New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 713503 link

Starred by 2 users
Status: Verified
Owner:
wangxianzhu@chromium.org
Closed: Apr 2017
Cc:
pdr@chromium.org
joelhockey@chromium.org
wangxianzhu@chromium.org
msrchandra@chromium.org
vmp...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows , All
Pri: 1
Type: Bug



Sign in to add a comment

Crash in blink::PrePaintTreeWalk::Walk

Project Member Reported by ClusterFuzz, Apr 20 2017

Comment 1 by msrchandra@chromium.org, Apr 20 2017

Cc: msrchandra@chromium.org
Components: Blink>Paint
Labels: M-60 Test-Predator-Correct-CLs
Owner: joelhockey@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: joelhockey
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/5d84a680108877c6a9c526b3e0711913a85245e5
Time: Thu Apr 13 06:51:09 2017
Lines 303 of file PrePaintTreeWalk.cpp which potentially caused crash are changed in this cl (frame #3, "blink::PrePaintTreeWalk::Walk"; frame #4, "blink::PrePaintTreeWalk::Walk"; frame #5, "blink::PrePaintTreeWalk::Walk"; frame #6, "blink::PrePaintTreeWalk::Walk").
Minimum distance from crash line to modified line: 0. (file: PrePaintTreeWalk.cpp, crashed on: 303, modified: 303).

@joelhockey -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by schenney@chromium.org, Apr 20 2017

Cc: pdr@chromium.org wangxianzhu@chromium.org
Labels: PaintTeamTriaged-20170420 BugSource-Chromium

Comment 3 by wangxianzhu@chromium.org, Apr 20 2017

Cc: joelhockey@chromium.org
Owner: wangxianzhu@chromium.org
This is mine. Might have been fixed.

Comment 4 by wangxianzhu@chromium.org, Apr 20 2017 

Issue 712985 has been merged into this issue.

Comment 5 by wangxianzhu@chromium.org, Apr 20 2017

Labels: -M-60 ReleaseBlock-Stable M-59

Comment 6 by wangxianzhu@chromium.org, Apr 20 2017 

This is not fixed. Manually reduced test case:
crash-walk.html
254 bytes View Download

Comment 7 by wangxianzhu@chromium.org, Apr 20 2017

Labels: OS-All

Comment 9 by wangxianzhu@chromium.org, Apr 21 2017

Labels: Merge-Request-59
Project Member

Comment 10 by ClusterFuzz, Apr 21 2017 

ClusterFuzz has detected this issue as fixed in range 466183:466203.

Detailed report: https://clusterfuzz.com/testcase?key=5415251999981568

Fuzzer: miaubiz_svg_fuzzer
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::PrePaintTreeWalk::Walk
  blink::PrePaintTreeWalk::Walk
  blink::PrePaintTreeWalk::Walk
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=464127:464504
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=466183:466203

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94a-eLZC6-bBxamjyQwlLoWyz_ANi1GuzbmcZJpnVsHi3c-XE50KWTfT1p-x2wapAMNs6bTyotnwMlzPDNJ-mgw3nCCgfRHv18RkKt5-cB38DJ7aLXvhUQFkqy_llV5vAbTmZDn1DgluUjMSm4S6Kqng05TLhRQIEpY1GKauERap5GOshbcuEPhct8VoNwr26SjwYu3GLNn8XeaypoJvEbKOe_l_ru0at6aNeeyEGddZ_rAK673jIS4JbX6b8R01UdB3IH5q4S-bf-8qqM_j1oCKrBsXtmh_3rf0p-euy2m5Rk7MNu-oq-5t8675F7twBYfKLeHjWiQXqKSBBensGSzhl3KK2Kuj_dC0yVJCRHTUWzd1Rk?testcase_id=5415251999981568


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 11 by ClusterFuzz, Apr 21 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5415251999981568 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 12 by sheriffbot@chromium.org, Apr 22 2017

Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 13 by bugdroid1@chromium.org, Apr 22 2017

Labels: -merge-approved-59 merge-merged-3071
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0fc7773682fc99248d9ae044ffbde6aafd7f25ec

commit 0fc7773682fc99248d9ae044ffbde6aafd7f25ec
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Sat Apr 22 03:43:40 2017

Fix LayoutObject::SetSubtreeNeedsPaintPropertyUpdate() to set ancestor flags

BUG= 713503 

Review-Url: https://codereview.chromium.org/2831203002
Cr-Commit-Position: refs/heads/master@{#466194}
TBR=wangxianzhu@chromium.org
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2839463002
Cr-Commit-Position: refs/branch-heads/3071@{#142}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/0fc7773682fc99248d9ae044ffbde6aafd7f25ec/third_party/WebKit/Source/core/dom/DocumentLifecycle.cpp
[modify] https://crrev.com/0fc7773682fc99248d9ae044ffbde6aafd7f25ec/third_party/WebKit/Source/core/layout/LayoutObject.h
[modify] https://crrev.com/0fc7773682fc99248d9ae044ffbde6aafd7f25ec/third_party/WebKit/Source/core/layout/LayoutObjectTest.cpp

Sign in to add a comment