Crash in blink::PaintInvalidator::MapLocalRectToVisualRectInBacking<class blink::LayoutRe
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6072549936201728
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::PaintInvalidator::MapLocalRectToVisualRectInBacking<class blink::LayoutRe
  blink::PaintInvalidatorContext::MapLocalRectToVisualRectInBacking
  blink::ScrollControlVisualRect
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=464127:464479
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv969VmVaz6Pe6HEeffcHE5s0xeiIdPtSDLa-68nGpsO1e_UDeFRaO82cvJlmOw0BETqKQdwyE6P-OEsoXaWHbm4x13U2995jRDnSywmh4Hlw1wNioAI-YG9KWG8PFwOT74JX1iB7BXXwLDVmsGGSzeje3qElzUwqo8tza06KIbjNKxUcAmaGB-RRrDOfEAqlQ2TgIXYixac4xNrOahaXFtgJyZV0TZ_5wxYt-iKMUU0fpObcfbApFfyFVq4exc7Ed0Dfa_zkVgZTLR-mnUpBDNbHum_3AdUVhAEi9pMIcODWzfV1K7Q6_pMSzzgSjw29cM-8jjZPMpcO8dkqCOaXnjsvdBJ3Xt6_Ks1jSFpmafaxhUDSeBM?testcase_id=6072549936201728

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 19 2017
It's not likely to be a rename issue. I'll take a look to see if I can repro.
Apr 19 2017
Confirmed crashes in a non-asan ToT build.

Received signal 11 SEGV_MAPERR 000000000000
#0 0x7f6fc2b6a4a7 base::debug::StackTrace::StackTrace()
#1 0x7f6fc2b6a01f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f6fc2890330 <unknown>
#3 0x7f6fb5c7bb2e blink::PaintInvalidator::MapLocalRectToVisualRectInBacking<>()
#4 0x7f6fb5c7b915 blink::PaintInvalidatorContext::MapLocalRectToVisualRectInBacking()
#5 0x7f6fb5c7b137 blink::PaintInvalidationCapableScrollableArea::InvalidatePaintOfScrollControlsIfNeeded()
#6 0x7f6fb5c5a19b blink::BoxPaintInvalidator::InvalidatePaintIfNeeded()
#7 0x7f6fb5c52a62 blink::BlockPaintInvalidator::InvalidatePaintIfNeeded()
#8 0x7f6fb5a954dd blink::LayoutBlock::InvalidatePaintIfNeeded()
#9 0x7f6fb5c7ccfb blink::PaintInvalidator::InvalidatePaintIfNeeded()
#10 0x7f6fb5ca3a2f blink::PrePaintTreeWalk::Walk()
#11 0x7f6fb5ca41ba blink::PrePaintTreeWalk::Walk()
#12 0x7f6fb5ca41ba blink::PrePaintTreeWalk::Walk()
#13 0x7f6fb5ca41ba blink::PrePaintTreeWalk::Walk()
#14 0x7f6fb5ca3738 blink::PrePaintTreeWalk::Walk()
#15 0x7f6fb5ca34d3 blink::PrePaintTreeWalk::Walk()
#16 0x7f6fb58462d0 blink::FrameView::PrePaint()
#17 0x7f6fb5845285 blink::FrameView::UpdateLifecyclePhasesInternal()
#18 0x7f6fb5c382ca blink::PageAnimator::UpdateAllLifecyclePhases()
#19 0x7f6fbd025bbc blink::WebViewImpl::UpdateAllLifecyclePhases()
#20 0x7f6fc0989aa7 content::RenderWidget::UpdateVisualState()
#21 0x7f6fbf48edb1 cc::ProxyMain::BeginMainFrame()

Hit a DCHECK in Debug, but had to reload several times.

