party/protobuf/src/google/protobuf/compiler/cpp/cpp_message.cc:3348:68: runtime error: signed integer overflow: 536870911 * 8 cannot be represented in type 'int'
    #0 0x485c5a  (/usr/local/google/home/smcgruer/chromium/src/out/ubsan/protoc+0x485c5a)
    #1 0x47f619  (/usr/local/google/home/smcgruer/chromium/src/out/ubsan/protoc+0x47f619)
    #2 0x4513be  (/usr/local/google/home/smcgruer/chromium/src/out/ubsan/protoc+0x4513be)
    #3 0x445373  (/usr/local/google/home/smcgruer/chromium/src/out/ubsan/protoc+0x445373)
    #4 0x41a675  (/usr/local/google/home/smcgruer/chromium/src/out/ubsan/protoc+0x41a675)
    #5 0x428079  (/usr/local/google/home/smcgruer/chromium/src/out/ubsan/protoc+0x428079)
    #6 0x422a60  (/usr/local/google/home/smcgruer/chromium/src/out/ubsan/protoc+0x422a60)
    #7 0x3ad462  (/usr/local/google/home/smcgruer/chromium/src/out/ubsan/protoc+0x3ad462)
    #8 0x7f491e30f2b0  (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #9 0x391029  (/usr/local/google/home/smcgruer/chromium/src/out/ubsan/protoc+0x391029)

[24906/24906] LINK ./webkit_unit_tests

smcgruer@stiglet2:~/chromium/src$ out/ubsan/webkit_unit_tests --gtest_filter=*CustomPropertyBaseComputedStyle*
IMPORTANT DEBUGGING NOTE: batches of tests are run inside their
own process. For debugging a test inside a debugger, use the
--gtest_filter=<your_test_name> flag along with
--single-process-tests.
Using sharding settings from environment. This is shard 0/1
Using 1 parallel jobs.
Note: Google Test filter = AnimationSimTest.CustomPropertyBaseComputedStyle
[==========] Running 1 test from 1 test case.
[----------] Global test environment set-up.
[----------] 1 test from AnimationSimTest
[ RUN      ] AnimationSimTest.CustomPropertyBaseComputedStyle
[       OK ] AnimationSimTest.CustomPropertyBaseComputedStyle (15 ms)
[----------] 1 test from AnimationSimTest (15 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (15 ms total)
[  PASSED  ] 1 test.
[1/1] AnimationSimTest.CustomPropertyBaseComputedStyle (15 ms)
SUCCESS: all tests passed.
Tests took 0 seconds.

►

Issue 713010 link

Issue metadata

AnimationSimTest.CustomPropertyBaseComputedStyle crashes under UBSan

Issue description

Comment 1 by meade@chromium.org, Apr 20 2017

Comment 1 Deleted

Comment 2 by claudiomagni@chromium.org, Apr 20 2017

Comment 2 Deleted

Comment 3 by bugsnash@chromium.org, Apr 21 2017

Comment 3 Deleted

Comment 4 by bugsnash@chromium.org, Apr 21 2017

Comment 4 Deleted

Comment 5 by suzyh@chromium.org, Jun 13 2017

Comment 5 Deleted

Comment 6 by claudiomagni@chromium.org, Jan 29 2018

Comment 6 Deleted

Comment 7 by majidvp@chromium.org, Jan 30 2018

Comment 7 Deleted

Comment 8 by smcgruer@chromium.org, Sep 11

Comment 8 Deleted

Sign in to add a comment