CHECK failure: !NeedsCellRecalc() in LayoutTableSection.cpp |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5530685761912832 Fuzzer: inferno_twister Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !NeedsCellRecalc() in LayoutTableSection.cpp Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=458202:458266 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5530685761912832 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 21 2017
,
Aug 22 2017
,
Sep 26 2017
foolip@, can you take a look at the slightly reduced attached testcase? It flakily crashes. When it crashes, the first call to LayoutBox::MarkOrthogonalWritingModeRoot() comes in eventual response to Fullscreen::FullscreenElementChanged() here: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/fullscreen/Fullscreen.cpp?type=cs&sq=package:chromium&l=913 When it doesn't crash, the first call to LayoutBox::MarkOrthogonalWritingModeRoot() comes in eventual response to Document::FinishedParsing(). Ideas on how to eliminate this race? Or because the repro uses eventSender to start the race between fullscreen and parsing, should we just mark this as WontFix?
,
Sep 26 2017
We also, at least intermediately, get this LayoutTree, which may wrong:
LayoutView #document
LayoutBlockFlow HTML
* LayoutBlockFlow BODY
LayoutTable (anonymous)
LayoutTableSection (anonymous)
LayoutTableRow (anonymous)
LayoutTableCell (anonymous)
LayoutBlockFlow (anonymous)
LayoutFullScreen (anonymous) (positioned)
LayoutTable (anonymous)
LayoutTableSection DIV id="test" style="display: table-footer-group"
LayoutBlockFlow P
I'm guessing that we start with
LayoutTable (anonymous)
LayoutTableSection DIV id="test" style="display: table-footer-group"
then LayoutFullScreen::WrapLayoutObject tries to create:
LayoutTable (anonymous)
LayoutFullScreen (anonymous) (positioned)
LayoutTableSection DIV id="test" style="display: table-footer-group"
which triggers anonymous table wrappers both above and below LayoutFullScreen.
I also see that allowing a table section to go full screen is explicitly tested for in https://cs.chromium.org/chromium/src/third_party/WebKit/LayoutTests/fullscreen/full-screen-table-section.html by using eventSender, which shoots down the previously proposed option of marking this as WontFix.
,
Sep 26 2017
Scratch what I said in comment 4: "When it crashes, the first call to LayoutBox::MarkOrthogonalWritingModeRoot() comes in eventual response to Fullscreen::FullscreenElementChanged()" It can also crash when Document::FinishedParsing() is on the call stack, as is the stack in the CF report. There is still a race though: only sometimes is the TableSection removed from the orthogonal writing mode root list before those roots are laid out. Fullscreen might be a red herring, but I see there's been issues with fullscreen and orthogonal writing mode roots in the past, so leaving the component on. About to send a review to kojii@.
,
Sep 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cf81d453117bd11ef946e052d153b2b56fa7d151 commit cf81d453117bd11ef946e052d153b2b56fa7d151 Author: David Grogan <dgrogan@chromium.org> Date: Thu Sep 28 00:42:09 2017 [css-writing-modes] Don't pre-layout table parts Most layout objects that have a writing mode orthogonal to their parents are laid out early so that the parents can know the children's widths before computing their own preferred widths. ( https://crbug.com/550963 ) But table parts can't be laid out on their own, only in the context of their table ancestor. Bug: 719211 Change-Id: Ia2a56127c6d4e6c0239324a478cb664ceeed0e30 Reviewed-on: https://chromium-review.googlesource.com/685900 Reviewed-by: Koji Ishii <kojii@chromium.org> Commit-Queue: David Grogan <dgrogan@chromium.org> Cr-Commit-Position: refs/heads/master@{#504825} [add] https://crrev.com/cf81d453117bd11ef946e052d153b2b56fa7d151/third_party/WebKit/LayoutTests/fast/table/table-parts-not-ortho-writing-mode-root-expected.txt [add] https://crrev.com/cf81d453117bd11ef946e052d153b2b56fa7d151/third_party/WebKit/LayoutTests/fast/table/table-parts-not-ortho-writing-mode-root.html [modify] https://crrev.com/cf81d453117bd11ef946e052d153b2b56fa7d151/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
,
Sep 28 2017
ClusterFuzz has detected this issue as fixed in range 504805:504875. Detailed report: https://clusterfuzz.com/testcase?key=6314045065134080 Fuzzer: inferno_twister Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !NeedsCellRecalc() in LayoutTableSection.cpp blink::LayoutTableSection::UpdateLayout blink::LocalFrameView::PerformLayout Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=419755:419848 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=504805:504875 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6314045065134080 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 28 2017
ClusterFuzz has detected this issue as fixed in range 504805:504875. Detailed report: https://clusterfuzz.com/testcase?key=5530685761912832 Fuzzer: inferno_twister Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !NeedsCellRecalc() in LayoutTableSection.cpp blink::LayoutTableSection::UpdateLayout blink::LocalFrameView::PerformLayout Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=458202:458266 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=504805:504875 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5530685761912832 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 28 2017
,
Sep 28 2017
ClusterFuzz testcase 5530685761912832 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by ClusterFuzz
, Aug 16 2017