[1:1:0419/170011.737796:FATAL:FindPaintOffsetAndVisualRectNeedingUpdate.h(73)] Check failed: !RuntimeEnabledFeatures::slimmingPaintInvalidationEnabled() || (context.tree_builder_context_ && context.tree_builder_context_->is_actually_needed).
#0 0x7fc05f2192cb base::debug::StackTrace::StackTrace()
#1 0x7fc05f217fcc base::debug::StackTrace::StackTrace()
#2 0x7fc05f28adff logging::LogMessage::~LogMessage()
#3 0x7fc04502a956 blink::FindVisualRectNeedingUpdateScopeBase::FindVisualRectNeedingUpdateScopeBase()
#4 0x7fc04502a336 blink::FindVisualRectNeedingUpdateScope::FindVisualRectNeedingUpdateScope()
#5 0x7fc045b5f6a2 blink::ObjectPaintInvalidatorWithContext::InvalidateSelectionIfNeeded()
#6 0x7fc045b5fa51 blink::ObjectPaintInvalidatorWithContext::InvalidatePaintIfNeededWithComputedReason()
#7 0x7fc045b2b96e blink::BoxPaintInvalidator::InvalidatePaintIfNeeded()
#8 0x7fc045b1763f blink::BlockPaintInvalidator::InvalidatePaintIfNeeded()
#9 0x7fc04576aecd blink::LayoutBlock::InvalidatePaintIfNeeded()
#10 0x7fc045b6c032 blink::PaintInvalidator::InvalidatePaintIfNeeded()
#11 0x7fc045bca16c blink::PrePaintTreeWalk::Walk()
#12 0x7fc045bca23b blink::PrePaintTreeWalk::Walk()
#13 0x7fc045bca23b blink::PrePaintTreeWalk::Walk()
#14 0x7fc045bca23b blink::PrePaintTreeWalk::Walk()
#15 0x7fc045bc9f71 blink::PrePaintTreeWalk::Walk()
#16 0x7fc045bc9dec blink::PrePaintTreeWalk::Walk()
#17 0x7fc04521fbb6 blink::FrameView::PrePaint()
#18 0x7fc04521e52a blink::FrameView::UpdateLifecyclePhasesInternal()
#19 0x7fc04521dc72 blink::FrameView::UpdateAllLifecyclePhases()
#20 0x7fc045ad96bb blink::PageAnimator::UpdateAllLifecyclePhases()
#21 0x7fc04e8321e5 blink::PageWidgetDelegate::UpdateAllLifecyclePhases()
#22 0x7fc04e93e0f4 blink::WebViewImpl::UpdateAllLifecyclePhases()
#23 0x7fc04e934981 blink::WebViewFrameWidget::UpdateAllLifecyclePhases()
#24 0x7fc059b6b53b content::RenderWidget::UpdateVisualState()
#25 0x7fc05999b09a content::RenderWidgetCompositor::UpdateLayerTreeHost()
#26 0x7fc0555664ed cc::LayerTreeHost::RequestMainFrameUpdate()
#27 0x7fc05563907c cc::ProxyMain::BeginMainFrame()

pdr@, related to your crash bug fixes?
Apr 19 2017
I will take a look.
Apr 19 2017
ClusterFuzz has detected this issue as fixed in range 465403:465427.

Detailed report: https://clusterfuzz.com/testcase?key=6072549936201728
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::PaintInvalidator::MapLocalRectToVisualRectInBacking<class blink::LayoutRe
  blink::PaintInvalidatorContext::MapLocalRectToVisualRectInBacking
  blink::ScrollControlVisualRect
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=464127:464479
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=465403:465427
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv969VmVaz6Pe6HEeffcHE5s0xeiIdPtSDLa-68nGpsO1e_UDeFRaO82cvJlmOw0BETqKQdwyE6P-OEsoXaWHbm4x13U2995jRDnSywmh4Hlw1wNioAI-YG9KWG8PFwOT74JX1iB7BXXwLDVmsGGSzeje3qElzUwqo8tza06KIbjNKxUcAmaGB-RRrDOfEAqlQ2TgIXYixac4xNrOahaXFtgJyZV0TZ_5wxYt-iKMUU0fpObcfbApFfyFVq4exc7Ed0Dfa_zkVgZTLR-mnUpBDNbHum_3AdUVhAEi9pMIcODWzfV1K7Q6_pMSzzgSjw29cM-8jjZPMpcO8dkqCOaXnjsvdBJ3Xt6_Ks1jSFpmafaxhUDSeBM?testcase_id=6072549936201728

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by msrchandra@chromium.org, Apr 19 2017
Components: Blink>Paint
Labels: M-60 Test-Predator-Wrong
Owner: dcheng@chromium.org
Status: Assigned (was: Untriaged)