
Issue 713332

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows , Mac
Pri: 1
Type: Bug




Crash in cc::ListContainerHelper::Allocate

Reported by ClusterFuzz (Project Member), Apr 19 2017

Issue description

Components: Internals>Compositing
Labels: M-60 Test-Predator-Wrong
Owner: sunxd@chromium.org
Status: Assigned (was: Untriaged)
Through code search on file render_surface_impl.cc, suspected CL is
https://chromium.googlesource.com/chromium/src/+/bb0b3ae9224e1883dd491b6b6810b6bfe0da8480%5E%21/cc/layers/render_surface_impl.cc

Comment 2 by sunxd@chromium.org, Apr 20 2017

The crash still happens after I revert to the commit before my CL. I have tested the current stable version and the canary version; it broke between (58.0.3029.81) dbbd95bace5f6a49951a5af485e009da9f20c763 and (60.0.3076.2) 7d214605ac31d0af2a5fa5438079272ffc098b38.

Comment 3 by sunxd@chromium.org, Apr 20 2017

Owner: jaydasika@chromium.org
I manually bisected and found this CL: https://chromium.googlesource.com/chromium/src/+/1553a14bd799b2dd09bebeeeda934379318eaf7e

jaydasika@, can you take a look at this bug?
Cc: ajuma@chromium.org weiliangc@chromium.org enne@chromium.org
This is another bad floating point case. The crash is because a render surface (created by a fixed pos element) is trying to draw into a target that itself is not drawn. Before my CL, we were lucky that the render surface ended up with an empty content rect and was getting dropped before it tried to draw into a non-existent target.

The fixed pos element's render surface doesn't get skipped, but the target it draws into is skipped because of a singular transform. This should actually not happen, as the transform between a fixed pos's transform node and its target's transform node should be at most a translation. But I have logged it and it's not the case for this page:

[ +0.0000 +0.0000 +0.0000 +29.0000  
  +0.0000 -1.0000 +0.0000 +67108856.0000  
  +0.0000 +0.0000 +1.0000 +0.0000  
  +0.0000 +0.0000 +0.0000 +1.0000 ]
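
The two properties the comment above appeals to, checked against the logged matrix as an added example (this is not Chromium's cc code): a transform is singular when the upper-left 3x3 block of the 4x4 matrix has zero determinant, and it is "at most translation" when that block is the identity and only the last column varies. The Transform4 type and the function names are assumptions made for this example.

```cpp
#include <array>
#include <cmath>

// Hypothetical row-major 4x4 matrix type (not cc's own transform class).
using Transform4 = std::array<std::array<double, 4>, 4>;

// The matrix logged in the comment above, copied from the page's values.
const Transform4 kLoggedTransform = {{
    {{0.0, 0.0, 0.0, 29.0}},
    {{0.0, -1.0, 0.0, 67108856.0}},
    {{0.0, 0.0, 1.0, 0.0}},
    {{0.0, 0.0, 0.0, 1.0}},
}};

// Builds a pure 2D translation for comparison (identity plus offset column).
Transform4 Translation(double dx, double dy) {
  return {{{{1.0, 0.0, 0.0, dx}},
           {{0.0, 1.0, 0.0, dy}},
           {{0.0, 0.0, 1.0, 0.0}},
           {{0.0, 0.0, 0.0, 1.0}}}};
}

// Determinant of the upper-left 3x3 block. Zero means the transform collapses
// space onto a lower dimension and cannot be inverted: a "singular transform".
double Determinant3x3(const Transform4& m) {
  return m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
       - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
       + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]);
}

bool IsSingular(const Transform4& m, double eps = 1e-12) {
  return std::fabs(Determinant3x3(m)) < eps;
}

// "At most translation": the 3x3 block is the identity and the bottom row is
// (0 0 0 1), so the only free entries are the translation column.
bool IsAtMostTranslation(const Transform4& m, double eps = 1e-12) {
  for (int r = 0; r < 3; ++r)
    for (int c = 0; c < 3; ++c)
      if (std::fabs(m[r][c] - (r == c ? 1.0 : 0.0)) > eps) return false;
  for (int c = 0; c < 3; ++c)
    if (std::fabs(m[3][c]) > eps) return false;
  return std::fabs(m[3][3] - 1.0) < eps;
}
```

The logged matrix has an all-zero first row in its 3x3 block, so it is singular and is not a translation, which is the mismatch the comment describes.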
    
Cc: msrchandra@chromium.org sunxd@chromium.org jaydasika@chromium.org
Issue 714431 has been merged into this issue.
Comment 6 by ClusterFuzz (Project Member), Apr 24 2017

Labels: OS-Mac
Comment 7 by ClusterFuzz (Project Member), Apr 29 2017

ClusterFuzz has detected this issue as fixed in range 468145:468195.

Detailed report: https://clusterfuzz.com/testcase?key=5227755907317760

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x000000ec
Crash State:
  cc::ListContainerHelper::Allocate
  cc::RenderPass::CreateAndAppendSharedQuadState
  cc::RenderSurfaceImpl::AppendQuads
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=464127:464504
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=468145:468195

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5227755907317760


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by ClusterFuzz (Project Member), Apr 29 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5227755907317760 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
